"NET SEND" SPAM- a New Headache

"NET SEND" SPAM- a New Headache



Background:

A member of your forum posts this message and the screen shot of the popup...

"I have no messenger running. I have scanned with ad-aware and norton anti-virus and nothing came up. So how and what program caused this ad to just pop up on my screen?"

(see here)
http://www.dslreports.com/forum/remark,4675583~root=security,1~mode=flat

About the same time, another member is experiencing the same problem....



http://www.dslreports.com/forum/remark,4675858~root=security,1~mode=flat


It appears that Spammer have found a trick and exploiting it
big time and here is some background:

__________________________
Spam Takes New Form



By Kevin Rose


When you think of spam, you normally think about those annoying unsolicited email messages you receive in your inbox. But there's a new form of spam that's coming your way and you don't need to have an email account, chat client, or Web browser to receive it. All you need in order to be spammed is Windows XP, 2000, or NT and an Internet connection.

This new form of spam is called messenger spam. Messenger (not to be confused with MSN messenger) is a service that is loaded by default upon the startup of Windows XP/2000/NT. Microsoft has used the messenger service for a number of years to send messages between its servers and clients. Here is Microsoft's official description of the messenger service:



Messenger Service:
Transmits "net send" and Alerter service messages between clients and servers. This service is not related to Windows Messenger. If this service is stopped, Alerter messages will not be transmitted. If this service is disabled, any services that explicitly depend on it will fail to start.

What is this messenger service and why is it spam? The easiest way to explain it is to show you the ethical and non-ethical ways of using the messenger service. The ethical use turns the messenger service into a handy tool for system administrators. They can monitor servers and send out status pop-ups if a problem occurs. See an example by clicking here.


The non-ethical use of the messenger service turns it into an untraceable spam tool. As you can see in this example, the sender has changed the computer name to "VirusScan." This fools the end user into believing it is a message from his or her antivirus program. The message also refers the user to a website, and as you can probably guess, it's not an antivirus website.


The problem here is that anyone can send messages though the messenger service, not just system administrators. The command to send a message is called "net send" and can be executed from the command prompt with the following syntax.


Spammers will automate this process using batch files so that they can send hundreds of messages per hour (see an example).


You're probably saying to yourself, "No one knows my IP address. I'm safe." Not true. You and your hidden messenger service can easily be detected by running a simple port scan across a range of IP addresses. The messenger service is part of the Netbios service that runs on TCP port 139. To detect potential targets, the spammer will scan IP addresses with port 139 open. To demonstrate this, I downloaded an application named SuperScan and scanned 131 IP addresses for the open port 139. Click here to see a screen shot of my results.


Out of 131 computers, 42 of them were open for attack. Using this method thousands of open IP addresses can be harvested and spammed per hour.


Stop the spam

Fortunately there is an easy way to protect yourself; you must turn off the messenger service from within XP/2K/NT. Remember, if you are behind a firewall/corporate network you are most likely safe (as long as port 139 is blocked). Always check with your system administrator before making any changes to your services.


To turn off the messenger service in XP:


Click on the Start button and open the control panel.
Open the Performance and Maintenance control panel and go to Administrative Tools.
Now double-click on Services, then scroll to Messenger.
Double-click Messenger and click Stop to stop the service.
Change the startup type to Disable (see an example).


http://www.techtv.com/screensavers/answerstips/story/0,24330,3374542,00.htm
___________________________________

HOW IS ALL THIS HAPPENING

Welcome to the little know area of ........




Windows 2000 TCP/IP


NetBIOS Over TCP/IP
The Windows 2000 implementation of NetBIOS over TCP/IP is referred to as NetBT. NetBT uses the following TCP and UDP ports:

UDP port 137 (name services)
UDP port 138 (datagram services)
TCP port 139 (session services)
NetBIOS over TCP/IP is specified by RFC 1001 and RFC 1002. The Netbt.sys driver is a kernel -mode component that supports the TDI interface. Services such as workstation and server use the TDI interface directly, while traditional NetBIOS applications have their calls mapped to TDI calls through the Netbios.sys driver. Using TDI to make calls to NetBT is a more difficult programming task, but can provide higher performance and freedom from historical NetBIOS limitations.

NetBIOS defines a software interface and a naming convention, not a protocol. NetBIOS over TCP/IP provides the NetBIOS programming interface over the TCP/IP protocol, extending the reach of NetBIOS client and server programs to the IP internetworks and providing interoperability with various other operating systems.

The Windows 2000 workstation service, server service, browser, messenger, and NetLogon services are all NetBT clients and use TDI to communicate with NetBT. Windows 2000 also includes a NetBIOS emulator. The emulator takes standard NetBIOS requests from NetBIOS applications and translates them to equivalent TDI functions.

Windows 2000 uses NetBIOS over TCP/IP to communicate with prior versions of Windows NT and other clients, such as Windows 95. However, the Windows 2000 redirector and server components now support direct hosting for communicating with other computers running Windows 2000. With direct hosting, NetBIOS is not used for name resolution. DNS is used for name resolution and the Microsoft networking communication is sent directly over TCP without a NetBIOS header. Direct hosting over TCP/IP uses TCP port 445 instead of the NetBIOS session TCP port 139.

By default, both NetBIOS and direct hosting are enabled, and both are tried in parallel when a new connection is established. The first to succeed in connecting is used for any given attempt. NetBIOS over TCP/IP support can be disabled to force all traffic to use TCP/IP direct hosting.

To disable NetBIOS over TCP/IP support

(see here for more)

http://www.microsoft.com/windows2000/techinfo/reskit/en/cnet/cnbc_imp_wcug.htm

 

Hi John!

Another way to discipline your Netbios, at least for NT, is to use Network Bondage from Steve Gibson's Shields Up! website. Link below:
http://grc.com/su-bondage.htm

(Perhaps someone should ask him if this could be provided also for Win 2K and XP?)

Best regards from Larry!

 

Hi Prince_Serendip

In WinXP, it takes just a few clicks to go to the Advanced properties TCP/IP WINS an tick "disable NetBIOS from TCP/IP

Cheers,

 

Hi JacK, i'm going to give you the typical newbie-XP-home-user's version of disabling NetBIOS = "huh?"

j/k! but that's pretty darn close to what most might say who are new to the net AND starting off with XP. i know i was struggling with trying to understand why my software firewall (Sygate) was blocking all these "outgoing" broadcasts to 137 and 138 (not one incoming though on my router's log), and i knew it had something to do with NetBIOS, but not completely sure....and definitely NOT sure what disabling it would involve or the effects it would have.

i was finally able to understand it enough with the help of LowWaterMark's instructions....he just explained it in such a way that it all "clicked" and i was able to go through it step-by-step and disable it, with full confidence that if i needed to re-enable it for any reason, i can retrace my steps and do that too.

i just checked the Messenger in Services and it is disabled, but i would not have linked it to disabling NetBIOS.....partly because MSN Messenger and windows Messenger make it more confusing...and partly because i wasn't all that sure exactly what NetBIOS did.

disabling NetBIOS got rid of these listening:

System: 4 TCP microsoft-ssn (139)
System: 4 UDP netbios-ns (137)
System: 4 UDP netbios-dgm (13

LowWaterMark - thank you so much for your help! You've got a dozen karma-cookies coming your way!

snap

*amended spelling of NetBIOS - writes note to self to study computer terminology and SPELLING of it

 

Totally disable Messenger. You find it in control panel >
services > Messenger.
If you are on a windows 2000 network, remove NWLink from all computers' network properties.

 

Here's a quick way to get rid of it from the command prompt:

Use these commands:

sc config messenger start= disabled
sc stop messenger


(Keep spacing)

First one disables the autorun of the service, second one stops it.

No more net send spam

 

Re: "NET SEND" SPAM- a New Headache

What if a dull friend of mine already spammed me with net send messages, how can I remove them without having to click them all?

 

Re: "NET SEND" SPAM- a New Headache

Firewalls have the capability to BLOCK Windows Messenger spam.

 

Re: "NET SEND" SPAM- a New Headache

Please also have a look here:

http://www.firewallleaktester.com/wwdc.htm

 

Re: "NET SEND" SPAM- a New Headache

If you have a good firewall protecting your computer, and ALL ports are STEALTH, then you are already very safe from most of the current threats.