Unknown UDP Traffic going Overseas from svchost.exe process


19 replies to this topic

#1 mc137


Posted 24 February 2015 - 10:15 AM

Hello.  Many computers on my network are sending out lots of very strange UDP traffic on high-number ports to US and foreign IP addresses (including China and Russia, which has me concerned), as identified by looking at outbound traffic on our router. (screenshots below)

 

My first thought was Bittorrent traffic, but I have gone to the computers to rule that out (including an unmanned Win7 file/print server with no extra software on it) and I can't find what's causing it.

 

I have narrowed down the broadcasting process ID on a machine, which is coming from an instance of svchost.exe, but short of force-quitting the process, I can't find out what is causing this.

 

Windows 7 Pro SP1 x64.  Vipre AV (clean scans, never infected).  

MBAM scans: clean.  TDSS Killer: clean.  Poweliks: clean.

 

 

Router outbound traffic from machine: [screenshot: RouterUPD64240-2_zpsc5776468.png]

svchost.exe traffic from offending PID: [screenshot: Win7UPDPID920-2_zpscb4869e2.png]

Services registered to this PID: [screenshot: servicesinprocess-2_zps721f2190.png]

 

 

 

Any suggestions, ideas or help?  I'm stumped.
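The PID-to-service mapping described in this post, done from the command line instead of screenshots, as an added example that is not part of the original post. It is PowerShell that runs on a stock Windows 7 machine (PowerShell 2.0, no extra tools): it parses netstat for the UDP socket, then asks WMI which process and which services live behind that PID, which is what the "services registered to this PID" screenshot shows. The port 64240 is taken from the screenshot filename above and is otherwise an assumption, as is the script name.

```powershell
# Find-UdpOwner.ps1 (added example, not from the thread).  Run from an elevated
# prompt so netstat -o can attribute sockets of every process, including
# SYSTEM-owned svchost.exe instances.
param(
    [int]$Port = 64240   # UDP port seen on the router; assumption taken from the screenshot name
)

# netstat -ano -p UDP prints lines like:
#   UDP    0.0.0.0:64240          *:*                                    920
# Header lines do not match the pattern and fall out.
$endpoints = netstat -ano -p UDP | ForEach-Object {
    if ($_ -match '^\s*UDP\s+(\S+):(\d+)\s+\S+\s+(\d+)\s*$') {
        New-Object PSObject -Property @{
            LocalAddress = $matches[1]
            LocalPort    = [int]$matches[2]
            ProcessId    = [int]$matches[3]
        }
    }
}

$hits = $endpoints | Where-Object { $_.LocalPort -eq $Port }
if (-not $hits) {
    # The port is ephemeral and moves across days/reboots (see later posts), so
    # re-run netstat and pass the port that is bound *now*.
    Write-Warning "No UDP socket is bound to port $Port at the moment."
    return
}

foreach ($ep in $hits) {
    $proc = Get-WmiObject Win32_Process -Filter "ProcessId = $($ep.ProcessId)"
    ""
    "UDP $($ep.LocalAddress):$($ep.LocalPort) belongs to PID $($ep.ProcessId) ($($proc.Name))"
    "Command line: $($proc.CommandLine)"      # e.g. svchost.exe -k NetSvcs: the -k group tells you which services can share it

    # Same information as: tasklist /svc /fi "PID eq 920", but with start mode and binary path.
    Get-WmiObject Win32_Service -Filter "ProcessId = $($ep.ProcessId)" |
        Select-Object Name, DisplayName, State, StartMode, PathName |
        Format-Table -AutoSize
}
```

Run it as `.\Find-UdpOwner.ps1 -Port 64240`. A socket that sits inside a shared svchost.exe cannot be attributed to one service by netstat alone; the service list is the candidate set, and the next step is to stop candidates one at a time (net stop <name>) and watch whether the socket disappears, rather than killing the whole svchost.exe.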




#2 dev00790


Posted 27 February 2015 - 10:54 AM

Firstly I would go through each IP address in the "outbound" traffic, look them up on who.is and note them.

Next find out, via e.g. Google, which services typically use UDP port 64240.

 

Supply us with the information with what you find.


I've edited my previous post.


Edited by dev00790, 27 February 2015 - 10:54 AM.

Regards, dev00790

---------------------------------------

Marge: "Homer, the plant called. They said if you don't show up tomorrow don't bother showing up on Monday." Homer: "Woo-hoo! Four-day weekend!"I do not reply to Private Messages (PMs) asking for assistance - please use the forums instead. If I have been helping you, and I have not replied to your latest post in 48 hours please send me a PM. My Blog


#3 mc137


Posted 27 February 2015 - 11:23 AM

Thanks for the reply.  I've previously done as you suggested, which was not fruitful:

 

- The IP addresses seem to be completely random, and change constantly.  Most of them appear to be residential dynamic addresses (i.e. Comcast, TimeWarner, or other overseas residential providers), and not actual web services.  This makes me think it's more worm-like / botnet activity.

 

- UDP Port 64240 is in the private range, and not associated with anything in particular.  I believe it is a randomly picked port, as it will randomly change to other high-number private UDP ports on different days.  

 

Teredo IPv6 tunneling is the only semi-possibility I could find, but IPv6 is disabled on the router, and also disabled in the local network adapter, and should not be used on the network.



#4 dev00790


Posted 27 February 2015 - 12:21 PM

Ok does the unknown traffic come from all computers or only some of them?

And when was the UDP traffic first spotted?


Edited by dev00790, 27 February 2015 - 12:22 PM.



#5 mc137


Posted 27 February 2015 - 02:48 PM

Unknown traffic will come from several different computers on the network, on varying ports.

This has been going on for several weeks.



#6 dev00790


Posted 28 February 2015 - 04:27 PM

Hi, ok.

 

Step 1:

Do any of the computers not have the issue? If there are none let us know and skip step 2 below.

Step 2:

- If there is one without the issue, I'd suggest running Process Monitor (downloadable from MS SysInternals):

 

1) On 1 computer with the issue, start a capture for 1 hour (when issue normally occurs).

After the 1 hour, stop the capture, save as .pml file to your desktop.

 

2) On 1 computer without the issue, start a capture for 1 hour (around same time when issue normally occurs).

After the 1 hour, stop the capture, save as .pml file to your desktop.

 

3) Attach the 2 files in your next reply.


Edited by dev00790, 28 February 2015 - 04:32 PM.



#7 dev00790


Posted 28 February 2015 - 04:29 PM

I have edited my previous post.




#8 mc137


Posted 28 February 2015 - 05:36 PM

Thank you for the reply.

 

Yes, this is happening on all machines, with a different port number for each machine.

For example: Ports: 53156, 49337, 55245, 55155

 

For the original computer with screenshots posted on 2/24, the Port and PID has changed, as it often does.

Current port: 56278.  

Current PID: 952

 

Log File for PID 952:

https://drive.google.com/file/d/0BwyV_P9Z0d2KcUZId1BSMEw5Qkk/view?usp=sharing

 

Thanks.



#9 dev00790


Posted 01 March 2015 - 09:57 PM

Hi I'll ask one of the moderators to assign someone with expertise re this. Someone should be with you soon.




#10 Didier Stevens


Posted 05 March 2015 - 02:33 AM

I took a look at your log and saw several packets for the Teredo port.

 

Further, one of the services in process with PID 952 is iphlpsvc, the IP Helper Service, which implements Teredo.

 

So first I want to check if you have Teredo enabled. I would like to see your network interfaces.

 

Can you execute command "ipconfig /all | clip" and post the content of the clipboard here?


Didier Stevens
http://blog.DidierStevens.com
http://DidierStevensLabs.com

SANS ISC Handler
Microsoft MVP 2011-2016 Consumer Security, Windows Insider MVP 2016-2018

 

If you send me messages, per Bleeping Computer's Forum policy, I will not engage in a conversation, but try to answer your question in the relevant forum post. If you don't want this, don't send me messages.

 

Stevens' law: "As an online security discussion grows longer, the probability of a reference to BadUSB approaches 1.0"


#11 CyberProtectionGroup


Posted 05 March 2015 - 08:48 AM

I might suggest installing Wireshark and trying to do a traffic capture.  You will be able to look at the raw packets with it.  Have you used that before?



#12 Didier Stevens


Posted 05 March 2015 - 08:55 AM

I suggest waiting on the Wireshark install. On a Windows 7 box, you can do a packet capture with netsh trace. No need to install software.

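The built-in capture suggested above, written out as an added example that is not part of the original post. It is PowerShell for an elevated prompt on Windows 7; it first records what the Teredo client itself reports (netsh interface teredo show state prints the server name, the client port and the external NAT mapping, which is what to compare against the router log), then captures UDP with netsh trace. The capture filter keyword is the one listed by `netsh trace show CaptureFilterHelp`; the file path and the ten-minute capture window are assumptions.

```powershell
# Added example (not from the thread): packet capture with the tracing built
# into Windows 7, plus the Teredo status to correlate against.  Run elevated.
$etl = 'C:\Temp\udp-capture.etl'          # assumption: any local path works
New-Item -ItemType Directory -Path (Split-Path $etl) -Force | Out-Null

# What the Teredo client believes about itself: server, client port, NAT type
# and external mapping.  Keep a copy next to the capture for comparison.
netsh interface teredo show state | Tee-Object -FilePath (Join-Path (Split-Path $etl) 'teredo-state.txt')

# capture=yes records packets (not just ETW events); Protocol=UDP keeps only
# UDP so the file stays small; maxsize is in MB; report=no skips the cab
# bundle of diagnostics that netsh trace otherwise builds on stop.
netsh trace start capture=yes Protocol=UDP tracefile="$etl" maxsize=200 overwrite=yes report=no
Start-Sleep -Seconds 600                  # assumption: long enough to catch the bursts seen on the router
netsh trace stop

"Capture written to $etl"
```

The .etl is not a pcap: open it in Microsoft Message Analyzer (free from Microsoft at the time of this thread), which decodes Teredo, or save it from there as .cap for Wireshark. Two things settle the Teredo question in the capture: UDP to port 3544 at the server address reported by show state, and UDP leaving the high port that netstat attributed to svchost.exe, which the decoder will show as Teredo-encapsulated IPv6 (bubbles and tunnelled packets) if that is what it is.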


#13 CyberProtectionGroup


Posted 05 March 2015 - 09:08 AM

Didier, nice.  I haven't actually used that before.  I'm an old Wiresharker :)  Can you capture normal PCAPS with it?  I'll have to try it.



#14 mc137


Posted 05 March 2015 - 10:57 AM

 
Windows IP Configuration
 
   Host Name . . . . . . . . . . . . : [removed]
   Primary Dns Suffix  . . . . . . . : 
   Node Type . . . . . . . . . . . . : Broadcast
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
 
Ethernet adapter Local Area Connection 2:
 
   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : 
   Description . . . . . . . . . . . : Broadcom BCM5716C NetXtreme II GigE (NDIS VBD Client) #40
   Physical Address. . . . . . . . . : D4-AE-52-71-66-11
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
 
Ethernet adapter Local Area Connection:
 
   Connection-specific DNS Suffix  . : 
   Description . . . . . . . . . . . : Broadcom BCM5716C NetXtreme II GigE (NDIS VBD Client) #36
   Physical Address. . . . . . . . . : D4-AE-52-71-66-10
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 10.0.0.10(Preferred) 
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 10.0.0.2
   DNS Servers . . . . . . . . . . . : 10.0.0.2
                                       208.67.222.222
   NetBIOS over Tcpip. . . . . . . . : Enabled
 
Tunnel adapter isatap.{458836EA-678C-408F-BB2B-95BA39204B2E}:
 
   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : 
   Description . . . . . . . . . . . : Microsoft ISATAP Adapter
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
 
Tunnel adapter Teredo Tunneling Pseudo-Interface:
 
   Connection-specific DNS Suffix  . : 
   Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   IPv6 Address. . . . . . . . . . . : 2001:0:9d38:6ab8:38b5:2429:97c5:f2b8(Preferred) 
   Link-local IPv6 Address . . . . . : fe80::38b5:2429:97c5:f2b8%14(Preferred) 
   Default Gateway . . . . . . . . . : ::
   NetBIOS over Tcpip. . . . . . . . : Disabled
 
Tunnel adapter isatap.{E3667003-5FF1-42B1-874A-DB369988591D}:
 
   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : 
   Description . . . . . . . . . . . : Microsoft ISATAP Adapter #3
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
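The Teredo address in the output above can be decoded, and doing so ties this post to the port numbers reported earlier. This is an added example, not part of the original post: a PowerShell function (Windows 7 / PowerShell 2.0 compatible, .NET IPAddress only) that unpacks the RFC 4380 layout of a Teredo address. The only input is the address of the Teredo Tunneling Pseudo-Interface shown above; the function name is an assumption.

```powershell
# Added example (not from the thread): decode a Teredo address.
# RFC 4380 layout of the 128 bits:
#   bits   0- 31  prefix 2001:0000
#   bits  32- 63  IPv4 address of the Teredo server the client qualified with
#   bits  64- 79  flags (0x8000 = client behind a cone NAT; other bits random on Windows)
#   bits  80- 95  UDP port of the client's NAT mapping, XOR 0xFFFF
#   bits  96-127  public IPv4 address of the client's NAT mapping, XOR 0xFFFFFFFF
function ConvertFrom-TeredoAddress {
    param([Parameter(Mandatory = $true)][string]$Address)

    $ip = [System.Net.IPAddress]::Parse($Address)
    if ($ip.AddressFamily -ne [System.Net.Sockets.AddressFamily]::InterNetworkV6) {
        throw "$Address is not an IPv6 address"
    }
    $b = $ip.GetAddressBytes()           # 16 bytes, network byte order
    if ($b[0] -ne 0x20 -or $b[1] -ne 0x01 -or $b[2] -ne 0 -or $b[3] -ne 0) {
        throw "$Address is not inside the Teredo prefix 2001:0::/32"
    }

    $flags = [int]$b[8] * 256 + $b[9]
    $port  = ([int]$b[10] * 256 + $b[11]) -bxor 0xFFFF      # undo the port obfuscation
    $pub   = 12..15 | ForEach-Object { $b[$_] -bxor 0xFF }  # undo the address obfuscation

    New-Object PSObject -Property @{
        Address       = $Address
        Server        = '{0}.{1}.{2}.{3}' -f $b[4], $b[5], $b[6], $b[7]
        Flags         = '0x{0:X4}' -f $flags
        ConeNat       = (($flags -band 0x8000) -ne 0)
        MappedUdpPort = $port
        PublicIPv4    = '{0}.{1}.{2}.{3}' -f $pub[0], $pub[1], $pub[2], $pub[3]
    } | Select-Object Address, Server, Flags, ConeNat, MappedUdpPort, PublicIPv4
}

# The address of the Teredo Tunneling Pseudo-Interface from the ipconfig output above.
ConvertFrom-TeredoAddress '2001:0:9d38:6ab8:38b5:2429:97c5:f2b8' | Format-List
```

For the address above this gives Server 157.56.106.184 (a Microsoft address range, consistent with the default Windows Teredo server), Flags 0x38B5 (cone bit clear), MappedUdpPort 56278, and the public IPv4 of the site's NAT in the last field. 56278 is exactly the "current port" reported in post #8 for this same machine, so the socket that the router log attributes to svchost.exe is the Teredo client socket that the IP Helper service keeps open; the port looks random because the Teredo client binds an ephemeral UDP port and the address records whatever the NAT mapped it to. Per RFC 4380 that one socket talks to the server on UDP 3544 and directly to the IPv4 addresses of any Teredo peer or relay, so a spread of arbitrary foreign destinations on a single high UDP port is what Teredo looks like from a router. What, if anything, was actually using IPv6 over the tunnel is not established in this thread; that is what the packet capture is for.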


#15 mc137


Posted 05 March 2015 - 12:13 PM

Thank you for the reply.  

I understand I can disable teredo through CMD:

netsh interface teredo set state disabled

The deeper question I am trying to resolve is: what would be sending packets to foreign IPs and why?

From all standard tests, these machines are clean of malware, P2P traffic, etc.

 

Thank you!
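The disable command from this post, with a before/after check, as an added example that is not part of the original post. One point worth making explicit for anyone in the same position: switching IPv6 off on the router and unticking it on the adapter does not stop Teredo, because Teredo is an IPv6-over-UDP/IPv4 tunnel built precisely to cross networks that do not carry IPv6, and the adapter checkbox only unbinds IPv6 from that physical NIC, not from the tunnel pseudo-interface. The script is PowerShell for an elevated prompt on Windows 7; the function name is an assumption.

```powershell
# Added example (not from the thread): turn Teredo off, prove the tunnel no
# longer holds an address, and keep the way back.  Run elevated on each machine.
function Test-TeredoAddress {
    # True while any adapter reports an address inside the Teredo prefix
    # 2001:0::/32, i.e. the Teredo Tunneling Pseudo-Interface is still qualified.
    $out = ipconfig /all
    [bool]($out | Where-Object { $_ -match 'IPv6 Address.*:\s*2001:0:' })
}

"Teredo address present before: $(Test-TeredoAddress)"

# The command from the post.  The setting persists across reboots.
netsh interface teredo set state disabled

# Confirm: the Type line should now read "disabled".
netsh interface teredo show state

# The IP Helper service (iphlpsvc) stays running: besides Teredo it provides
# ISATAP, 6to4 and IP-HTTPS, so do not disable the service on the strength of
# Teredo alone.  Win32_Service is used because Get-Service on PowerShell 2.0
# does not expose the start mode.
Get-WmiObject Win32_Service -Filter "Name = 'iphlpsvc'" | Select-Object Name, State, StartMode

"Teredo address present after: $(Test-TeredoAddress)"

# To restore the Windows default later:
#   netsh interface teredo set state type=default
```

After the change, re-check the router log for the machine: if the high-port UDP stream stops once the Teredo address is gone, the socket was Teredo's; if it continues, something else owns it and the netstat/WMI attribution from earlier in the thread needs to be repeated against the new port.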





