Full Disclosure mailing list archives
Re: Windows Messenger Popup Spam - advisory amended
From: jh <jh () dok org>
Date: Wed, 25 Jun 2003 22:31:23 -0500
On Wed, Jun 25, Joe Stewart wrote:

> On Monday 23 June 2003 05:19 pm, jh wrote:
> > 1026 is ephemeral, it may not always be this port.
>
> I'd say it's dependent on the startup order of other listeners. Ephemeral implies it is short-lived. If you don't install other services that use port 1026 it will probably continue to be bound to port 1026 indefinitely. I've been told that some Windows 2000 server platforms may have messenger listening on port 1027 due to other services starting first, but popup spammers are typically targeting the home user running WinXP.

Yah, you are correct. Ephemeral probably wasn't the best choice of wording, but you understood what I meant anyway.

> This is an excellent paper; is it yours?

Yes it is, thanks.

> I have found, however, a few points of difference between what the paper describes of the protocol and what I've observed in practice. The paper describes a much more elaborate exchange of packets than the spammers are actually using.

This may be entirely dependent on the handful of the commercial "advertising tools" that I selected to look at - and clearly several of them appeared to be ripoffs of each other. Though to be fair, I have observed this exchange of packets in real life (i.e. not caused by my own testing, just allowing spammers access to my machines).

> The paper says that the conv_who_are_you packet must be answered by the client before the popup will occur.

Your observations are very interesting. I could never get a popup to display without this transpiring. I noticed other people have had the same results (http://www.mynetwatchman.com/kb/security/articles/popupspam/netsend.htm, as an example).

> This doesn't seem to be necessary, as I have been able to merely replay the same UDP packet payload again and again, on either port.

Is that UDP packet you are replaying the first packet of the conversation? I'd be interested in looking at it (and what else you are doing). If you could send that to me off list, I'd appreciate it.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
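The exchange discussed in this thread (a spammer's request to the Messenger service on udp/1026 or udp/1027, and the conv_who_are_you callback the target may send back before it displays the popup) rides on connectionless DCE RPC, whose 80-byte PDU header can be parsed directly out of the UDP payload. The following is an added example, not code from the thread, from the paper it discusses, or from any of the advertising tools mentioned: a small Python parser for that header and a classifier that flags NetrSendMessage requests to the msgsvc interface and conv_who_are_you requests, so a capture of UDP traffic to those ports can be checked for popup-spam activity. The interface UUIDs and opnums are quoted from memory of the DCE RPC specification and the Windows msgsvc IDL and are assumptions, not facts taken from the thread; the sample packets are constructed, with placeholder bodies rather than an encoded message.

```python
"""Recognise Windows Messenger (net send) popup traffic in raw UDP payloads by
decoding the connectionless DCE RPC header that the Messenger service uses."""
import struct
import uuid
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Interface identifiers and opnums, quoted from memory of the DCE RPC spec and
# the Windows msgsvc IDL (assumed; not taken from the thread above).
MSGSVC_IF = uuid.UUID("5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc")  # Messenger service, v1.0
CONV_IF = uuid.UUID("333a2276-0000-0000-0d00-00809c000000")    # DCE "conv" callback interface, v3.0
NETR_SEND_MESSAGE = 0   # assumed opnum of msgsvc NetrSendMessage
CONV_WHO_ARE_YOU = 0    # assumed opnum of conv_who_are_you

CL_HDR_FMT = "BBBB3sB16s16s16sIIIHHHHHBB"   # CL PDU header, 80 bytes, no padding
CL_HDR_LEN = struct.calcsize("<" + CL_HDR_FMT)
PTYPES = {0: "request", 1: "ping", 2: "response", 3: "fault", 4: "working",
          5: "nocall", 6: "reject", 7: "ack", 8: "cl_cancel", 9: "fack",
          10: "cancel_ack"}


@dataclass
class ClHeader:
    ptype: str
    if_id: uuid.UUID
    if_vers: int
    act_id: uuid.UUID
    seqnum: int
    opnum: int
    fragnum: int
    body_len: int


def parse_cl_header(data: bytes) -> Optional[ClHeader]:
    """Decode a connectionless DCE RPC header; None if the bytes are not one."""
    if len(data) < CL_HDR_LEN or data[0] != 4:       # rpc_vers is always 4 for CL RPC
        return None
    little = (data[4] >> 4) == 1                      # drep[0] high nibble: 1 = little-endian
    end = "<" if little else ">"
    (_vers, ptype, _f1, _f2, _drep, _serial_hi, _obj, if_id, act_id, _boot,
     if_vers, seqnum, opnum, _ihint, _ahint, length, fragnum, _auth,
     _serial_lo) = struct.unpack_from(end + CL_HDR_FMT, data, 0)
    if ptype not in PTYPES:
        return None

    def to_uuid(raw: bytes) -> uuid.UUID:
        # UUID fields follow the integer byte order announced in drep
        return uuid.UUID(bytes_le=raw) if little else uuid.UUID(bytes=raw)

    return ClHeader(PTYPES[ptype], to_uuid(if_id), if_vers, to_uuid(act_id),
                    seqnum, opnum, fragnum, length)


def classify(dport: int, payload: bytes) -> Optional[str]:
    """Alert text for payloads that look like popup-spam traffic, else None."""
    hdr = parse_cl_header(payload)
    if hdr is None:
        return None
    if hdr.if_id == MSGSVC_IF and hdr.ptype == "request" and hdr.opnum == NETR_SEND_MESSAGE:
        first = " (first fragment)" if hdr.fragnum == 0 else ""
        return f"msgsvc NetrSendMessage request{first} to udp/{dport}"
    if hdr.if_id == CONV_IF and hdr.ptype == "request" and hdr.opnum == CONV_WHO_ARE_YOU:
        return f"conv_who_are_you callback to udp/{dport}"
    return None


Packet = Tuple[str, int, str, int, bytes]   # (src, sport, dst, dport, udp payload)


def scan(packets: List[Packet]) -> List[str]:
    """Run classify() over a packet list and collect one alert line per hit."""
    alerts = []
    for src, sport, dst, dport, payload in packets:
        verdict = classify(dport, payload)
        if verdict:
            alerts.append(f"{src}:{sport} -> {dst}:{dport} {verdict}")
    return alerts


def build_cl_header(if_id: uuid.UUID, if_vers: int, opnum: int, body: bytes,
                    ptype: int = 0, seqnum: int = 0, fragnum: int = 0) -> bytes:
    """Constructed test data only: a little-endian CL header in front of `body`.
    The body is a placeholder, not an encoded NetrSendMessage call."""
    act_id = uuid.UUID("11111111-2222-3333-4444-555555555555")
    return struct.pack("<" + CL_HDR_FMT, 4, ptype, 0, 0, b"\x10\x00\x00", 0,
                       bytes(16), if_id.bytes_le, act_id.bytes_le, 0, if_vers,
                       seqnum, opnum, 0xFFFF, 0xFFFF, len(body), fragnum, 0, 0) + body


# Constructed sample traffic (RFC 5737 addresses): spammer -> target on 1026 and
# 1027, the target's conv_who_are_you callback, and an unrelated DNS reply.
SAMPLE_PACKETS: List[Packet] = [
    ("203.0.113.9", 40000, "192.0.2.10", 1026,
     build_cl_header(MSGSVC_IF, 1, NETR_SEND_MESSAGE, bytes(16))),
    ("192.0.2.10", 1026, "203.0.113.9", 40000,
     build_cl_header(CONV_IF, 3, CONV_WHO_ARE_YOU, bytes(16))),
    ("203.0.113.9", 40000, "192.0.2.10", 1027,
     build_cl_header(MSGSVC_IF, 1, NETR_SEND_MESSAGE, bytes(16))),
    ("198.51.100.4", 53, "192.0.2.10", 1026, b"\x12\x34\x81\x80" + bytes(44)),
]

if __name__ == "__main__":
    for line in scan(SAMPLE_PACKETS):
        print(line)
```

The classifier keys on the interface UUID and opnum rather than on the destination port, since, as the thread notes, the Messenger endpoint is not guaranteed to be 1026; a packet to udp/1027 (or any other port the endpoint mapper handed out) is caught just the same. The fragnum check is there for the question raised at the end of the thread: fragnum 0 marks the first fragment of a call, which is the natural thing to look at when deciding whether a replayed packet is the opening packet of the conversation.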