
Ethernet traffic shows zombienet activity



#1 wastoid


  • Members
  • 3 posts

Posted 25 December 2008 - 08:29 PM

Hey all, I'm not sure where to begin, but I'd like to apologize for my first post being a question and not a contribution. I'm hoping someone here can help!

I started noticing unusual spiky slowdowns in my connectivity, so I thought something might be wrong. I opened up Ethereal and noticed a whole lot of really strange traffic going to and from my machine, with patterns that seemed to suggest I was part of a zombie on a botnet. There was some TCP traffic with a particular host in Singapore along with lots of UDP traffic to seemingly random hosts in various parts of the world, though these all seemed like dialup addresses. The UDP traffic in particular has data segments, but the only readable strings in them are "find_node" and "target". I have the Ethereal log and can PM the URL for it if someone would like to look at it more closely.

So then I went on to try to find the cause. I downloaded and installed AVG, Malwarebytes' Anti-Malware and Spybot Search & Destroy. I found and fixed various things which I'll try to remember here:

- Something was weird with a DNS registry key, the implication being that there may have been some DNS trickery afoot.

- There was an artifact of a virus I had about a year ago, mslikurserv (sp), though I didn't have the .sys like the Google hits seem to suggest it would be, and the process wasn't running, but I thought I'd mention it anyway.

- One of my security policy registry keys changed from having the DLLs separated by commas to being separated by spaces. I don't know if this was just a minor thing or if it in fact cleverly caused that key to short-circuit in a way that skipped loading the other DLLs.

- Unrelated to the programs, I noticed a number of disturbing Windows services were running and stopped/disabled them, primarily the remote access-oriented ones: Remote Access, RPC local, Computer Browser, Remote Access Auto Connection Manager, etc.

So yeah, I've basically run all of this stuff, but the traffic still continues. I've preemptively run HijackThis, which will hopefully also assist in whatever help you can give. I only clicked "fix" for a couple of entries, one of which had to do with an assigned Proxy setting that I knew was unnecessary but potentially harmful, and some references to khalmnpr.exe which, while supposedly not harmful, aren't necessary for me anymore anyway since I'm not using Logitech.

Here's the log and thanks in advance for whatever help you can give!

==========================
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:25:25 PM, on 12/25/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Digidesign\Drivers\MMERefresh.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgam.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RunDLL32.exe
C:\Program Files\Razer\DeathAdder\razerhid.exe
C:\Program Files\Razer\Lycosa\razerhid.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Maxtor\MaxBlast\MaxBlastMonitor.exe
C:\Program Files\Maxtor\MaxBlast\TimounterMonitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\jerry\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Program Files\DAEMON Tools Lite\daemon.exe
C:\Program Files\DNA\btdna.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Razer\Lycosa\razertra.exe
C:\Program Files\Razer\DeathAdder\razertra.exe
C:\Program Files\Razer\DeathAdder\razerofa.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\jerry\Local Settings\Application Data\Google\Google Talk Plugin\googletalkplugin.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\NOTEPAD.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [DeathAdder] C:\Program Files\Razer\DeathAdder\razerhid.exe
O4 - HKLM\..\Run: [Lycosa] "C:\Program Files\Razer\Lycosa\razerhid.exe"
O4 - HKLM\..\Run: [DigidesignMMERefresh] C:\Program Files\Digidesign\Drivers\MMERefresh.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [MaxBlastMonitor.exe] C:\Program Files\Maxtor\MaxBlast\MaxBlastMonitor.exe
O4 - HKLM\..\Run: [M-Audio Taskbar Icon] C:\WINDOWS\System32\DeltaIITray.exe
O4 - HKLM\..\Run: [IAAnotif] "C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe"
O4 - HKLM\..\Run: [AcronisTimounterMonitor] C:\Program Files\Maxtor\MaxBlast\TimounterMonitor.exe
O4 - HKLM\..\Run: [Launch LCDMon] "C:\Program Files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe"
O4 - HKLM\..\Run: [Launch LGDCore] "C:\Program Files\Logitech\GamePanel Software\G-series Software\LGDCore.exe" /SHOWHIDE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\jerry\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe"
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Startup: hamachi.lnk = C:\Program Files\Hamachi\hamachi.exe
O4 - Global Startup: VPN Client.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1199786214116
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Digidesign MME Refresh Service (DigiRefresh) - Digidesign, A Division of Avid Technology, Inc. - C:\Program Files\Digidesign\Drivers\MMERefresh.exe
O23 - Service: digiSPTIService - Digidesign, A Division of Avid Technology, Inc. - C:\Program Files\Digidesign\Pro Tools\digiSPTIService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 6730 bytes


#2 wastoid

  • Topic Starter

  • Members
  • 3 posts

Posted 25 December 2008 - 08:34 PM

Oh, I just noticed I have the security provider key change that I mentioned in my MBAM log:
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SecurityProviders (Broken.SecurityProviders) -> Bad: (msapsspc.dll schannel.dll digest.dll msnsspc.dll) Good: (msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll) -> Quarantined and deleted successfully.

This was the only issue it detected.

#3 rangecoach


  • Members
  • 92 posts
  • Gender:Male
  • Location:TX, by way of IL, CA, NC, NJ and PA

Posted 25 December 2008 - 10:22 PM

Did you inadvertently post a HJT log instead of MBAM?

Edited by rangecoach, 25 December 2008 - 10:26 PM.

The early bird may get the worm but the second mouse gets the cheese.

You are never defeated until you admit it. Gen. Patton

#4 wastoid

  • Topic Starter

  • Members
  • 3 posts

Posted 25 December 2008 - 11:55 PM

No, I meant to post HJT, but I posted that MBAM snippet also. :thumbsup: That said, it was the only out-of-the-ordinary thing that MBAM mentioned.

It turns out a lot of the traffic I was seeing is likely related to BitTorrent, even though it had been closed for a while (I didn't realize that peers would continue to pester your machine when it was off). The data segments had a bunch of keywords that BitTorrent uses in its protocol, but I'm still slightly concerned that my box is initiating communications with remote hosts when BitTorrent isn't even running (though this isn't really true, since btdna.exe is running).

Here's the data segment from one of the packets that seems a bit odd to me. This is my computer sending to some host via UDP without that host contacting me first, and even though the keywords in there seem BitTorrent-related, I'm confused as to why I would see something like this unless btdna.exe is really doing all of that.

0000 00 1b 2f 4d 19 10 00 1b fc 8f c7 39 08 00 45 00 ../M.... ...9..E.
0010 00 83 2e 8b 00 00 80 11 42 15 0a 00 00 03 58 1c ........ B.....X.
0020 67 ab 9c 16 43 47 00 6f 76 60 64 31 3a 61 64 32 g...CG.o v`d1:ad2
0030 3a 69 64 32 30 3a 66 f7 43 4e 8d a0 af d5 f9 d8 :id20:f. CN......
0040 bb 8a 6e 51 f4 19 db 04 c0 13 36 3a 74 61 72 67 ..nQ.... ..6:targ
0050 65 74 32 30 3a 10 5e 7d ea a1 9e 8d 28 28 14 4e et20:.^} ....((.N
0060 1d 9b a8 4b d9 53 f7 49 d5 65 31 3a 71 39 3a 66 ...K.S.I .e1:q9:f
0070 69 6e 64 5f 6e 6f 64 65 31 3a 74 34 3a 23 54 00 ind_node 1:t4:#T.
0080 00 31 3a 76 34 3a 55 54 35 62 31 3a 79 31 3a 71 .1:v4:UT 5b1:y1:q
0090 65 e

Here's the sample packet from the BT website to illustrate how similar they are:

find_node Query = {"t":"aa", "y":"q", "q":"find_node", "a": {"id":"abcdefghij0123456789", "target":"mnopqrstuvwxyz123456"}}
bencoded = d1:ad2:id20:abcdefghij01234567896:target20:mnopqrstuvwxyz123456e1:q9:find_node1:t2:aa1:y1:qe

So I'm going to try closing btdna.exe since, now that I'm reading about it, it can be risky to run it anyway. If that's the problem, then I'll feel like an idiot but at least I won't be wasting any more of your time :flowers:
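The bencoded payload can be checked mechanically instead of by eye. The Python below is an added example, not something from this thread or from the BitTorrent project: it transcribes the frame from the hex dump above (assuming the transcription is exact), strips the Ethernet, IPv4 and UDP headers, and decodes what is left as a KRPC (BEP 5 DHT) message, so the same decoder also handles the reference query quoted from the BitTorrent site.

```python
# Added example (not from the thread): parse the frame from the dump above as a KRPC message.
import struct

# Constructed by transcribing the posted Ethereal dump (offsets 0x0000-0x0090).
FRAME = bytes.fromhex(
    "001b2f4d1910001bfc8fc73908004500" "00832e8b0000801142150a000003581c"
    "67ab9c164347006f766064313a616432" "3a696432303a66f7434e8da0afd5f9d8"
    "bb8a6e51f419db04c013363a74617267" "657432303a105e7deaa19e8d2828144e"
    "1d9ba84bd953f749d565313a71393a66" "696e645f6e6f6465313a74343a235400"
    "00313a76343a55543562313a79313a71" "65")

def bdecode(data, pos=0):
    """Decode one bencoded value at pos; return (value, position after it)."""
    c = data[pos:pos + 1]
    if c == b"i":                                   # integer  i<digits>e
        end = data.index(b"e", pos)
        return int(data[pos + 1:end]), end + 1
    if c in (b"l", b"d"):                           # list l...e / dict d...e
        items, pos = [], pos + 1
        while data[pos:pos + 1] != b"e":
            item, pos = bdecode(data, pos)
            items.append(item)
        return (items if c == b"l" else dict(zip(items[::2], items[1::2]))), pos + 1
    if c.isdigit():                                 # byte string  <len>:<bytes>
        colon = data.index(b":", pos)
        start, n = colon + 1, int(data[pos:colon])
        return data[start:start + n], start + n
    raise ValueError(f"bad bencode at offset {pos}")

def udp_payload(frame):
    """Strip Ethernet/IPv4/UDP headers; return (src, dst, sport, dport, payload)."""
    if frame[12:14] != b"\x08\x00" or frame[23] != 17:     # EtherType IPv4, protocol UDP
        raise ValueError("not IPv4/UDP")
    ihl, total = (frame[14] & 0x0F) * 4, struct.unpack("!H", frame[16:18])[0]
    src, dst = (".".join(map(str, frame[i:i + 4])) for i in (26, 30))
    udp = frame[14 + ihl:14 + total]
    sport, dport, ulen = struct.unpack("!HHH", udp[:6])
    return src, dst, sport, dport, udp[8:ulen]

def classify_krpc(payload):
    """Summarise a KRPC message; raise if the payload is not one."""
    msg, end = bdecode(payload)
    if end != len(payload) or not isinstance(msg, dict) or b"y" not in msg:
        raise ValueError("not a KRPC message")
    kind = {b"q": "query", b"r": "response", b"e": "error"}[msg[b"y"]]
    info = {"type": kind, "tid": msg[b"t"].hex(), "client": msg.get(b"v", b"").decode("latin-1")}
    if kind == "query":                             # method name plus hex-encoded arguments
        info["method"] = msg[b"q"].decode()
        info["args"] = {k.decode(): v.hex() for k, v in msg[b"a"].items()}
    return info
```

Run `classify_krpc(udp_payload(FRAME)[4])` to get the query type, transaction id, the "UT5b" client version string and the 20-byte node id and target; a payload that is not bencoded, or that lacks the "y" key, is rejected rather than misreported as DHT traffic.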



