Re: CRIME MS Messenger Vulnerability

From: Duane Nickull (duane@private)
Date: Wed Sep 10 2003 - 16:26:07 PDT


    Charlie:
    
    My experience (much more limited than others on this list) is that the 
    behaviour you are experiencing may be due to a program that resides on 
    the local machine.  If it is Windows, check out the services that are 
    running and look for suspicious programs such as "save.exe".
    
    These programs make an http get() request at regularly timed intervals 
    (some advanced ones are actually triggered by user events) to retrieve 
    material to display in a pop-up ad.  The communication is synchronous in 
    nature (the pipe stays open until the get() request is complete) and 
    since most firewalls are configured to allow the local machine to make 
    http/s get() requests, they are not affected. Since the javascript 
    command to popup() a window is local, the firewall does not stop it.
    
    If the machine has a copy of Messenger, Kazaa or other free goodies, 
    there is probably an ad program attached that was installed at the same 
    time.
    
    Duane Nickull
    
    
    Solomon, Charlie wrote:
    >     We've all long since heard about the MS Messenger service 
    > vulnerability whereby computers running the service that are directly 
    > connected to the Internet get hit with Messenger popup ads for 
    > University of Phoenix or other garbage.
    >  
    >         I've got a site that's using a Sonicwall firewall with no ports 
    > open and specifically has cleared the checkbox for "Allow NetBIOS from 
    > LAN to WAN".  One of those users at that site is getting a popup when 
    > the machine is booted up that says
    >  
    >         From machinename To machinename
    >                 A virus has been detected.  Please contact your 
    > administrator.
    >  
    >         I've had 2 people tell me that Messenger-spammers are very, very 
    > clever and have found a way through firewalls and Sonicwall in 
    > particular.  Admittedly, this machine did have the Messenger service 
    > running, but I'm more concerned about this supposed hole that exists.  
    > Has anyone encountered this?  Can anyone point me to a published 
    > article?  Or does this have more to do with the phase of the moon or the 
    > descension of Mercury?  Would a smudge stick and incense near the 
    > firewall help in this instance?  ;-)
    >     I really don't believe that this is causing these popups for a 
    > couple of reasons:  (1) It started shortly after I installed Panda 
    > Antivirus Platinum 6, and (2) This popup doesn't advertise anything, 
    > doesn't vandalize anything, it doesn't even do a very good job of being 
    > scary.  I think it's just a poorly worded warning from Panda.
    >  
    > Charlie Solomon
    > Director of Information Systems
    > Oregon Rail
    > 503.265.5568
    >  
    
    
    -- 
    Yellow Dragon Software Corporation
    Service Oriented Architectures - ebXML, Web Services, Registry, SOAP
    Registry, Messaging and CPA Downloads - http://www.yellowdragonsoft.com
    +1 (604) 738-1051
    ***********************************
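Duane's observation that ad programs fetch their content at regularly timed intervals is exactly the pattern a defender can look for in outbound proxy or firewall logs. The following Python script is an added example, not code from the original thread: it flags source/destination pairs whose GET requests are evenly spaced, using a constructed log format and constructed host names for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample proxy/firewall log lines (not from the original thread):
# timestamp, source host, method, destination host.
SAMPLE_LOG = """\
2003-09-10T09:00:00 ws17 GET ads.example-adserver.test
2003-09-10T09:00:03 ws17 GET intranet.example.test
2003-09-10T09:05:00 ws17 GET ads.example-adserver.test
2003-09-10T09:07:41 ws17 GET news.example.test
2003-09-10T09:10:01 ws17 GET ads.example-adserver.test
2003-09-10T09:15:00 ws17 GET ads.example-adserver.test
2003-09-10T09:19:12 ws17 GET intranet.example.test
2003-09-10T09:20:00 ws17 GET ads.example-adserver.test
2003-09-10T09:25:00 ws17 GET ads.example-adserver.test
"""

LINE_RE = re.compile(r"^(\S+) (\S+) GET (\S+)$")

def parse_log(text):
    """Return {(src, dst): [datetime, ...]} for every GET line in the log."""
    hits = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than abort
        ts, src, dst = m.groups()
        hits[(src, dst)].append(datetime.fromisoformat(ts))
    return hits

def find_beacons(text, min_hits=4, max_jitter=0.1):
    """Flag (src, dst) pairs whose GET timestamps are evenly spaced.

    A pair is reported when it has at least min_hits requests and the
    standard deviation of the gaps between them is at most max_jitter
    times the mean gap. Returns {(src, dst): mean_gap_seconds}.
    """
    beacons = {}
    for key, times in parse_log(text).items():
        if len(times) < min_hits:
            continue  # too few requests to judge regularity
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) <= max_jitter * avg:
            beacons[key] = avg
    return beacons

if __name__ == "__main__":
    for (src, dst), gap in find_beacons(SAMPLE_LOG).items():
        print(f"{src} -> {dst}: every {gap:.0f}s")
```

Ordinary browsing (the intranet and news requests above) is irregular and is ignored, while the ad server is reported as polled every 300 seconds; the host named that way is then the one whose running services deserve a look.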
    



    This archive was generated by hypermail 2b30 : Wed Sep 10 2003 - 16:59:13 PDT