
If you thought spam e-mails were bad


Pave Low


Messenger Spam by Steven J. Vaughan-Nichols

Have you or your customers been peacefully doing your work on a Windows computer, without even Outlook or Internet Explorer on in the background, when suddenly your spreadsheet is covered with what appears to be an administration message, but instead of telling you to "log off now because the server is going down for emergency maintenance," it tells you that "you can have larger breasts if you only buy and use a special HGH lotion for $39.95"? And if you're a guy, you're a little nonplussed by this?

Congratulations! The latest spam tool, Direct Advertiser, or one of its close relatives has just attacked you. And, if I were in your shoes, I'd want to crawl over the Internet connection and make the spammer drink his HGH lotion until he chokes.

And, who could blame you? Direct Advertiser works by taking advantage of yet another built-in Windows security flaw. In this case, it's that anyone can use Microsoft Messenger Service to send administration messages to networked users, even if your only network connection is a modem hook-up to the Internet. This so-called "Messenger Spam" has nothing to do with Microsoft's IM services; Microsoft Messenger is an inadequately protected system administration message service that's similar to Unix's better-protected wall command.

If you knew what you were doing, you could always take advantage of this well-known hole. What Direct Advertiser has done is make it possible for anyone with a product to sell and the morals of a used car salesman on commission with an expensive girlfriend to barge into your computer, even if they couldn't tell Windows 3.1 from Windows XP.

How it Works

This spam technique works in one of two ways. In the first, it addresses the documented TCP port 139 with the appropriate commands to generate the spam message. In the second, which is a bit more clever because it uses a back door, un-documented approach, it connects with UDP port 135.

Port 135 is usually used as the end-point for Remote Procedure Calls (RPCs). 139 is assigned for Messenger duty. It turns out though that if you don't have NetBIOS on, the Messenger service can't connect to 139 and it will continue on its way to UDP 135. Or, in the case of Direct Advertiser, it skips checking TCP 139 and heads straight to annoying you via port 135.

How to Stop It

Your users couldn't care less about that; what they want is for you to stop it, now!

Annoyingly enough, it's easy to stop. In fact, even though hundreds of thousands of users are being bugged by Direct Advertiser, I've never even seen a live case on my machine. That's because I use a restrictive firewall that only allows in network traffic that I've expressly allowed.

So, how do you fix it for a user? Easy: if it's an end-user with a single machine, have them install ZoneAlarm, Norton Firewall or the like. Most personal firewalls automatically stop traffic on both these ports.

If they're in a SOHO or small business, I recommend either setting up a cheap PC, even a 486 will do, with Linux or, if you must, Windows, with a firewall program, like one of the above or their slightly bigger brothers, running on it and nothing else. The more programs running on a box, the more chances of something going wrong and fouling up the firewall. For example, I made this mistake myself by assuming I could run ZoneAlarm with Setiathome in the background on a machine running Windows 98SE. What I found was that if Setia couldn't reach its home server because it was down, it would crash and lock up ZoneAlarm at the same time. But, the Internet Connection Sharing session I was using to connect my LAN with a DSL router would keep going. So, unless I checked the firewall box, I wouldn't know that my network was no longer protected from attacks. One box, one service: it really is the best way to handle a network, no matter how tempting the idea is to run multiple services on a single server.

Once you have a firewall system set up, you then use it as a bastion system between the users and their Internet connection, usually some kind of router. It doesn't have to be a dedicated PC. You might also want to use a firewall appliance like SonicWall's SOHO3 or one of NetScreen's low-end firewalls. I've used their equipment for years and I can recommend either company's products.

Beyond that, both companies also produce firewalls for bigger enterprises, and there are always companies like WatchGuard that specialize in industrial-sized firewalls. My own rule of thumb is that if I have traffic loads of over a megabyte per second of Internet traffic for more than an hour a day, it's time to get a serious firewall.

The bottom line, though, is that any firewall set to a decent level of security would have stopped Direct Advertiser attacks cold.

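The article above says the spam arrives on UDP 135 or TCP 139 and that a firewall which only passes expressly allowed traffic stops it. As an added example (not part of the original post or of the quoted article), here is a small Python triage script that runs over firewall-style log lines and flags inbound traffic from outside the LAN to the Messenger-service ports, so an admin can see who is probing and, more importantly, whether any of it got through. The log line format, the RFC 1918 "internal" ranges and the sample log are assumptions constructed for the example; the sample uses documentation addresses (203.0.113.0/24, 198.51.100.0/24) as the "outside" sources. Beyond the two ports the article names, the script also watches UDP 137 and 138, the NetBIOS name and datagram ports that the same service listens on.

```python
"""Flag Messenger-service (NET SEND) spam attempts in firewall logs.

Added example, not from the original post or the quoted article.
Assumed log line format (constructed for this example):
    <timestamp> <ALLOW|DROP> <tcp|udp> <src>:<sport> -> <dst>:<dport>
"""
import ipaddress
import re
from collections import Counter

# Ports on which Messenger-service traffic arrives. 135/udp and 139/tcp are
# the two paths described in the article; 137/udp and 138/udp are the NetBIOS
# name and datagram services that also carry NET SEND messages.
MESSENGER_PORTS = {("udp", 135), ("udp", 137), ("udp", 138), ("tcp", 139)}

# Assumption: the site's own LAN is RFC 1918 space plus loopback. Anything
# else is treated as "the Internet".
INTERNAL_NETS = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")
]

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<action>ALLOW|DROP)\s+(?P<proto>tcp|udp)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s*->\s*(?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not fit."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec


def is_external(addr):
    """True if the address is outside the LAN ranges defined above."""
    ip = ipaddress.ip_address(addr)
    return not any(ip in net for net in INTERNAL_NETS)


def find_messenger_spam(lines):
    """Return records for inbound traffic from external hosts to Messenger ports.

    Internal-to-internal NetBIOS chatter (e.g. name broadcasts on 137/udp)
    is normal on a Windows LAN and is deliberately not flagged.
    """
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # unparseable line: skip, do not crash the whole run
        if (rec["proto"], rec["dport"]) in MESSENGER_PORTS and is_external(rec["src"]):
            hits.append(rec)
    return hits


def summarize(hits):
    """Count hits per external source, and list the ones the firewall let through."""
    per_src = Counter(h["src"] for h in hits)
    allowed = [h for h in hits if h["action"] == "ALLOW"]
    return per_src, allowed


# Constructed sample log: two spam runs from outside, one normal internal
# NetBIOS broadcast, one unrelated web connection, and one garbage line.
SAMPLE_LOG = """\
2003-05-01T10:00:01 DROP udp 203.0.113.7:1026 -> 192.168.1.10:135
2003-05-01T10:00:01 DROP udp 203.0.113.7:1026 -> 192.168.1.11:135
2003-05-01T10:00:02 ALLOW tcp 203.0.113.7:3421 -> 192.168.1.12:139
2003-05-01T10:00:03 ALLOW udp 192.168.1.5:137 -> 192.168.1.255:137
2003-05-01T10:00:04 ALLOW tcp 198.51.100.4:44123 -> 192.168.1.10:80
2003-05-01T10:00:05 DROP udp 198.51.100.9:1025 -> 192.168.1.10:138
garbage line
"""


if __name__ == "__main__":
    hits = find_messenger_spam(SAMPLE_LOG.splitlines())
    per_src, allowed = summarize(hits)
    for src, n in per_src.most_common():
        print(f"{src}: {n} Messenger-port attempt(s)")
    for h in allowed:
        # An ALLOW here means the firewall policy is too loose for these ports.
        print(f"LET THROUGH: {h['proto']}/{h['dport']} from {h['src']} at {h['ts']}")
```

On the sample log this reports 203.0.113.7 with three attempts and 198.51.100.9 with one, and shows that the TCP 139 connection was allowed, which is exactly the gap the article's "only allow what you expressly permit" policy closes. The internal 137/udp broadcast is not flagged, so the script can be left running on a Windows LAN without drowning in normal NetBIOS noise.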

The company actually seems proud of the monster they've unleashed:

DIRECT ADVERTISER

The newest technology in online marketing!

• Not getting results from email marketing?

• People not reading your emails?

• Need geographical targeting?  

Warning! There are several scammers out there claiming that their software is the original one. We are not associated with any of these individuals or businesses. We do not have any resellers of our software.

Some of these scammers didn't even take the time to change the wording on their website, they copied ours as it is. Be extremely careful who you buy software from.

You've come to the right place! We have developed software that will send your messages directly to the computer screen of the people you want to see your advertising. Instantly!

No more waiting, no more email filters to fight, relays and proxies to find. Just compose your message and you are ready to start your campaign.

85% of all consumer computers are able to display the messages you are sending to them with this software. Click here to see what a sample message looks like when you receive it on your own computer.

Important note: This program does not use any backdoors, exploits or hacks to get into your computer. It uses a simple 'NET SEND' command incorporated into your operating system. Anyone can send a message to almost anyone on the internet using this command.

The ability to receive these messages is incorporated into your Operating System by default!

This software does not hack into or take control of your computer! Our program automates this process to send to multiple IP addresses.

This software is the best alternative to bulk email. Why? Here are the reasons:

• There are no email lists to worry about. Bulk email is regulated by different laws in different states, instant messages are not.

• Bulk email is sent to an email address which sometimes is not even checked. Messages delivered by this program are delivered straight to the screen of your client.

• Responses to emails come in days later sometimes, when people read their emails. Responses to DirectAdvertiser messages are as instant as the messages. Message arrives, people go check out your website.

• These messages are completely anonymous and virtually untraceable. Bulk email will cause you trouble with your ISP if you are not using special software to hide your IP address. With this program your IP address never shows up anywhere.

• Response rate is a lot higher, which means more business to you.

• Delivery rates are instantly presented to you. You can see how many messages were delivered and actually seen by people.


And here's me unable to uninstall Messenger because it's integrated itself into Outlook Express.

Typical  :angry:

I say unto you, “Go forth and get thyself a decent firewall” and a pox upon the creators of this foul abomination. :)


Here is a Way you can stop those Messages Appearing on your Screen:

Note this method is for Win2k, so might be different for other users.

Right click on your MY COMPUTER icon and then go to MANAGE.

In the Tree to the left, it should have one section named - Services and Applications

Highlight it and expand the Tree.

On my Screen there are now 2 new entries - WMI Control and Services. Click Services so it is highlighted.

Then in the Section to the right, look for where it says Messenger, the Description should say something like - Sends and receives messages transmitted by administrators or by the Alerter service.

Double click this and then change where it says Status Type to Disabled.

That should now stop those annoying messages appearing.

Hope it helps

MrMacca

:D
