Government Takes A Pop At Some Pop-Ups

It's suing D Squared Solutions for selling software to block the same kinds of pop-up ads the company was sending, and it's urging users to turn off Windows Messenger Service.

InformationWeek Staff, Contributor

November 6, 2003


The Federal Trade Commission on Thursday took a first step in slamming a new kind of spam delivered through the back door of Windows Messenger Service, a technology built into Windows and used by some large companies--but totally wasted on consumers and small businesses.

The FTC said it has requested and received an injunction against D Squared Solutions, a company that markets software that stops text-based spam from using Windows Messenger Service to deliver pop-ups to Windows users' screens.

Windows Messenger Service, not to be confused with Windows Messenger, Microsoft's instant-messaging client, is a network service typically used to put up pop-ups on client systems' screens to alert users of such events as an impending network shutdown or the unavailability of a print or file server.

But some spammers, D Squared among them, have been using Windows Messenger Service to circumvent E-mail anti-spam defenses. Unlike browser-based pop-up advertisements, these messages can be splashed across users' screens even when a browser isn't active. All that's necessary is that the computer be connected to the Internet.

The FTC took action, said Howard Beales, the director of the commission's Bureau of Consumer Protection, because D Squared was essentially engaged in extortion. According to the injunction, D Squared was repeatedly sending messages to users via Windows Messenger Service--as often as every 10 minutes--trying to steer them to a Web site where they could purchase software to stop the barrage.

"This is nothing more than a high-tech version of a classic scam," said Beales. "The defendants created the problem, then tried to charge users for the solution. I call that extortion. It's just like 'if you pay me to stop beating you, I'll stop beating you.'"

Not only does this kind of spam waste computer users' time--clicking repeatedly on such messages as they continue to pop up--but in some cases, said Beales, the Windows Messenger Service-delivered junk causes computers to crash or freeze applications, resulting in lost work.

One of the consumers who filed a complaint with the FTC against D Squared bemoaned the new spam tactic. "Sending these messages is infringing on my rights to use my computer," said Karen McKechnie of Annandale, Va. "The only solution seemed to be to pay the $30 for the software that turns off their own messages."

The FTC is seeking unspecified damages against D Squared.

Beales urged most Windows users to turn off Windows Messenger Service, saying that the move would not only prevent such spam, but would also solve recently disclosed vulnerabilities in the service.

On Oct. 15, Microsoft released a "critical" patch for a vulnerability in Windows Messenger Service that attackers could use to cause a buffer overflow and crash machines. Some analysts who have been tracking exploits that target the vulnerability have said that the potential for damage and disruption could rival the Blaster worm if hackers put their minds to it.

Microsoft has already said it will disable the service by default in the next Windows XP Service Pack, which is scheduled for release in mid-2004. But a Microsoft spokesman declined to comment on any chance that Microsoft might push up the release of Service Pack 2 to accommodate users who want Windows Messenger Service disabled.

Part of the danger of Windows Messenger Service, said Ken Dunham, an analyst at iDefense, a security-intelligence firm, is that spammers and attackers are increasingly using the same vectors, often with hackers following the lead of spammers.

"In large corporate environments, the threat from Windows Messenger Service has gone up significantly, because of vulnerabilities from both spam and attackers," Dunham said. "Companies should be asking themselves, 'Do we really need Windows Messenger Service?'"

He recommended that businesses that don't rely on Windows Messenger Service get rid of the service altogether--the same advice that Beales of the FTC offered up to consumers.
