January 16th, 2004, 11:54 PM
NetGuarder Ad-Sender HELP ME!
Ok, if you haven't seen this thing already it's at www.netguarder.com . What it does is broadcast ads over an IP range using an unaddressed vulnerability in XP's Messenger feature. Firewalls can't stop it, and there's no on-machine program or registry to remove. Disabling XP's Messenger feature will stop it, but if you want the feature turned on, there appears to (as yet) be nothing you can do about it. As far as I've seen, the aboveground isn't even aware of this yet, and the underground seems to have limited its interest to cracking the shareware version.
So, does anyone have any more information? Fixes that leave Messenger intact would most desired, but beyond that, this thing fascinates me. It's really nefarious. I want to learn more about it: where it came from, whether anyone's noticed it, whether (as I suspect) the company that sells it is located in some obscure country more or less outside the law, etc, etc, etc. Thanks.
January 17th, 2004, 12:19 AM
Yes I think that the People's Democratic Republic of China might be an "obscure country" The company operates from a suburb of Bejing
whether (as I suspect) the company that sells it is located in some obscure country more or less outside the law
Have you considered ad-elimination and pop-up stopping software? or does it only work with P2P type connections? I have never seen or heard of it, but I do not use P2P
You might like to look at http://www.bitdefender.com/
They claim to provide protection for popular P2P type apps. I would still have expected a pop-up stopper to kill it?
Your firewall should also let you block the address blocks that they use?
EDIT: It uses pop-ups to get round the spam=e-mail fallacy.............looks pretty sleazy to me, but I was not going to wait 32 minutes to download it via my ADSL link!!!
January 17th, 2004, 12:42 AM
Well, so it's not an obscure country, it's just more or less outside the law...
Ad-elimination and popup-stopping software won't stop it, because it's not a pop-up. It uses Messenger itself to send the ads.
Bitdefender won't help because there's no code involved, the Ad-Sender is an exploit of a feature of XP.
Firewall's set up correctly, should already be blocking it (AFAIK, I have NO training or education with this stuff, my firm just has no IT department and it falls on me because "hey, you're good with computers - fix this"; so I know whatever I happen to have learned, and I know some people who are programmers and IT security, but that's it). Ad-Sender gets around the firewall somehow, don't know how.
Man, this thing is driving me crazy but on the other hand, I gotta admit it's pretty cool from a purely "that's neat, how did they do that?" perspective...
Thank goodness my firm listened to me when I insisted we not replace 98 machines with XP machines unless absolutely necessary...
There may be nothing I can do except either accept the ads as a fact of life or disable Messenger and wait for Microsoft to release a patch (not holding my breath on that).
January 17th, 2004, 12:45 AM
Popup killers won't block them because they are sending a datagram to a legit service on the machine...the Messenger service (not MSN Messenger, this is a totally un-related application).
If you use MSN Messenger and don't have a need to send administrative messages to computers on the LAN, disable the messenger service. If you want to use the messenger service on your LAN, just block TCP/UDP ports 131 and 139. (for security reasons, Ports 131, 135-139 and 445 should always be blocked on a Windows network)
Blocking 131 and 139 will effectively disable the popups from passing through the firewall, and still allow you to use the messenger service on the LAN.
EDIT: Win98 has a messenger service too. (Windows Messenger 1.0...Add-on from the Resource Kit). The Alerter Service performed a similar function on WinNT 3.51 and 4.0.
January 17th, 2004, 12:50 AM
Sorry mate, we crossed in the post
A lot of pop-up stoppers work on the browser not the OS? that could be the reason they don't work?
I will look into it further, but the download times are excessive right now.
EDIT: 576869746568617 are you sure about that..............I thought that they claimed it worked on 9x?
January 17th, 2004, 12:50 AM
Thanks for the firewall info, as I updated to my above post, I don't know much about firewalls, outside my area of experience. I'm going to try that and hopefully it will work. I bet it will; you definitely sound like you know what you're talking about.
January 17th, 2004, 12:55 AM
That's pretty much why the popup blockers don't block them...they are not designed to detect the type of IP packet that the Messenger Service uses. If your curious, there's alot of detailed info on the Messenger Svc on MS's TechNet Website.
January 17th, 2004, 01:18 AM
nihil - Nope, only XP, NT4 and 2000.
These guys look pretty shady. Pest Patrol - www.pestpatrol.com - has fixes for NetGuarder (category: Adware). And one of their selling points for Ad-Sender is that it spoofs the sender's IP so the message can't be traced back to its originator. Cute stuff. Watch out for back doors if you download these and play around with them. (Like I needed to tell you that; you both know way more about computers than I do...)
January 17th, 2004, 04:03 AM
you should go on www.microsoft.com or www.securityresponse.com to look up information about it....
January 17th, 2004, 06:11 AM
I have had a better chance to look at this. The general consensus is to "shoot the messenger", in fact if you go to http://www.grc.com you will find a tool that does it for you.
This article is also interesting as it points out that there are wider security issues:
I guess if I wanted instant messaging on my intranet I would get some other software to do it.
http://www.codehost.com/spat (one for the *nix types)
Microsoft are going to turn it off by default in XP SP2 I understand.