[ISN] Spam Masquerades as Admin Alerts

From: InfoSec News (isnat_private)
Date: Wed Oct 16 2002 - 00:24:08 PDT

    By Brian McWilliams
    Oct. 15, 2002 PDT

    A new breed of pop-up ads is appearing mysteriously on Microsoft
    Windows users' computers. The so-called "Messenger spams" have
    security experts and system administrators scratching their heads --
    and recipients fuming.

    Some of the ads, which hit Windows systems through backdoor networking
    ports and not by e-mail or Web browsing, appear to have been generated
    by Direct Advertiser, a $700 software program developed by
    Florida-based DirectAdvertiser.com.

    By tapping into Messenger, a Windows service originally designed to
    enable system administrators to send messages to users on a network,
    Direct Advertiser can deliver "completely anonymous and virtually
    untraceable" ads "straight to the screen of your client," according to
    the company's website.

    "Now somebody on the other side of the world can sit there and pop up
    messages on your screen," said Gary Flynn, a security engineer at
    James Madison University, where users have recently reported receiving
    pop-up spam selling university diplomas.

    The Messenger service, not to be confused with Microsoft's MSN
    Messenger chat client, is enabled by default on Windows 2000, NT and
    XP systems, according to Lawrence Baldwin, operator of the
    myNetWatchman computer intrusion reporting service. Baldwin said
    potentially millions of systems may be vulnerable to the pop-ups, also
    known as "NetBIOS Spam."

    According to DirectAdvertiser.com's lead developer Lenard Iszak, the
    program can generate about 5,000 pop-up messages per hour, hitting
    more than one recipient per second. A demonstration of the Direct
    Advertiser software enables users to target a range of Internet
    addresses, such as those assigned to a specific ISP or a particular

    Zoltan Kovacs, founder of DirectAdvertiser.com, said the company has
    sold about 200 copies of the program since launching two months ago.
    According to Kovacs, the software is ideal for advertising 900-number
    and other telephone services.

    "I have customers who call me back and tell me they love it and it
    generates hundreds of calls right away," said Kovacs, who noted that
    Direct Advertiser is a good alternative to bulk e-mail because its
    messages are not regulated by spam laws.

    According to Flynn, many network administrators are puzzled over how
    the ads have weaseled through firewalls onto users' computers. While
    Windows Messenger traditionally uses commonly protected ports 137 and
    139, Flynn said the recent pop-ups appear to use port 135, which is
    often left unprotected by a firewall because it's a vital conduit for
    communicating with a Microsoft service called RPC.

    Since mid-September, numerous myNetWatchman participants have received
    repeated probes on port 135 from a handful of Internet protocol
    addresses assigned to Everyones Internet (EV1.net), an Internet
    service provider in Houston, according to Baldwin. The numeric
    addresses translate into "NetBIOS machine names" that begin with
    WEBPOPUP and that have appeared in several recent ads, he said.

    EV1.net officials, who did not respond to interview requests, are
    investigating the issue, according to Baldwin.

    Now that spammers have pioneered the Windows Messenger technology,
    worm writers may be next to target the service, according to Harlan
    Carvey, a security engineer with a financial services firm.

    "I'm sure we're going to see spyware or malware that makes use of
    this," Carvey said.

    Carvey and other security experts said users can protect themselves
    from unwanted pop-ups by disabling the Windows Messenger service
    and/or properly configuring their firewalls.

    According to Kovacs, he hasn't promoted Direct Advertiser aside from
    touting it in a link from the control panel of StealthMail Master, a
    program he also markets that promises to hide bulk e-mailers' IP

    In December 2001, DirectAdvertiser.com's Iszak lost a dispute with
    America Online over the domain ICQmultipager.com. According to an
    archive of the site, ICQ MultiPager enabled users to broadcast ads to
    users of AOL's ICQ chat service.