Detecting Windows Messenger Popup Spam

Spam is a pervasive problem on the Internet, and we are all feeling the effects of this scourge. One common way that spammers try to have their spam viewed by more people is by sending it directly through the Windows Messenger service. Although it is pretty useless to detect this traffic when it's coming from external networks (because each spam message can be spoofed and only a single UDP packet is required to transmit it unless the message is large), it can be important to detect it when it's coming from your internal network. Any system that is generating such traffic on your intranet may have been compromised and used to send spam by someone controlling the system from afar.

Because psad treats packets that are logged in the INPUT chain as having been directed at the home network (regardless of whether they come from internal addresses), the following signature detects Windows pop-up spam attempts when they are directed at the firewall (note at © the UDP with a destination port range from 1026 to 1029 at © and an application layer data size greater than 100 bytes with the psad_dsize test at ©).

alert Oudp $EXTERNAL_NET any -> $HOME_NET ©1026:1029 (msg:"MISC Windows popup spam attempt"; classtype:misc-activity; reference:url,; ©psad_dsize:>100; psad_id:l00l96; psad_dl:2;)

The log message shows how iptables sees a pop-up spam message attempt (note that the destination port is 1026 and the size of the UDP packet, including the 8-byte UDP header, is 516 bytes):

Jul 14 15:03:24 iptablesfw kernel: DROP IN=eth0 OUT= MAC=00:l3:d3:38:b6:e4: 00:90:1a:a0:1c:ec:08:00 SRC= DST=71.157.X.X LEN=536 TOS=0x00 PREC=0x00 TTL=117 ID=6090 PROTO=UDP SPT=3515 DPT=1026 LEN=516

psad notices the traffic and generates a syslog alert:

Jul 14 15:03:29 iptablesfw psad: src: signature match: "MISC Windows popup spam attempt" (sid: 100196) udp port: 1026

NOTE Although the previous examples have highlighted psad's Snort rule detection capability with an emphasis on rules that test packet headers, running fwsnort provides a huge improvement: The detection capabilities of psad are extended to include application layer data, as you'll see in detail in Chapter 11.

Was this article helpful?

0 0

Post a comment