Busting Pop-up Spam

Nuisance messaging demonstrates the boundless ingenuity of spammers. Here's how to nip it in the bud

By Tim Mullen

I hate spam. I know "hate" is a strong word, but it is the truth. I think spammers should be strung up and beaten like a pinata on Cinco de Mayo and then set on fire.

I hope that aliens are not monitoring spam in order to make a value judgment as to whether or not to vaporize the earth; clearly the universe does not need a race of creatures endowed with diminutive genitalia that must refinance their house in order to afford a mail order diploma or a new satellite dish. Of course, they would spare Nigeria, as it is clearly a country populated entirely of Ministers of Something, each with 28 million dollars in the bank just waiting to be dispersed to anyone willing to give them the assistance they so urgently need.

Who is buying this stuff? Apparently it must be lucrative or we would not be seeing so much of it. I understand the law of averages and that only a fraction of a percent of the total spam broadcast needs a response to make it profitable, but how many people really buy toner cartridges from an e-mail?

Not only is spam a waste of bandwidth and system resources, but the purveyors of spam are getting better and better at delivering it, so dealing with it is a constant battle. Blacklist servers, gateway filters, and third-party client apps can help cut down on spam, but something always seems to get through.

If all of that were not enough, spammers have now begun moving outside of e-mail, and are leveraging idiosyncrasies with other network services in order to push their content.

Direct Advertiser is one such marketing product. As reported last week, if you give this product an IP range, it will deliver your message directly to Windows users whether they want it or not. These are not e-mails -- these are pop-up message windows from the Messenger Service that deliver in-your-face spam right into the recipient's interactive session. For the low low price of $700, you too can cheese your way into the spam market by delivering unsolicited advertisements directly to a user in the most irritating way yet.

A BETTER MOUSETRAP. Mind you, Messenger Service pop-ups are nothing new. Many, many years back, we used to take perverse pleasure in scanning for open NetBIOS ports on unsuspecting machines, using "net send" to display a harmless "You hacked! All of your Base are belong to us!" message on the console, and watching for the panicked user to take the box offline. Hey, it was fun at the time.

Back then, you had to have open NetBIOS ports for that to work -- you had to be able to hit the box on TCP 139. While this is still an issue (unfortunately), it is not as common as it used to be. The difference with this product is that it uses UDP 135, the port of the RPC endpoint mapper. This is the part that has stumped many sys admins, and I was a bit taken aback myself. I was well aware that one could message someone else over TCP 139, but I had no idea that you could invoke the Messenger Service via the endpoint mapper.

After a little experimentation, I found that the capability of using UDP 135 was built into "net send" all along.

If you have NetBIOS bound to your interface, someone using net send will, by default, pipe the message over SMB to TCP 139. But if NetBIOS is not bound to the interface, net send will use UDP 135 instead. It takes the "net" command a bit longer to figure this out, but it does work.

The Direct Advertiser product just skips the preliminaries, knowing that smart system administrators close TCP 139, and goes right for the undocumented back door.

That bugs me. It's not just that nobody knew you could do it, it's that you can do it in the first place. The endpoint mapper is supposed to map clients to available RPC ports -- you should not be able to control services via unauthenticated UDP packets.

Granted, you should not have UDP 135 open to the net anyway, but it is actually a quite common thing to see. The real question, which we should probably pose to Microsoft, is what other surprises are in store through this overlooked entryway into our systems? Dave Aitel of Immunity has already published a vulnerability where an unauthenticated attacker can disable the RPC service via UDP 135, thus crippling many other network services. It is reasonable to expect other issues in the future.

The lesson in both cases is to turn off services you don't need and to allow only the required ports to be open. That way, when the spammers build a better mousetrap, you won't be the first to step on it.
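One way to find out whether you are already exposed is to look at what the perimeter firewall is letting through to the two ports the column names. The script below is an added example, not part of the column or of any vendor's tooling: it reads firewall log lines in a simple constructed format (timestamp, action, protocol, source and destination socket), treats RFC 1918 and loopback space as internal, and reports external hosts whose traffic to UDP 135 (the endpoint-mapper path Direct Advertiser uses) or TCP 139 (the classic net send path) was accepted rather than dropped. The log format and the addresses are constructed for the example; adapt parse_line() to your own firewall's format.

```python
"""Audit firewall log lines for accepted external traffic to the Messenger
Service vectors discussed in the column: TCP 139 (NetBIOS session, classic
net send) and UDP 135 (RPC endpoint mapper, the Direct Advertiser path).
Added example; the log format below is constructed, not any real vendor's."""

import ipaddress
import re
from collections import Counter

# The two ports the column discusses, with a label for the report.
WATCHED_PORTS = {
    ("tcp", 139): "NetBIOS session (net send over SMB)",
    ("udp", 135): "RPC endpoint mapper (Messenger via UDP 135)",
}

# Address space we consider internal; anything else is "the net".
INTERNAL_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("127.0.0.0/8"),
]

# Constructed sample log: "<time> <ACCEPT|DROP> <proto> <src>:<sport> -> <dst>:<dport>".
# 198.51.100.x is an outside host hammering UDP 135 across our range; one DROP
# shows the firewall catching it on one address but not the others.
SAMPLE_LOG = """\
2002-10-15T09:12:01 ACCEPT udp 198.51.100.23:1045 -> 203.0.113.7:135
2002-10-15T09:12:02 ACCEPT udp 198.51.100.23:1045 -> 203.0.113.8:135
2002-10-15T09:12:02 ACCEPT tcp 203.0.113.50:3322 -> 203.0.113.7:80
2002-10-15T09:12:03 ACCEPT tcp 192.168.1.20:1033 -> 192.168.1.5:139
2002-10-15T09:12:05 DROP udp 198.51.100.23:1045 -> 203.0.113.9:135
2002-10-15T09:12:07 ACCEPT tcp 198.51.100.77:4412 -> 203.0.113.7:139
2002-10-15T09:12:08 garbage line that does not parse
"""

LINE_RE = re.compile(
    r"^(\S+)\s+(ACCEPT|DROP)\s+(tcp|udp)\s+(\S+):(\d+)\s+->\s+(\S+):(\d+)$"
)


def parse_line(line):
    """Return (action, proto, src_ip, dst_ip, dst_port), or None for a malformed line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    _ts, action, proto, src, _sport, dst, dport = m.groups()
    return action, proto, src, dst, int(dport)


def is_external(ip_text):
    """True when the address lies outside the internal ranges above."""
    ip = ipaddress.ip_address(ip_text)
    return not any(ip in net for net in INTERNAL_NETS)


def find_exposed(log_text):
    """Map each watched (proto, port) to a Counter of external sources whose
    traffic to it was ACCEPTed. Dropped packets and internal sources are ignored,
    as are unparseable lines."""
    hits = {}
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        action, proto, src, _dst, dport = parsed
        if action != "ACCEPT" or (proto, dport) not in WATCHED_PORTS:
            continue
        if not is_external(src):
            continue
        hits.setdefault((proto, dport), Counter())[src] += 1
    return hits


def report(hits):
    """Render the findings as one line per watched port, most active source first."""
    lines = []
    for (proto, port), sources in sorted(hits.items()):
        top = ", ".join(f"{ip} x{n}" for ip, n in sources.most_common())
        lines.append(f"{proto.upper()} {port} exposed [{WATCHED_PORTS[(proto, port)]}]: {top}")
    return lines


if __name__ == "__main__":
    for line in report(find_exposed(SAMPLE_LOG)):
        print(line)
```

Any line in the report means the perimeter is passing exactly the traffic the column says should never reach a host from outside; the fix is at the firewall (and in the Messenger Service's startup type), not in the log parser. Dropped packets are deliberately left out so the report only shows what actually got through.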

SecurityFocus Online columnist Timothy M. Mullen is CIO and Chief Software Architect for AnchorIS.Com, a developer of secure, enterprise-based accounting software.
