[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <200306202237.46271.jstewart@lurhq.com>
From: jstewart at lurhq.com (Joe Stewart)
Subject: Windows Messenger Popup Spam on UDP Port 1026
Windows Messenger Popup Spam on UDP Port 1026
URL: http://www.lurhq.com/popup_spam.html
Release Date: June 20, 2003
Author: Joe Stewart
LURHQ Corporation has observed traffic to large blocks of IP addresses
on UDP port 1026. This traffic started around June 18, 2003 and has
been constant since that time. LURHQ analysts have determined that the
source of the traffic is spammers who have discovered that the Windows
Messenger service listens for connections on port 1026 as well as the
more widely-known port 135. Windows Messenger has been a target for
spammers since late last year, because it allows anonymous pop-up
messages to be displayed on any Windows system running the messenger
service. Due to widespread abuse, many ISPs have moved to block
inbound traffic on UDP port 135. It appears the spammers have adapted,
so ISPs are urged to block UDP port 1026 inbound as well.
It is possible to disable the messenger service on some platforms
following the instructions below. However, the fact that you can
receive these messages points to the fact that your computer is
unsecured and vulnerable to other possible attacks in the future.
Disabling the messenger service will stop the pop-up spam, but will
not protect you in any other way. Home users are encouraged to install
personal firewall software to block unauthorized connections to their
computers. Users are discourged from purchasing specialized Windows
Messenger popup blocking software as it is often sold by the same
company that is sending the popups.
To disable the Messenger Service, follow the instructions for your
Windows version:
Windows XP Home
* Click Start, then click Control Panel.
* Double-click Performance and Maintenance.
* Double-click Administrative Tools.
* Double-click Services.
* Scroll down, highlight and right-click on Messenger and choose
Properties
* In the "Startup type" list, choose Disabled.
* Click Stop, and then click OK.
Windows XP Professional
* Click Start, then click Control Panel.
* Double-click Administrative Tools
* Double-click Services
* Scroll down, highlight and right-click on Messenger and choose
Properties
* In the "Startup type" list, choose Disabled.
* Click Stop, and then click OK.
Windows 2000/NT
* Click Start, go to Settings, then click Control Panel.
* Double-click Administrative Tools.
* Double-click Service.
* Double-click Messenger.
* In the "Startup type" list, choose Disabled.
* Click Stop, and then click OK.
Windows 98/ME
The Windows Messenger Service cannot be disabled
--
About LURHQ Corporation
LURHQ Corporation is the trusted provider of Managed Security
Services. Founded in 1996, LURHQ has built a strong business
protecting the critical information assets of more than 400 customers
by offering managed intrusion prevention and protection services.
LURHQ's 24X7 Incident Handling capabilities enable customers to
enhance their security posture while reducing the costs of managing
their security environments. LURHQ's OPEN Service Delivery(TM)
methodology facilitates a true partnership with customers by providing
a real time view of the organization's security status via the
Sherlock Enterprise Security Portal. For more information visit
http://www.lurhq.com/
Copyright (c) 2003 LURHQ Corporation. Permission is hereby granted for
the redistribution of this document electronically. It is not to be
altered or edited in any way without the express written consent of
LURHQ Corporation. If you wish to reprint the whole or any part of
this document in any other medium excluding electronic media, please
e-mail advisories@...hq.com for permission.
Disclaimer
The information within this paper may change without notice. Use of
this information constitutes acceptance for use in an AS IS condition.
There are NO warranties implied or otherwise with regard to this
information. In no event shall the author be liable for any damages
whatsoever arising out of or in connection with the use or spread of
this information.
Feedback
Updates and/or comments to:
LURHQ Corporation
http://www.lurhq.com/
advisories@...hq.com
Powered by blists - more mailing lists