The Microsoft Messenger service is used to send messages to other computers on the network. However, it can be abused to 'spam' users with popup messages. The service usually communicates over SMB/NetBIOS; if the target computer has not registered its Messenger service name (NetBIOS suffix 0x03), the sender falls back to the DCE-RPC interface instead. Therefore, to completely block this attack, both the SMB/NetBIOS path and the DCE-RPC path must be blocked.
Severity:
This is a social-engineering attack that an attacker can use as a stepping stone for other attacks.
Details:
The Microsoft Messenger service is used to send messages to other computers on the network. Recently, however, it has been used as a 'spam' tool to deliver unwanted popup and advertisement messages.
The attacker first checks whether the target computer has registered its Messenger service in the NBT name table. The Messenger service registers its name with NetBIOS suffix 0x03 (http://jcifs.samba.org/src/docs/nbtcodes.html). If the name is registered, the message is sent over SMB/NetBIOS. If it is not registered, the sender falls back to the DCE-RPC interface, so a block that covers only SMB/NetBIOS is incomplete. The DCE-RPC interface with UUID 5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc is the one used by MS Messenger. The attached update blocks this interface, thus completely blocking MS Messenger services.
Attack Detection:
Using SmartView Tracker, review the logs of connections dropped by the MSMessenger service rule or by the 'Block Popup Messages' protection described below.
Security Administrators managing NG with Application Intelligence:
Install the latest SmartDefense update. This adds the service MSMessenger to the DCE-RPC services. Using this service, you can granularly block MS Messenger while allowing other legitimate DCE-RPC sessions to pass.
Block popup messages delivered via SMB/NetBIOS by checking 'Block Popup Messages' under Application Intelligence->Microsoft Networks in the SmartDefense tab.
Security Administrators managing NG Feature Pack 3:
Download the attached file (200317.dbe, MD5: 1b2963bbbbf302591aeaea86e653a127) to your SmartCenter server and run the command 'dbedit -f 200317.dbe'. This automatically inserts a new DCE-RPC service called 'MSMessenger'.
Alternatively, you can manually create a DCE-RPC service called 'MSMessenger' (from the Manage menu, Services->New->DCE-RPC) and enter the Interface UUID 5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc.
Using this service, you can granularly block MS Messenger while allowing other legitimate DCE-RPC sessions to pass.
In order to effectively use the service in the rulebase, follow these guidelines:
If you wish to enable specific DCE-RPC service(s), perform the following operations:
Define a rule with the specific DCE-RPC service(s), with Action 'Accept'.
Immediately under that rule, define a rule with the MSMessenger service and Action 'Drop'.
If you wish to enable all DCE-RPC services (using the ALL_DCE_RPC service, available in NG with AI R54 and above) except MSMessenger, perform the following operations:
Create a new DCE-RPC service with a non-existent UUID (for example, 12345678-1234-1234-1234-123456789012).
Create a new rule using this non-existent DCE-RPC service, placed above all other rules with DCE-RPC services, with Action 'Accept'.
Immediately under that rule, define a rule with the MSMessenger service and Action 'Drop'.
Define a rule with the ALL_DCE_RPC service, with Action 'Accept'.
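As an added example, not Check Point's code and not part of the original advisory, the following Python shows the two pieces the Details and the rulebase guidelines above rely on: how the Messenger interface UUID is identified inside a DCE-RPC bind request (the granular match the MSMessenger service performs), and why rule order matters when ALL_DCE_RPC is in use. The bind PDUs, rule lists and function names are constructed for illustration; only the MS Messenger UUID, the ALL_DCE_RPC service name and the placeholder UUID come from the advisory, and the NDR transfer-syntax UUID is the standard one every bind carries.

```python
"""Added example: pick out the MS Messenger DCE-RPC interface in a bind request
and run it through a first-match rulebase ordered as the advisory recommends.
Example code, not Check Point's; the PDUs below are constructed inline."""
import struct
import uuid

# Interface UUID given in the advisory for the MS Messenger interface
MSMESSENGER_UUID = uuid.UUID("5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc")
# The advisory's placeholder for a DCE-RPC service that matches no real interface
PLACEHOLDER_UUID = uuid.UUID("12345678-1234-1234-1234-123456789012")
# Standard NDR transfer syntax advertised in every bind (not from the advisory)
NDR_SYNTAX = uuid.UUID("8a885d04-1ceb-11c9-9fe8-08002b104860")

PTYPE_BIND = 11
DREP_LITTLE_ENDIAN = b"\x10\x00\x00\x00"   # packed_drep: little-endian integers, ASCII


def build_bind(abstract_uuids, call_id=1):
    """Build a connection-oriented DCE-RPC v5 bind PDU with one presentation
    context per requested interface (interface version 1.0, NDR transfer syntax)."""
    ctx_list = b""
    for cont_id, iface in enumerate(abstract_uuids):
        ctx_list += struct.pack("<HBB", cont_id, 1, 0)           # p_cont_id, n_transfer_syn, reserved
        ctx_list += iface.bytes_le + struct.pack("<HH", 1, 0)    # abstract syntax: uuid + major/minor
        ctx_list += NDR_SYNTAX.bytes_le + struct.pack("<HH", 2, 0)
    body = struct.pack("<HHI", 5840, 5840, 0)                    # max_xmit_frag, max_recv_frag, assoc_group_id
    body += struct.pack("<BBH", len(abstract_uuids), 0, 0)       # n_context_elem, reserved, reserved2
    body += ctx_list
    header = struct.pack("<BBBB4sHHI", 5, 0, PTYPE_BIND, 0x03,   # rpc_vers 5.0, bind, first|last frag
                         DREP_LITTLE_ENDIAN, 16 + len(body), 0, call_id)
    return header + body


def bind_interfaces(pdu):
    """Return every (uuid, major, minor) abstract syntax requested in a bind PDU.
    A match that only inspects the first context element can be evaded by
    listing the Messenger interface second, so all elements are returned."""
    if len(pdu) < 28 or pdu[0] != 5 or pdu[2] != PTYPE_BIND:
        raise ValueError("not a DCE-RPC v5 bind PDU")
    little = (pdu[4] & 0xF0) == 0x10       # high nibble of packed_drep: 1 = little-endian ints
    e = "<" if little else ">"
    frag_len = struct.unpack_from(e + "H", pdu, 8)[0]
    if frag_len != len(pdu):
        raise ValueError("frag_length does not match PDU size")
    n_ctx, off, result = pdu[24], 28, []
    for _ in range(n_ctx):
        if off + 4 > len(pdu):
            raise ValueError("truncated context list")
        _cont_id, n_ts = struct.unpack_from(e + "HB", pdu, off)
        off += 4
        if off + 20 + 20 * n_ts > len(pdu):
            raise ValueError("truncated context element")
        raw = pdu[off:off + 16]
        iface = uuid.UUID(bytes_le=raw) if little else uuid.UUID(bytes=raw)
        major, minor = struct.unpack_from(e + "HH", pdu, off + 16)
        result.append((iface, major, minor))
        off += 20 + 20 * n_ts                # skip abstract syntax and its transfer syntaxes
    return result


def evaluate(rules, iface):
    """First-match evaluation, top to bottom, as a firewall reads its rulebase.
    A rule is (set of interface UUIDs | "ALL_DCE_RPC", action); an implicit
    cleanup rule drops anything unmatched."""
    for match, action in rules:
        if match == "ALL_DCE_RPC" or iface in match:
            return action
    return "Drop"


def decide(rules, pdu):
    """Policy decision for a whole bind: drop if any requested interface is
    dropped (this conservative choice is the example's, not the advisory's)."""
    verdicts = [evaluate(rules, iface) for iface, _, _ in bind_interfaces(pdu)]
    return "Drop" if "Drop" in verdicts else "Accept"


# Ordering the advisory gives when ALL_DCE_RPC is used: placeholder accept,
# MSMessenger drop directly beneath it, ALL_DCE_RPC accept last.
RECOMMENDED = [
    ({PLACEHOLDER_UUID}, "Accept"),
    ({MSMESSENGER_UUID}, "Drop"),
    ("ALL_DCE_RPC", "Accept"),
]
# Ordering to avoid: ALL_DCE_RPC matches first and shadows the drop rule.
SHADOWED = [
    ("ALL_DCE_RPC", "Accept"),
    ({MSMESSENGER_UUID}, "Drop"),
]

if __name__ == "__main__":
    msgsvc_bind = build_bind([MSMESSENGER_UUID])
    hidden_bind = build_bind([PLACEHOLDER_UUID, MSMESSENGER_UUID])
    for name, rules in (("recommended", RECOMMENDED), ("shadowed", SHADOWED)):
        print(name, decide(rules, msgsvc_bind), decide(rules, hidden_bind))
```

Run stand-alone, the recommended ordering drops both binds that request the Messenger interface, while the shadowed ordering accepts them because ALL_DCE_RPC matches before the MSMessenger drop rule is ever consulted. The second bind, which lists the Messenger interface as its second context element, is why the parser returns every abstract syntax rather than only the first.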