Re: CRIME MS Messenger Vulnerability

From: Jeff Bryner (jbryner1@private)
Date: Wed Sep 10 2003 - 15:08:53 PDT


    If you really want to track it down, you could capture some net traffic
    in and out of that machine that displays the messages/symptoms and see
    where it's coming from...
    
    Jeff
    CISSP, GCIH
    
    --- "Solomon, Charlie" <clsolomon@private> wrote:
    > We've all long since heard about the MS Messenger service vulnerability
    > whereby computers running the service that are directly connected to the
    > Internet get hit with Messenger popup ads for University of Phoenix or other
    > garbage.
    >
    > I've got a site that's using a Sonicwall firewall with no ports open and
    > specifically has cleared the checkbox for "Allow NetBIOS from LAN to WAN".
    > One of those users at that site is getting a popup when the machine is
    > booted up that says
    >
    >         From machinename To machinename
    >                 A virus has been detected.  Please contact your administrator.
    >
    > I've had 2 people tell me that Messenger-spammers are very, very clever and
    > have found a way through firewalls and Sonicwall in particular. Admittedly,
    > this machine did have the Messenger service running, but I'm more concerned
    > about this supposed hole that exists.  Has anyone encountered this?  Can
    > anyone point me to a published article?  Or does this have more to do with
    > the phase of the moon or the descension of Mercury?  Would a smudge stick
    > and incense near the firewall help in this instance? ;-)
    >
    > I really don't believe that this is causing these popups for a couple of
    > reasons:  (1) It started shortly after I installed Panda Antivirus Platinum
    > 6, and (2) This popup doesn't advertise anything, doesn't vandalize
    > anything, it doesn't even do a very good job of being scary.  I think it's
    > just a poorly worded warning from Panda.
    >
    > Charlie Solomon
    > Director of Information Systems
    > Oregon Rail
    > 503.265.5568
    
    
    =====
    Jeff
    
    The Germans have done for the consonant what the Hawaiians have done for the vowel--Leo Kottke
    
    
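Jeff's suggestion to capture traffic in and out of the affected machine and see where the messages come from, worked through as an added example (not code from the thread or from either poster). It reads tcpdump-style `-n` lines, keeps only packets aimed at the host on the ports the Windows Messenger service is reached over (UDP 135 for RPC, UDP 137/138 for NetBIOS and its mailslot, TCP 139/445 for SMB), and classifies each by origin: from the Internet (the firewall is passing it), from another LAN host, or from the machine itself. That answers exactly the question a "From machinename To machinename" popup raises. The LAN prefix, host address and capture lines are constructed for the example, and the line format assumed is tcpdump's `-n` output.

```python
import re
import ipaddress
from collections import Counter

# Constructed example values: the site LAN and the host that shows the popup.
LAN = ipaddress.ip_network("192.168.1.0/24")
HOST = ipaddress.ip_address("192.168.1.20")

# Ports on which a Messenger-service ("net send") alert reaches a Windows host:
# UDP 135 (RPC), UDP 137/138 (NetBIOS name/datagram incl. the MESSNGR mailslot),
# TCP 139/445 (SMB).
MESSENGER_PORTS = {135, 137, 138, 139, 445}

# Matches tcpdump -n lines such as:
#   09:12:01.100001 IP 192.168.1.20.1029 > 192.168.1.1.53: UDP, length 40
#   09:12:05.400004 IP 192.168.1.20.1030 > 64.4.20.10.80: Flags [S], seq 1, ...
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+)\s+IP\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):\s+(?P<proto>UDP|Flags)"
)


def parse_line(line):
    """Return a flow dict for one tcpdump line, or None if it is not an IPv4 packet line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": m["ts"],
        "src": ipaddress.ip_address(m["src"]),
        "sport": int(m["sport"]),
        "dst": ipaddress.ip_address(m["dst"]),
        "dport": int(m["dport"]),
        "proto": "tcp" if m["proto"] == "Flags" else "udp",
    }


def classify(flow):
    """Origin of a packet aimed at HOST on a Messenger port; None if not relevant."""
    if flow["dst"] != HOST or flow["dport"] not in MESSENGER_PORTS:
        return None
    if flow["src"] == HOST:
        return "local"       # the machine talking to itself
    if flow["src"] in LAN:
        return "lan"         # another host inside the firewall
    return "internet"        # crossed the firewall from outside


def summarize(capture_text):
    """Count Messenger-relevant packets to HOST by origin over a whole capture."""
    counts = Counter()
    for line in capture_text.splitlines():
        flow = parse_line(line)
        if flow is None:
            continue
        origin = classify(flow)
        if origin:
            counts[origin] += 1
    return dict(counts)


def verdict(counts):
    """Plain-language reading of the summary for the site admin."""
    if counts.get("internet"):
        return "Messenger traffic arrived from outside the LAN: the firewall is passing it"
    if counts.get("lan"):
        return "Messenger traffic came from another LAN host, not through the firewall"
    return "No Messenger traffic reached the host over the wire: the popup is generated locally"


# Constructed capture: ordinary DNS, a NetBIOS broadcast and an outbound web SYN only.
SAMPLE_CAPTURE = """\
09:12:01.100001 IP 192.168.1.20.1029 > 192.168.1.1.53: UDP, length 40
09:12:01.200002 IP 192.168.1.20.137 > 192.168.1.255.137: UDP, length 50
09:12:02.300003 IP 192.168.1.1.53 > 192.168.1.20.1029: UDP, length 120
09:12:05.400004 IP 192.168.1.20.1030 > 64.4.20.10.80: Flags [S], seq 1, win 65535, length 0
"""

# Same capture plus one constructed datagram from a TEST-NET address to UDP 135 on the host.
SPAM_CAPTURE = SAMPLE_CAPTURE + (
    "09:12:06.500005 IP 203.0.113.7.1234 > 192.168.1.20.135: UDP, length 200\n"
)

if __name__ == "__main__":
    for name, cap in (("clean", SAMPLE_CAPTURE), ("spam", SPAM_CAPTURE)):
        counts = summarize(cap)
        print(f"{name}: {counts} -> {verdict(counts)}")
```

Run against the first capture the verdict is "generated locally", which is the outcome that fits Charlie's Panda theory; the second capture shows what a genuine firewall pass-through would look like in the same data. On a real capture, run tcpdump with `-n` on the affected host (or a span port in front of it) from boot until the popup appears, then feed the saved text to `summarize`.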



    This archive was generated by hypermail 2b30 : Wed Sep 10 2003 - 16:50:08 PDT