By Tim Mullen

I hate spam. I know "hate" is a strong word, but it is the truth. I think
spammers should be strung up and beaten like a pinata on Cinco de
Mayo and then set on fire.
I hope that aliens are not monitoring spam in order to make a value judgment
as to whether or not to vaporize the earth; clearly the universe does not
need a race of creatures endowed with diminutive genitalia that must
refinance their house in order to afford a mail order diploma or a new
satellite dish. Of course, they would spare Nigeria, as it is clearly a
country populated entirely by Ministers of Something, each with 28 million
dollars in the bank just waiting to be dispersed to anyone willing to give
them the assistance they so urgently need.
Who is buying this stuff? Apparently it must be lucrative or we would not
be seeing so much of it. I understand the law of averages and that only a
fraction of a percent of the total spam broadcast needs a response to make
it profitable, but how many people really buy toner cartridges from an
Not only is spam a waste of bandwidth and system resources, but the
purveyors of spam are getting better and better at delivering it -- dealing
with it is a constant battle. Blacklist servers, gateway filters, and third
party client apps can help cut down on spam, but something always seems to
If all of that were not enough, spammers have now begun moving outside of
e-mail, and are leveraging idiosyncrasies with other network services in
order to push their content.
Direct Advertiser is one such marketing product. As reported last week, if
you give this product
an IP range, it will deliver your message directly to Windows users whether
they want them or not. These are not e-mails -- these are pop-up message
windows from the Messenger Service that deliver in-your-face spam right to
the recipient's interactive session. For the low low price of $700, you too
can cheese your way into the spam market by delivering unsolicited
advertisements directly to a user in the most irritating way yet.
A BETTER MOUSETRAP

Mind you, Messenger Service or pop-ups are nothing new. Many, many years
back, we used to take perverse pleasure in scanning for open NetBIOS ports on
unsuspecting machines, using "net send" to display a harmless "You hacked!
All of your Base are belong to us!" message on the console, and watching for
the panicked user to take the box offline. Hey, it was fun at the time.
Back then, you had to have open NetBIOS ports for that to work -- you had to
be able to hit the box with TCP 139. While this is still an issue
(unfortunately), it is not as common as it used to be. The difference with
this product is that it uses UDP 135: the RPC endpoint mapper. This is the
part that has stumped many sys admins, and I was a bit taken aback myself. I
was well aware that one could message someone else over TCP 139, but I had
no idea that you could invoke the messenger service via the end point
After a little experimentation, I found that the capability of using UDP 135
was built into "net send" all along.
If you have NetBIOS bound to your interface, someone using net send will, by
default, pipe the message over SMB to TCP 139. But if NetBIOS is not bound
to the interface, net send will use UDP 135 instead. It takes the "net"
command a bit longer to figure this out, but it does work.
The Direct Advertiser product just skips the preliminaries, knowing that
smart system administrators close TCP 139, and goes right for the
undocumented back door.
That bugs me. It's not just that nobody knew that you could do it, it's
that you can do it in the first place. The end point mapper is supposed to
map clients to available RPC ports -- you should not be able to control
services via unauthenticated UDP packets.
Granted, you should not have UDP 135 open to the net anyway, but it is
actually a quite common thing to see. The real question, which we should
probably pose to Microsoft, is what other surprises are in store through
this overlooked entryway into our systems? Dave Aitel of Immunity has
already published a vulnerability where an unauthenticated attacker can
disable the RPC service via UDP 135, thus crippling many other network
services. It is reasonable to expect other issues in the future.
The lesson in both cases is to turn off services you don't need and to only
allow required ports to be open. That way, when the spammers build a
better mouse trap, you won't be the first to step on it.

SecurityFocus Online columnist Timothy M. Mullen is CIO and Chief
Software Architect for AnchorIS.Com, a developer of secure, enterprise-based