Windows Messenger Popup Spam on UDP Port 1026

SecureWorks has observed traffic to large blocks of IP addresses on UDP port 1026. This traffic started around June 18, 2003 and has been constant since that time. SecureWorks' analysts have determined that the source of the traffic is spammers who have discovered that the Windows Messenger service listens for connections on port 1026 as well as the more widely known port 135. Windows Messenger has been a target for spammers since late last year because it allows anonymous pop-up messages to be displayed on any Windows system running the Messenger service. Due to widespread abuse, many ISPs have moved to block inbound traffic on UDP port 135. It appears the spammers have adapted, so users should block UDP port 1026 inbound using a personal firewall. This updates an earlier recommendation to block port 1026 at the ISP level: ISPs are not likely to be able to track the state of such connections, so they would not know whether an inbound connection was a reply to an outbound packet or an inbound probe.

Note that recently spammers have begun to also send popup spam on UDP ports 1027 and even 1028, since the binding of the Messenger service exclusively to port 1026 is not guaranteed by the OS. If port 1026 is in use at the time the Messenger service is started, it will simply look for the next available UDP port.

Note also that because UDP is trivially spoofable, automated reporting of probes on these ports is prone to implicate innocent third parties rather than the spammer.
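The difference between a reply and a probe on these ports, which a host firewall can see and a stateless ISP filter cannot, is shown in the added example below (not part of the original advisory). The record layout, the 30-second state timeout and the sample traffic are assumptions constructed for illustration.

```python
from typing import NamedTuple

MESSENGER_PORTS = {135, 1026, 1027, 1028}  # UDP ports named in the advisory
STATE_TIMEOUT = 30.0  # seconds an outbound flow stays open (assumed value)

class Packet(NamedTuple):  # hypothetical record layout for a UDP log entry
    ts: float
    direction: str  # "out" or "in", relative to the protected host
    src: str
    sport: int
    dst: str
    dport: int

def classify(packets):
    """Label each inbound UDP packet to a Messenger port 'reply' or 'unsolicited'."""
    flows = {}  # (local ip, local port, remote ip, remote port) -> last outbound ts
    verdicts = []
    for p in sorted(packets, key=lambda pkt: pkt.ts):
        if p.direction == "out":
            flows[(p.src, p.sport, p.dst, p.dport)] = p.ts
            continue
        if p.dport not in MESSENGER_PORTS:
            continue
        last_out = flows.get((p.dst, p.dport, p.src, p.sport))
        is_reply = last_out is not None and p.ts - last_out <= STATE_TIMEOUT
        # For 'unsolicited', p.src may be spoofed: block locally, do not auto-report it.
        verdicts.append((p, "reply" if is_reply else "unsolicited"))
    return verdicts

# Constructed sample traffic (RFC 5737 documentation addresses).
HOST = "192.0.2.10"
SAMPLE = [
    Packet(0.0, "out", HOST, 1026, "198.51.100.53", 53),    # outbound DNS query
    Packet(0.1, "in", "198.51.100.53", 53, HOST, 1026),     # its answer
    Packet(5.0, "in", "203.0.113.7", 4000, HOST, 1026),     # no matching flow
    Packet(6.0, "in", "203.0.113.7", 4001, HOST, 1027),     # next port up
    Packet(90.0, "in", "198.51.100.53", 53, HOST, 1026),    # flow timed out
    Packet(91.0, "in", "203.0.113.7", 4002, HOST, 80),      # not a Messenger port
]

if __name__ == "__main__":
    for pkt, verdict in classify(SAMPLE):
        print(f"{pkt.ts:6.1f} {pkt.src}:{pkt.sport} -> :{pkt.dport} {verdict}")
```

Only the packet that answers a recent outbound query from the same local port is treated as a reply; everything else arriving on ports 135 and 1026 through 1028 is a candidate for a local drop rule.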

Below is a screenshot capture of Windows Messenger popup spam:

It is possible to disable the Messenger service on some platforms by following the instructions below. However, being able to receive these messages indicates that your computer is unsecured and vulnerable to other possible attacks in the future. Disabling the Messenger service will stop the pop-up spam, but will not protect you in any other way. Home users are encouraged to install personal firewall software to block unauthorized connections to their computers. Users are discouraged from purchasing specialized Windows Messenger popup-blocking software, as it is often sold by the same company that is sending the popups.

To disable the Messenger Service, follow the instructions for your Windows version:

Windows XP Home

  • Click Start, then click Control Panel.
  • Double-click Performance and Maintenance.
  • Double-click Administrative Tools.
  • Double-click Services.
  • Scroll down, highlight and right-click on Messenger and choose Properties.
  • In the "Startup type" list, choose Disabled.
  • Click Stop, and then click OK.

Windows XP Professional

  • Click Start, then click Control Panel.
  • Double-click Administrative Tools.
  • Double-click Services.
  • Scroll down, highlight and right-click on Messenger and choose Properties.
  • In the "Startup type" list, choose Disabled.
  • Click Stop, and then click OK.

Windows 2000/NT

  • Click Start, go to Settings, then click Control Panel.
  • Double-click Administrative Tools.
  • Double-click Services.
  • Double-click Messenger.
  • In the "Startup type" list, choose Disabled.
  • Click Stop, and then click OK.

Windows 98/ME

The Windows Messenger Service cannot be disabled.
