• Unsolicited Webpopups – the new Spam? (IE5.5)


    • This topic has 35 replies, 12 voices, and was last updated 22 years ago.
    • #377838

    For the first time today a windows message box just popped up on my screen, offering me “University Diplomas” of my choice, to be delivered within a few days.
    I was not surfing the web, nor using IE at the time. It just popped up. I have a permanent cable connection to the Internet. I have full Anti-Virus and Firewall software
    operating. How can this be done? I know you can programme IE to bring up such a window when exiting a web page but I was not actually doing this at the time.
    Can they put it on a time delay? The message box is worded to give you the impression it is a message sent directly to you, but it ain’t an email!
    See attached file for screenshot.

    • #623425

      “Can they put it on a time delay?”

      Yes. In fact, many pop-ups now are on delay so that you are already at a different web site when they pop up. Insidious! You need a pop-up utility to stop these…antivirus & firewalls aren’t designed for this purpose. I’ve seen several people recommend pop-up stopper. I personally use AdSubtract Pro, which you can find at http://www.adsubtract.com/
      Cheers,

    • #623671

      Yes, I got the same thing last evening. I don’t understand the comment about “time delay”. How would that work? What is the driver that makes the pop-up link work when IE is closed? Is there an ActiveX or Java applet running in the background? If so, why wasn’t that piece of code closed when IE was closed? Something has to be running to cause something else to execute.

      Seems to me that this could be a very serious security problem.

      • #623689

        That’s exactly what I believe. In my case IE was closed too. Some executable of some kind must be left behind.
        What else could they leave behind?

      • #623693

        Also, I am in Melbourne at GMT +10 HOURS. What time zone are you in? I notice that there is close to seven hours difference exactly between the times
        displayed on the popup. It would be quite a coincidence that we both browsed the same webpage simultaneously wouldn’t it?
        I am more in favour of the theory of some sort of internet broadcasting taking place.
        ps I noticed the phone number is different. I actually phoned this number out of curiosity but now I wonder if it is one of those
        numbers that charges you a fortune per minute because the voice at the other end was a very long winded voicemail message with many silly instructions.
        Sort of like they were trying to keep you on the line…if you see what I mean.

        • #623705

          I am in (GMT-08:00) Pacific Time (US & Canada); The area code on my pop-up (615) is for Tennessee. The 817 on yours is for Ft. Worth, TX.

          Can you broadcast directly to an IP address? Even if you can, what is displaying the info on the screen? Why isn’t my firewall (ZA Pro) blocking this?

          • #624272

            It happened again. This time the phone number is different. I had not been surfing for several hours.
            Also, I activated the anti-popups feature in my Zone Alarm Pro. It made no difference.
            One wonders what else they can do to your computer with whatever scripting they are using.

            • #624296

              You have some sort of spyware (or adware) running on your computer. Download a program called StartupList and paste the entire contents of the text output here for us to look at.

              http://www.lurkhere.com/~nicefiles/

            • #624390

              That’s strange. I have RegRun Security suite installed which is supposed to prevent that kind of thing I thought. Maybe the Spyware is masquerading as something
              else that I have approved in RegRun when the warning came up?
              Anyway, here is the attached list from StartupList…(attached).
              Thanks, I’d be keen to hear what you think.

            • #624421

              post 187814 basically states to me that there doesn’t have to be an executable running in the background. Windows can retain the command in memory all by itself, and spawn the message after any programmed interval. You could use Filemon to monitor processes on your machine, if you want to verify this, but I would think that Windows is acting all on its own here, with a slight push from the questionable site in question.

            • #624445

              Well, your computer is fairly clean. I can make a few recommendations on your list — but first let’s fix your problem.

              I disagree that this is something that Windows can “retain in the memory”. I also disagree that this is some delayed Internet Explorer Popup. The title bar clearly shows this is not Internet Explorer — it says “Messenger Service”. However, this is also not something that is due to an executable running on your system. This is a gift from Microsoft. The key is in the title bar — Messenger Service.

              This is apparently due to a “Service” that Win2K runs — eh, called Messenger Service. This service is connected to the Internet with an OPEN port and can be seen by running the “netstat -an” command in a cmd Window.

              It appears the message comes via the “RPC endpoint mapper” through port UDP-135 — which lives in “rpcss.dll”. I have to run, but a quick MSKB article on this service is here:
              http://support.microsoft.com/default.aspx?…b;en-us;Q168893

            • #624470

              I’ve turned off the Messenger Service – setting it to ‘disabled’.
              Those recommendations about my system would be appreciated if you have the time.
              Thanks

            • #624449

              Umm, did you guys read my post 187817 above? Did you turn off the MESSENGER SERVICE?????

            • #624593

              *Excessive Verbosity Warning*

              I saw — eh, actually read — your post after I had posted my findings! I was working at this from a different angle. I downloaded the StartupList text file and went through it as I drove home from work. When I found nothing of major importance (no bad looking .exe or other Startup item), I focused my attention on the Windows title bar and searched elsewhere on the Internet for answers. I was rushing (with my wife yelling to help with putting the kids to bed!) as I reported back what I found. So, no, I did not read your post until this AM!
              _____________________________________

              Here is some more information:

              1) As above, the scripts appear to be sending these popups through udp/135 (Microsoft RPC mapper). If you can block UDP port 135 with your firewall, you should be able to prevent these messages.

              2) **Disabling Messenger may not be appropriate in some situations**, for example, if you are depending on Messenger alerts from other applications (e.g. Anti-virus, SQL Server Job Scheduler, etc…). If you require Messenger, then you should instead use a firewall to block access to TCP and UDP port 135.

              3) If you are using a firewall (such as ZAPro, in this case), then *you* are likely (in part) responsible for allowing the Messenger Service to work. For this to get through Zone Alarm, you had to allow *server rights* for “generic host process”.

              4) Several articles (such as the one from TechTV) incorrectly state this is a port 137-138 (NetBios over TCP/IP) problem — but that appears to be incorrect. Blocking ports 137-139 does not (apparently) prevent this attack. This is a problem with the RPC mapper (Remote Procedure Call – DCE endpoint resolution) port 135 being kept open.

              5) Net SEND is using UDP port 135 to “map” what higher numbered ports are open, and then sending the Messages through the higher numbered ports.

              6) SVCHOST.exe is apparently the running process that is keeping the mapper port (135) open and allowing this to occur. If you prevent SVCHOST from acting as a server, this should close port 135 — and the Messages should be blocked. In the words of WildCatBoy:

              “Disallowing SVCHOST to accept connections (In ZA terms denying it server access) will assure that Net Send commands from outside your Network will never get to you.”

              This is a better solution than shutting down the Messenger service all together. Another quote from WildCatBoy:

              “I personally don’t think disabling the messenger service is the way to go. Messenger service in NT based systems is not just used for Net send commands. There are other implications. For example any application that uses the feature could be crippled. One example would be your virus scanners. They would still most likely work but you may never get the pop up alert when it detects a virus.

              I know for a fact that on my W2K server, if the messenger service is disabled, McAfee no longer alerts you when it finds a virus. This can affect a number of applications.

              The right way to go about this IMHO is having a firewall. Your well configured firewall easily protects you from those pop ups.

              I can bet that those of you with a firewall who still get those pop ups must have allowed SVCHOST (Generic Host process for W32 services) to go out and accept calls.”
              _____________________

              Here is the Wired article on this subject:
              Spam Masquerades as Admin Alerts

              They say:

              “A new breed of pop-up ads is appearing mysteriously on Microsoft Windows users’ computers. The so-called “Messenger spams” have security experts and system administrators scratching their heads — and recipients fuming.

              Some of the ads, which hit Windows systems through backdoor networking ports and not by e-mail or Web browsing, appear to have been generated by Direct Advertiser, a $700 software program developed by Florida-based DirectAdvertiser.com.

              By tapping into Messenger, a Windows service originally designed to enable system administrators to send messages to users on a network, Direct Advertiser can deliver “completely anonymous and virtually untraceable” ads “straight to the screen of your client,” according to the company’s website.

              “Now somebody on the other side of the world can sit there and pop up messages on your screen,” said Gary Flynn, a security engineer at James Madison University, where users have recently reported receiving pop-up spam selling university diplomas…..”

              Be sure to check out the link just above as well — which also describes the “party line” method to turn off the Messenger Service.
              __________________________

              This is a more technical article that describes how to turn off various Win2K/XP services. This is certainly not for everyone to read. Look specifically for information on the RPC mapper and port 135.
              __________________________

              Lastly (I swear!), here is a quote from Ackerman’s site:

              “NET SEND on Windows

              There has been a recent (2002-10-11) upsurge in NET SEND spam. This will pop up a window on a Windows machine, using the Messenger Service (note this is different from Windows or MSN Messenger, it’s a low-level service built-in to the Windows operating system).

              The recent messages are making it past the usual NetBIOS filters (ports 137-139, port 445) because in Windows 2000 and XP, the Messenger Service now works using RPC. A lookup is done on port 135 (epmap, DCE [RPC] endpoint resolution). That tells what high-numbered port the Messenger Service is listening on. The best way to stop this is to permanently disable the Messenger Service. You may also want to block port 135. I have also included information about Microsoft Distributed COM (DCOM), which uses port 135….”
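The post above says the exposure can be seen with `netstat -an` and names the ports involved: 135 (RPC endpoint mapper, both transports), 137-139 (NetBT) and 445. The checker below is an added example, not code from the thread or from any of the tools it mentions; it parses the Windows 2000/XP `netstat -an` layout and flags the Messenger-relevant sockets that are bound to a routable address. The SAMPLE output is constructed for the example, not captured from the poster's machine.

```python
"""Flag Messenger-spam exposure from `netstat -an` output (Windows 2000/XP layout).

Added example for the thread, not the poster's tool. SAMPLE is constructed.
"""
import re
from dataclasses import dataclass

# Ports the thread ties to Messenger delivery: 135 (RPC endpoint mapper),
# 137-139 (NetBIOS over TCP/IP) and 445 (SMB over TCP).
MESSENGER_PORTS = {
    ("TCP", 135): "RPC endpoint mapper (epmap)",
    ("UDP", 135): "RPC endpoint mapper (epmap)",
    ("UDP", 137): "NetBIOS name service (NetBT)",
    ("UDP", 138): "NetBIOS datagram service (NetBT)",
    ("TCP", 139): "NetBIOS session service (NetBT)",
    ("TCP", 445): "SMB over TCP",
}

# Matches "  TCP    0.0.0.0:135   0.0.0.0:0   LISTENING" and "  UDP    0.0.0.0:135   *:*"
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)(?:\s+(\S+))?\s*$")


@dataclass(frozen=True)
class Listener:
    proto: str
    addr: str
    port: int


def parse_netstat(text):
    """Return sockets that accept inbound traffic: every UDP socket and TCP
    sockets in LISTENING state. Established connections are skipped."""
    found = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        proto, addr, port, _foreign, state = m.groups()
        if proto == "TCP" and state != "LISTENING":
            continue
        found.append(Listener(proto, addr, int(port)))
    return found


def exposed(listeners):
    """Messenger-relevant listeners bound to something other than loopback,
    as sorted (proto, port, description) tuples."""
    hits = []
    for l in listeners:
        key = (l.proto, l.port)
        if key in MESSENGER_PORTS and not l.addr.startswith("127."):
            hits.append((l.proto, l.port, MESSENGER_PORTS[key]))
    return sorted(hits)


# Constructed sample of a stock Win2K/XP host with the Messenger Service running.
SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    192.168.1.5:139        0.0.0.0:0              LISTENING
  TCP    192.168.1.5:1031       64.4.12.1:80           ESTABLISHED
  UDP    0.0.0.0:135            *:*
  UDP    0.0.0.0:445            *:*
  UDP    192.168.1.5:137        *:*
  UDP    192.168.1.5:138        *:*
  UDP    127.0.0.1:1032         *:*
"""

if __name__ == "__main__":
    for proto, port, why in exposed(parse_netstat(SAMPLE)):
        print(f"{proto:<3} {port:<5} {why}")
```

On the sample the checker reports both transports of port 135 plus 137, 138, 139 and 445; the loopback-only UDP socket and the established web connection are ignored. Run it against real output with `netstat -an > ns.txt` and `parse_netstat(open("ns.txt").read())`; an entry for 135 means the endpoint mapper the post describes is reachable unless a firewall in front of it blocks that port.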

            • #624708

              “downloaded the StartupList text file and went through it as I drove home from work”

              Jeez, I hope you were the passenger, not the driver!!!!!!!

              Bob

            • #624746

              I drive in 2 mph gridlock traffic with plenty of “down time”. I could read War & Peace driving home! ;-]
              ___________________

              Lawrence (MyNetWatchman) deserves a lot of credit for discovering this ‘issue’. He has gone into even more detail on how this works here:
              http://www.mynetwatchman.com/kb/security/a…pam/netsend.htm

              Just in case some one wants EVEN MORE information!

          • #623718

            [Edited by WyllyWylly to add URL code.]

            Enter this into Google:
            “messenger service” +diplomas +popup

            There are some threads on this problem. Below is a good explanation and solution.
            ———————————————————————————-
            http://mattdrury.net/showfile.asp?which=messpam.txt

            MattDrury.Net – Mmm, messenger spam
            ——————————————————————————–

            If you’re running Windows NT, 2000 or XP, aren’t you in for a treat. Spammers can now stick their tripe on your screen as if Windows was alerting you to something important.

            “Messenger spam” uses what’s called a Service in NT-based operating systems – something that loads when Windows starts and sits behind the scenes doing its job. This isn’t the same as Instant Messaging, Yahoo or MSN Messenger or any other chatty programs; this is something Windows has as part of its operating system.

            Normally the messenger service is used for handy things like your printer letting you know it’s out of paper, or the guru at your office alerting you to server maintenance, but spammers have begun using this as another way to annoy you with their tripe, sometimes phrased as if it’s a system message to increase its perceived importance.

            Fortunately, it’s easy to stop messenger spam in its tracks. You can do it one of two ways:

            1a. NT/2000 users: Choose Start, Settings, Control Panel. Click on Administrative Tools, then Services. Scroll down until you see “Messenger.” Right-click on it and choose Stop. Let it do its business. Then right-click on it again and select Properties. Change “Startup Type” to “Disabled” and choose OK.

            1b. XP users: Choose Start and open the Control Panel. Choose Performance/Maintenance, Administrative Tools, then Services. Scroll down until you see “Messenger.” Right-click on it and choose Stop. Let it do its business. Then right-click on it again and select Properties. Change “Startup Type” to “Disabled” and choose OK.

            2. If your firewall blocks port 139 you’re golden. Zone Alarm’s free version does this and you can score a copy at http://www.zonelabs.com – it’s worth having for a variety of reasons, this being one of them. Folks who work in companies who need messenger support in-house but not from the Net in general should ask their netadmin for tweakin’ help.

            ——————————————————————————–

            • #624468

              Thanks for that information – it is all VERY interesting…sort of.
              It seems that Microsoft is the biggest perpetrator of spam and internet insecurity.
              I have disabled the messenger service as explained but was wondering if this will disable
              normal system messages?

            • #666558

              Am I interpreting your post correctly that if I disable messenger, Windows won’t be able to give me the warning about printer out of paper and other such (non-spam) messages?

              (I would like to figure out how to cause all the spammers to have something they enjoy doing constantly interrupted by something they don’t care about and would rather not deal with!)

              -cynthia

            • #666605

              It really depends on the type of printer and what mechanism it uses to notify you. If the printer uses the “Alerter” or “Messenger” Services, then shutting down the Messenger Service will disable this….

            • #666648

              Thanks.
              I now realize that question was answered earlier in the thread – I overlooked a couple pages when I read it yesterday – But thank you for the three new concise replies to this question. This stuff DOES get dense for us non (or merely semi)-techies, as has also earlier been observed!

              -cynthia

    • #624590

      [Edited by Leif to correct minor error in URL]

      I received a link to this page from TechTV – Spam Takes New Form. The messenger service built in to WinNT/2K/XP allows unscrupulous spammers to use the command-line command NET to send a spam message directly to your IP address and have your system deliver the message automatically. I highly recommend reading this article.

      • #624731

        Thanks, now I know what is happening.
        It is pretty much what I first suspected – abuse of a Windows feature.

        • #624761

          Abuse yes, but I think perhaps that disabling the messenger service could be verging on overkill? Some of the reading I was able to get in suggests that the messenger might be vital to some other programs, such as antivirus – and I don’t think we want to miss any of those type of messages. I installed the free version of ZoneAlarm tonight and within 10 minutes of dialing up ZA had stopped an attempt to hit me with one of these popups. I even followed through on ZA’s “more info” and it turns out that this supposedly hard-to-trace attack left considerable information behind.

          • #624818

            The complete information on this is still being worked out (Thursday AM). David shows that NetBT (NetBIOS over TCP/IP) can be used in this “attack”. (For the time being I will consider this an attack because these specific messages are unwanted spam for most of us).

            YES –as I quoted WildCatBoy above in my diatribe — “Killing the Messenger” may disable some very important functions. I would recommend AGAINST the reports out there that say the solution is to shut down the Messenger Service. However, most people ARE recommending that — and that is exactly how this problem has been “solved” in this thread. Well, most people may just be wrong…
            ___________

            All you really need do is prevent incoming Internet UDP packets from reaching the Messenger Service — and this SHOULD be possible with an appropriately configured firewall. There is more to it than originally meets the eye…

            Apparently the “DirectAdvertiser application” (the program on the other end responsible for these messages) is quite smart. It initially tries to send the messages via NetBT. That is exactly what David shows being blocked above. Port 137 is the “NetBios Name Service” port. [If you ever read any of Steve Gibson’s pages, he will tell you that this port should likely be closed to the Internet on most computers.] Because of Steve (and others), many users have closed this port — thereby preventing this method of attack.

            This is where the DirectAdvertiser program gets real smart. If it finds it cannot get to the Messenger Service via NetBT (port 137), it switches to using the Remote Procedure Call method — and port 135.

            Port 135 is apparently held open on WinNT-XP boxes through either svchost.exe or services.exe. If you have granted “server permissions” to either of these, then you have potentially opened the door for these Messages — even if you have closed the NetBT ports 137-139.

            Again, this is still a work in progress and all the details are still being hammered out. I will keep anyone interested informed. Cheers.
            ___________________

            Addendum: Good news from Lawrence (myNetWatchman):

            “I noticed that all the ev1.net IPs that were sending the initial stream of popups were no longer pingable.

            Just got off the phone with the abuse guy he indicated they were all shut down for violation of AUP (Acceptable Use Policy).

            Somehow I think DirectAdvertiser will be deluged with refund requests today.
            __________________

            So it seems the source of these ads has been squelched — for now!!!

            In case anyone is interested in more followup, here is an article on the issue today:
            http://news.com.com/2100-1001-962483.html?tag=fd_top_1
            Notice that Lawrence gets quoted in that story as well! ;-]
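The post above (and point 4 of the longer write-up earlier in the thread) describes a sender that tries NetBT first and falls back to the RPC endpoint mapper on port 135 when 137-139 are closed, which is why blocking only the NetBIOS ports fails. The simulation below is an added example written for this page; it is not DirectAdvertiser code and not from any of the posters. It models inbound firewall rules as a first-match list that allows by default, and assumes, for illustration, that the endpoint mapper hands the sender UDP port 1026 for the Messenger interface; the listener sets are constructed.

```python
"""Simulate the two Messenger-spam delivery paths against inbound firewall rules.

Added example for the thread; rule semantics, listener sets and the dynamic
RPC port value (1026) are assumptions made for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    proto: str   # "TCP" or "UDP"
    low: int     # inclusive inbound destination port range
    high: int
    action: str  # "allow" or "block"


def decide(rules, proto, port):
    """First matching rule wins; no match means allow (a host with no firewall)."""
    for r in rules:
        if r.proto == proto and r.low <= port <= r.high:
            return r.action
    return "allow"


# Assumed port the endpoint mapper returns for the Messenger RPC interface.
RPC_DYNAMIC_PORT = 1026

# Hops the sender must complete on each path, tried in this order: NetBT first,
# then the RPC route (epmap lookup on 135, then the mapped port).
PATHS = (
    ("netbt", (("UDP", 137), ("UDP", 138))),
    ("rpc", (("UDP", 135), ("UDP", RPC_DYNAMIC_PORT))),
)


def deliver(rules, listeners):
    """Name of the first path on which every hop is allowed by the firewall and
    answered by a listening socket; None when the message cannot land."""
    for name, hops in PATHS:
        if all(decide(rules, p, n) == "allow" and (p, n) in listeners for p, n in hops):
            return name
    return None


# Constructed listener sets: a stock Win2K/XP host, and the same host after
# svchost has been denied server rights so the mapper and its mapped port are gone.
STOCK_HOST = {("UDP", 135), ("TCP", 135), ("UDP", 137), ("UDP", 138),
              ("TCP", 139), ("UDP", RPC_DYNAMIC_PORT)}
SVCHOST_NO_SERVER = STOCK_HOST - {("UDP", 135), ("TCP", 135), ("UDP", RPC_DYNAMIC_PORT)}

NO_FIREWALL = []
# The advice the thread calls incorrect: block only the NetBIOS ports.
NETBIOS_ONLY = [Rule("UDP", 137, 139, "block"), Rule("TCP", 137, 139, "block")]
# Corrected: also block the endpoint mapper on both transports.
NETBIOS_AND_RPC = NETBIOS_ONLY + [Rule("UDP", 135, 135, "block"), Rule("TCP", 135, 135, "block")]

if __name__ == "__main__":
    scenarios = (
        ("no firewall", NO_FIREWALL, STOCK_HOST),
        ("137-139 blocked only", NETBIOS_ONLY, STOCK_HOST),
        ("137-139 and 135 blocked", NETBIOS_AND_RPC, STOCK_HOST),
        ("137-139 blocked, svchost no server", NETBIOS_ONLY, SVCHOST_NO_SERVER),
    )
    for label, rules, host in scenarios:
        print(f"{label:<36} -> {deliver(rules, host)}")
```

With no firewall the message lands over NetBT; with only 137-139 blocked the sender falls back to the RPC route and still lands; blocking 135 as well, or removing the mapper by denying svchost server rights on top of the NetBIOS block, leaves no path. The Messenger Service itself keeps running in every scenario, which is the point the thread makes against disabling it outright.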

            • #624974

              Thanks for your information.

              Working together answered a lot of questions and provided the solution!

              btw: Yes, I had enabled svchost through ZA. It sounded like something I should allow. Oops. I’ve removed server rights from this now…

            • #634763

              How do we non-techie types know how to answer those firewall questions anyway? Is there a place where we can go to get the right answer when Zone Alarm asks those permission questions? I’m the last person it should be asking. I’d need something that explains “when you’re using this program and you’re doing abc, then give it this permission, else if you’re doing def, give it this permission, …”.

            • #634772

              Wendy,

              Might I be so bold as to say “start at the Lounge?” Probably the best thing to do is to allow the program asking for permission one-time access, writing down the name of the program, and then posting something here.

              Zone Labs and the other firewall manufacturers touch on some of this, but don’t explain it as well as I think they should. Sadly firewalls are innately difficult things to understand anyway, but with a gang of Loungers I bet we can make sense of some of the important things!

            • #634812

              >How do we non-techie types know how to answer those firewall questions anyway? Is there a place where we can go to get the right answer when Zone Alarm asks those permission questions? I’m the last person it should be asking. I’d need something that explains “when you’re using this program and you’re doing abc, then give it this permission, else if you’re doing def, give it this permission, …”.<

              Zone Labs has a really good PDF help manual available for downloading. It's much better than the help file. This was not included in my original download, so I had to go to the website to do the download. Hopefully, the link below will get you there (It's for ZA Pro 3.1). If not go to the Service & Support section of the website and click on your version. On the right hand side is the Technical Resources section. Click on "Browse Product Help Files".

              http://www.zonelabs.com/store/content/supp…09957!7511!7512

            • #634857

              I agree with all the above statements. My theory is: When in doubt, DENY the program access — and see what you cannot do. Alternatively, give the program one time access. If it keeps asking for access, then you will have to decide if you want to give it full access based on what it does for you.

              Ask here if you have questions about specific programs / applets. There are plenty of users who NEVER give any program full access — they even require IE and Outlook Express to ask for permission each and every time. That is probably overkill, but this is a personal decision one must make. Granted, there is no ‘guide to making security decisions’ — this is because 5 people will give you 10 different answers…

            • #626802

              I was sent this “spam” or semi spam from Coffee Cup software.
              I think it might be of interest – you can ignore the commercial content.
              >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
              Hello,

              There is an ominous new way to send you ads and popups that
              does not use E-mail or a Browser. They are called DirectAds.
              DirectAds are “completely anonymous, virtually untraceable,
              and can pop up on your computer at any time”.

              Stop these ad attacks before they start with
              CoffeeCup DirectAd Blocker.

              => http://www.coffeecup.com/blocker/

              As reported on CNN this week:

              “A developer of bulk-mail software has figured out how to blast
              computers with pop-up spam over the Internet through a
              messaging function on many Windows operating systems. But there’s
              a difference: Anyone can send the messages, and there’s
              no need for the user to have an Internet browser open…….”
              (rest of the story on our site)

              CoffeeCup DirectAd Blocker finds the faults on your system that allow
              this type of message and blocks them, effectively stopping DirectAds
              from invading your computer for good. There is more information on
              our site for you to check out.

              http://www.coffeecup.com/blocker/

          • #666556

            Hi, Dave ~

            Regarding your post 189087, I was unable to locate this window. How/where did you pull this up please?

            • #666612

              To get this information, I went to ZoneAlarm’s ‘Alerts and Logs’ screen, highlighted the alert in question, clicked on the ‘More Info’ button at the bottom of the screen (which opened up my browser to fwalerts.zonelabs.com), and then went to the ‘Technical Info’ tab on the screen.

            • #666614

              David ~

              Right on!

    • #623692

      [Edited by WyllyWylly to add URL code.]

      One cheap solution is to get the hosts file from the packagers of http://kazaalite.com. The file sets hundreds of commercial URLs to 127.0.0.1. The popups still open but they open faster and to nothing. The one problem I had with the solution is some useful servers, like the ones on Yahoo serving up news, would get blocked. So I took out the hosts file. But I’m getting annoyed by them again, and I may go back and just comment out the few servers that are useful to me.

      Another solution is http://spyblocker.com
