Interesting Network Traffic

I’ve been paying attention to firewall logs lately. Here’s something that caught my eye:

Windows Messenger: Now I’ve had this disabled (http://grc.com/stm/ShootTheMessenger.htm) since I installed WinXP (I pay attention to the security warnings, ya know). But that doesn’t stop 5 million idiots from broadcasting messages to everyone, including me. Thanks to Ethereal (http://www.ethereal.com), I now get to examine the contents of some of these messages without having to deal with their popped-up annoyance.

Today, some of the messages give the worthy advice of updating Windows for security reasons.

The problem is, the message doesn’t direct you to Microsoft’s update page (http://update.microsoft.com), but instead to a .info address registered to a Swede, who has apparently hijacked an IP address from a middle school in Korea. OK, I may be misinterpreting the domain and network WHOIS info (http://centralops.net/co/), but it’s a strange mix anyway. Note: While writing this article, I took the time to examine several more of the messenger packets. The advertised site varies, but they all seem to have Korean hosts as the common denominator. I assume everything about them is fake, so any info gleaned from the WHOIS database is most likely worthless.
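As an added example (not the post’s own code), here is a small Python triage script for the sniffed messages: it pulls the sender, recipient and text out of a Messenger-service mailslot datagram and flags any “Windows update” notice whose link is not under microsoft.com. It assumes the common mailslot layout (the name \MAILSLOT\MESSNGR followed by three NUL-terminated strings) and treats only microsoft.com hosts as legitimate; the datagram bytes below are constructed for the example, not captured from the author’s network.

```python
"""
Added example (not the post's own code): pull the text out of a captured
Messenger-service datagram and flag "Windows update" lures whose links do
not point at microsoft.com.

Assumptions, since the post shows no packet bytes:
  * the payload carries the SMB mailslot name "\MAILSLOT\MESSNGR" followed
    by three NUL-terminated strings: sender, recipient, message text;
  * only hosts under microsoft.com count as legitimate update locations.
The sample datagrams at the bottom are constructed for the example.
"""
import re
from typing import List, Optional
from urllib.parse import urlparse

MAILSLOT = b"\\MAILSLOT\\MESSNGR\x00"
URL_RE = re.compile(r"(?:https?://|www\.)[^\s\"'<>]+", re.IGNORECASE)
# "Windows ... patch/update/fix" in the same message is the lure pattern.
LURE_RE = re.compile(
    r"\b(windows|microsoft|security)\b.*?\b(update|patch|fix|vulnerab\w*)\b",
    re.IGNORECASE | re.DOTALL,
)


def parse_messenger_payload(payload: bytes) -> Optional[dict]:
    """Return {'from', 'to', 'message'} or None if this is not a Messenger datagram."""
    idx = payload.find(MAILSLOT)
    if idx < 0:
        return None
    parts = payload[idx + len(MAILSLOT):].split(b"\x00", 3)
    if len(parts) < 3:
        return None
    sender, recipient, message = (p.decode("ascii", "replace") for p in parts[:3])
    return {"from": sender, "to": recipient, "message": message}


def is_microsoft_host(url: str) -> bool:
    """True only for microsoft.com itself or a subdomain of it (assumption above)."""
    if "://" not in url:
        url = "http://" + url
    host = (urlparse(url).hostname or "").rstrip(".")
    return host == "microsoft.com" or host.endswith(".microsoft.com")


def extract_urls(message: str) -> List[str]:
    """Find URLs in the message text, dropping trailing sentence punctuation."""
    return [u.rstrip(".,;:)") for u in URL_RE.findall(message)]


def classify(message: str) -> str:
    """'fake-update-lure', 'url-spam', or 'no-url'."""
    urls = extract_urls(message)
    if not urls:
        return "no-url"
    if LURE_RE.search(message) and not all(is_microsoft_host(u) for u in urls):
        return "fake-update-lure"
    return "url-spam"


def triage(payloads: List[bytes]) -> List[dict]:
    """Parse each datagram and attach its URLs and verdict; skip non-Messenger data."""
    results = []
    for raw in payloads:
        parsed = parse_messenger_payload(raw)
        if parsed is None:
            continue
        parsed["urls"] = extract_urls(parsed["message"])
        parsed["verdict"] = classify(parsed["message"])
        results.append(parsed)
    return results


# Constructed samples: eight filler bytes stand in for the NetBIOS/SMB framing
# that precedes the mailslot name in a real capture.
SAMPLE_LURE = (
    b"\x00" * 8 + MAILSLOT
    + b"SYSTEM\x00ALERT\x00"
    + b"Windows has found critical system errors. Download the latest "
    b"security patch at http://update.example.net/ now.\x00"
)
SAMPLE_BENIGN = b"\x00" * 8 + MAILSLOT + b"ADMIN\x00*\x00Server reboot at 18:00.\x00"

if __name__ == "__main__":
    for r in triage([SAMPLE_LURE, SAMPLE_BENIGN, b"not a messenger datagram"]):
        print(f"{r['verdict']:16} from={r['from']!r} urls={r['urls']}")
```

Feed it the UDP payloads exported from a capture (for example, bytes of the packets Ethereal shows as mailslot writes to \MAILSLOT\MESSNGR) and anything that claims to be a Windows patch notice but links elsewhere comes out tagged fake-update-lure. Look-alike hosts such as update.microsoft.com.example.net are rejected because the check is on the registrable domain suffix, not on the string “microsoft” appearing anywhere in the URL.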

Being the curious sort, I visited the address in question (I’m also running some network sniffing toys, so inviting oddball network traffic would actually be a bonus at this point). The page is a very simple Microsoft-looking patch notice page, with links to updates. But! The updates aren’t from Microsoft… no, that would be too polite. The update links are to a site willing to SELL you the updates that uncle Bill is perfectly willing to give you for free (http://update.microsoft.com).

Bottom line: Disable the Windows Messenger service (http://grc.com/stm/ShootTheMessenger.htm). On a machine you can’t reconfigure, blocking inbound UDP ports 135, 137 and 138 at the firewall stops the messages just as well. What started as a tool for network admins and users to transmit vital data in a timely fashion to everyone on the network has become malware waiting to happen.

This is spam of the worst sort. The average user, having no idea where these messages come from, assumes they are legitimate Windows warnings, announcing legitimate Windows fixes, from legitimate Windows websites. None of this is true, of course, and no legitimate site/vendor would use this intrusive, sneaky method to get their information to you.