Security Incidents mailing list archives

Re: Source of Windows PopUp SPAM


From: Ron Trenka <ron () zowiedigital com>
Date: Wed, 16 Oct 2002 10:39:32 -0400

on 10/15/02 12:29 PM, Lawrence Baldwin at baldwinL () mynetwatchman com wrote:

We've identified a commercial, Windows-based SPAM package which sends SPAM
via popups (all for $699).
I've confirmed that this particular package (which I can't name, yet..)
sends popups via MS RPC.
I suspect this package is running on these Linux systems under VMWARE
emulated Windows sessions.

What is also interesting is that some users, despite running personal
firewalls, are still reporting getting these popups.  This probably explains
the developer's choice to use MS RPC (udp/135) for delivery instead of a
straight Netbios SMB call (tcp/139).  MS RPC would be less overhead, but
also has the potential to reach more people as even those with firewalls are
often giving 'svchost.exe' server privileges because they assume it's
necessary:

http://www.dslreports.com/forum/remark,4718327~root=security,1~mode=flat

Anyone have a way to disable this on W2K and NT 4.0 servers?

***********************************************************
* Ron Trenka              | "You do not need a parachute  *
* Zowie Digital Media     | to skydive.  You only need a  *
* www.zowiedigital.com    | parachute to skydive twice."  *
* ron () zowiedigital com    |          www.DarwinAwards.com *
* (212) 627-4991 x22      |                               *
***********************************************************




----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

