Messenger Service


William C.

Some of my Win2k server & WinNT server sometime pop-up with a "Messenger
Service" with the detail,

"Message from EvidenceX.com to ........ on 15/11/03 11:24PM.
You are being watched... how about your Boss? Do you surf the internet and
email at work? Your work PC will be full of evidence. Destroy your evidence
and save you and your family! Go to EvidenceX.com and get free download."

What is it all about? Is the machine being hacked?
 
Does the window title say anything about Messenger? If so, you need a
firewall. 'Messenger spam' is not in itself harmful, but is symptomatic of
a larger problem - your computer has ports open from the Internet.

You can disable the Messenger service, but that is unwise as a solution as
you'll still have the underlying problem that caused you to get the messages
in the first place - consider the messages a useful warning that you have no
protection from the Internet. This is all too important now, given the
recent rash of RPC worms....

For a standalone machine, see www.sygate.com for a free personal firewall,
or if using Windows XP, you can enable the built-in internet connection
firewall (ICF).

See http://securityadmin.info/faq.htm for more info. Also,
http://www.mvps.org/winhelp2002/nopopups.htm is a good resource - although
for browser popups, you might want to consider http://toolbar.google.com -
it works like a champ and is also handy for searching.
 
Does the window title say anything about Messenger? If so, you need a
firewall. 'Messenger spam' is not in itself harmful, but is symptomatic of
a larger problem - your computer has ports open from the Internet.

You can disable the Messenger service, but that is unwise as a solution as
you'll still have the underlying problem that caused you to get the messages
in the first place - consider the messages a useful warning that you have no
protection from the Internet. This is all too important now, given the
recent rash of RPC worms....

What is unwise from a security standpoint is to run any services that
are not needed. If you don't need the Messenger Service, disable it.
If you need it, keep it running, but be aware that it has a serious
vulnerability that needs to be patched immediately.

http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/ms03-043.asp

What is also unwise from a security context is to use something as a
security tool that was never intended to be that. To use the
Messenger Service as an IDS of sorts for warning you that your
firewall is down is bad. If you need an IDS system to alert you to
intruders, run a real one. There is a free open source one called
Snort that would do the trick.
 
Kevin Davis³ said:
What is unwise from a security standpoint is to run any services that
are not needed. If you don't need the Messenger Service, disable it.
If you need it, keep it running, but be aware that it has a serious
vulnerability that needs to be patched immediately.
What is also unwise from a security context is to use something as a
security tool that was never intended to be that. To use the
Messenger Service as an IDS of sorts for warning you that your
firewall is down is bad. If you need an IDS system to alert you to
intruders, run a real one. There is a free open source one called
Snort that would do the trick.

What you say is not exactly untrue, but for most home users, hardening
a computer by disabling services and a long list of other things
manually is usually not the ideal answer, due to the time and
expertise necessary and the likelihood that mistakes will be made.
While it is true that firewall plus disabling services is more secure
than just firewall alone, for most home users, firewall should be the
first step, disabling the messenger service and Snort for IDS are
optional ninth and tenth steps.

Snort is a fine IDS, but there are a lot of other things that were
never meant to be IDS that are nevertheless good to monitor for signs
of intrusion, such as the Windows System and Application logs,
computer reboots, service starts and stops, file changes, IIS logs,
router syslogs, local user databases, windows file access auditing on
key files, etc.

Disabling the messenger service alone does not do very much to
increase the security of most home computers. There is currently only
one known vulnerability in the messenger service, and there is a patch
for that vulnerability. I would argue that leaving the messenger
service enabled with the patch installed can increase your security
compared to disabling the service.

The goal of computer security is not to become 100% secure no matter
what the cost.
 
What you say is not exactly untrue, but for most home users, hardening
a computer by disabling services and a long list of other things
manually is usually not the ideal answer, due to the time and
expertise necessary and the likelihood that mistakes will be made.
While it is true that firewall plus disabling services is more secure
than just firewall alone, for most home users, firewall should be the
first step, disabling the messenger service and Snort for IDS are
optional ninth and tenth steps.

I absolutely agree. Firewall first. Absolutely. Do the others as
time and expertise allows.

Snort is a fine IDS, but there are a lot of other things that were
never meant to be IDS that are nevertheless good to monitor for signs
of intrusion, such as the Windows System and Application logs,
computer reboots, service starts and stops, file changes, IIS logs,
router syslogs, local user databases, windows file access auditing on
key files, etc.

I would take issue with the idea that the logs were never meant to
monitor for signs of intrusion. I would contend that the logs are
there for a variety of reasons. One being providing evidence of
intrusion. The logs also are much more benign. They don't open a
possible port of entry up to be exploited.

Disabling the messenger service alone does not do very much to
increase the security of most home computers. There is currently only
one known vulnerability in the messenger service, and there is a patch
for that vulnerability. I would argue that leaving the messenger
service enabled with the patch installed can increase your security
compared to disabling the service.

Again, I would disagree. Months ago I argued that the Messenger
Service was a risk if you didn't need it to run. I suggested that at
any time a vulnerability could be discovered and exploited in it -
just like sendmail. I was ridiculed about that notion. Now why in
the world would we think that this would be the one and only
vulnerability in this service? Oh, I know, we'll use Internet
Explorer as an example. Only one vulnerability was ever found in it
and Microsoft fixed it immediately and there's never been a problem
with it since, right?

What should speak volumes in this particular case is the fact that
Microsoft in its next service pack and subsequent OS releases is
*disabling* the Messenger Service just because of the reasons I
mentioned. Bottom line is if you don't need the service, turn it off.
If you need it or don't know if you do leave the default settings.

Suggesting that this service provides some beneficial unintended side
effect as a warning system is quite a stretch, IMO. The only time it
would act as such is if someone sent a net send message to you. While
not extremely rare, it doesn't happen to everyone every day, let
alone have it happen so frequently that it would warn you within
minutes of your firewall being down. So in effect, by suggesting it
is a valuable warning system when in fact it is a very lousy one,
people can easily develop a false sense of security.

The goal of computer security is not to become 100% secure no matter
what the cost.

You can never be 100% secure. And I never said that one could. But I
am wondering, exactly what *cost* is there in taking 30 seconds of
one's life and disabling the Messenger Service?
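The "30 seconds" of disabling the Messenger service, as an added example that is not from any poster in this thread: it checks the service, stops it, sets its startup type to Disabled, and verifies the result. It assumes the Windows service name is `Messenger` (the name used on NT/2000/XP), Windows PowerShell 3 or later, and an elevated prompt; on later Windows versions where the service no longer exists it reports that and exits.

```powershell
# Added example, not code from the thread. Assumes the service is named
# 'Messenger' and that this runs from an elevated Windows PowerShell session.
$serviceName = 'Messenger'

$svc = Get-Service -Name $serviceName -ErrorAction SilentlyContinue
if (-not $svc) {
    Write-Output "Service '$serviceName' is not installed on this host; nothing to do."
    return
}

# WMI exposes the startup type (Auto/Manual/Disabled) on every PowerShell version.
$beforeMode = (Get-CimInstance -ClassName Win32_Service -Filter "Name='$serviceName'").StartMode
Write-Output ("Before: status={0} startMode={1}" -f $svc.Status, $beforeMode)

# Stop it if it is running, then keep it from starting again at boot.
if ($svc.Status -eq 'Running') {
    Stop-Service -Name $serviceName -Force
}
Set-Service -Name $serviceName -StartupType Disabled

# Re-read the state and confirm both changes actually took effect.
$after     = Get-Service -Name $serviceName
$afterMode = (Get-CimInstance -ClassName Win32_Service -Filter "Name='$serviceName'").StartMode
Write-Output ("After:  status={0} startMode={1}" -f $after.Status, $afterMode)

if ($after.Status -ne 'Stopped' -or $afterMode -ne 'Disabled') {
    Write-Error "Messenger service is still enabled; re-run from an elevated prompt."
    exit 1
}
Write-Output "Messenger service stopped and disabled."
```

On the Windows 2000/XP-era hosts discussed in the thread, the equivalent from a cmd prompt is `sc stop Messenger` followed by `sc config Messenger start= disabled` (the space after `=` is required by sc.exe).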
 
Again, I would disagree. Months ago I argued that the Messenger
Service was a risk if you didn't need it to run. I suggested that at
any time a vulnerability could be discovered and exploited in it -
just like sendmail. I was ridiculed about that notion. Now why in
the world would we think that this would be the one and only
vulnerability in this service? Oh, I know, we'll use Internet
Explorer as an example. Only one vulnerability was ever found in it
and Microsoft fixed it immediately and there's never been a problem
with it since, right?

I'm not saying leaving Messenger enabled is always better. I'm just saying
that it's more of a matter of personal opinion where there is room for
arguing either side successfully. Personally it seems sensible to me to
disable the Messenger service in work environments [for better security] and
not bother telling home users here to disable it [for convenience]. You're
right that future Messenger vulnerabilities are possible or even likely, but
for most of the home users you meet here, you only get about 30 minutes of
their attention max before they get bored and wander off to do something
else. So, you tend to go for security instructions that get you the most
benefit with the least effort. For me, that means that *if* I decide to
mention disabling the Messenger service here, I usually state that doing so
is optional. Or, I might not mention it at all, for fear that they might
latch onto that and somehow end up skipping the step where they install a
firewall.
 
I'm not saying leaving Messenger enabled is always better. I'm just saying
that it's more of a matter of personal opinion where there is room for
arguing either side successfully. Personally it seems sensible to me to
disable the Messenger service in work environments [for better security] and
not bother telling home users here to disable it [for convenience]. You're
right that future Messenger vulnerabilities are possible or even likely, but
for most of the home users you meet here, you only get about 30 minutes of
their attention max before they get bored and wander off to do something
else. So, you tend to go for security instructions that get you the most
benefit with the least effort. For me, that means that *if* I decide to
mention disabling the Messenger service here, I usually state that doing so
is optional. Or, I might not mention it at all, for fear that they might
latch onto that and somehow end up skipping the step where they install a
firewall.

You seem to think I've stated that it's not optional. In fact the
opposite is true. And I will go further in stating that what you've
written above, I almost completely agree with (not sure that I would
agree with the 3rd sentence completely). My advice to turn off the
Messenger Service applies to only those who read it and can follow the
concept(s). Those who don't need not worry about it. Particularly
when Microsoft will do it for them in the next service pack. Assuming
they will apply it - but that's another issue.

The biggest issue I have is not with people who do not tell others to
turn off the Messenger Service, but with those who urge others to
leave it on so that it can be some sort of IDS for them and thus
providing some wonderful warning system. And almost invariably they
conveniently forget to warn of the known serious vulnerability and that,
if they leave it on, it absolutely needs to be patched.

And then there are those who subscribe to the idea that running a
software firewall on one's system imbues it with bulletproof
protection, but don't get me started...

IMO, these two approaches to computer security are very bad ones.
 