I don't know if this is the appropriate forum but I wondered if anyone had seen anything like this before. I ran wireshark wide open during on the night of Feb 25/26 and saw this:

My PC initiates communication with an IP in CO (128.241.20.244) src ports vary, from 2743 up to 2844; dest port is 443. Each "burst" is around 12 to 16 (e.g., packets A -> B = 7, packets B -> A = 7) total packets. The connections are brief.

I did the capture because I started getting bounced emails, returned "for abuse", from all of my email addresses. I then realized my IP was on 21 blacklists. I also noticed returned emails I know I never sent that were "Canadian Pharmacy" stuff. I suspected peacomm or a variant and proceeded to run every possible tool, rootkit detection tool you can imagine. I am a network engineer, my spouse is a CISSP anti-virus security professional so we know a thing or two about this, but cannot find definitive evidence of an exploit, rootkit or malware infection. I never open spam, but I did have an old version of java (ironically, for a work app) that could have been compromised.

Are we chasing our tails here? We didn't see anything in "hijack this" logs worth noting. We have run the following:

Housecall.trendmicro
symantec sav11
trojan hunter
f-secure blacklight
windows malicious softare removal tool
rootkit revealer
sypbot s&d
gmer
icesword
hook analyser 3.02
panda anti-rookkit
adaware 2007

We ran many of these in safe mode. I am going to run from xp cd recovery console tonight. I would just blow it away but am curious, and also embarrassed, that with our combined skill sets we cannot nail this down. Any feedback would sure be appreciated.

Running different utils in the hope of catching an infection is not really enough these days. One needs an experienced malware fighter that can make sense of the logs and pick up on any suspicious values. For example, I recently discovered a malware sample that was not being detected by any of the major scanners, and I only found it after sifting through a couple of pages of different logs (combofix, sdfix, hijackthis etc)

I am sure that the folks over at the HiJackThis section will be glad to help and analyse some of the extended logs for suspicious files.

If you want to try going down that route before nuking the drive I suggest you read this:

/t102301-Hijackthis_Guidelines_Read_Before_Posting.html

zoney,

What software and OS are you currently running?

If you are getting these emails, there may be a 'door' open somewhere....someone's getting in and out randomly.

I learned that malicious hackers are very smart....teamwork is the key to nailing these dudes..

It's xp sp2, totally patched. I've also used a lot of sysinternals tools, wolfe, done netstat in verbose mode and so forth. I've got two hijack logs, one of which is "clean" (followed the instructions on castlecop to turn off some realtime stuff like teatimer and sav liveupdate etc) which I can post but nothing really stood out and caught our eye.

One thing I forgot to mention-- I could not get windows defender to install, and my better half just informed me that we couldn't get rootrevealer or iscesword to run right. Tonight we'll try from booting the CD and doing more diags but maybe I will post my hijack log... I know, doctors are the worst patients right?

Appreciate the help guys...

hmm..what name does that IP resolve to...

A suggesstion would be to place the resolved name in your hosts file and see what happens since it's outbound traffic...you cut off the inbound traffic and whatever is communicating has nowhere to go.

127.0.0.1 (Resolved name)

..most apps use that file for communication..or check your hosts file altogether to see if there are any malicious IP's and sites there.

Yeah, the only stuff in the host file was what spybot puts in there, all the loopback address entries it adds.

Here's the ARIN on that IP...

OrgName: NTT America, Inc.
OrgID: NTTAM-1
Address: 8005 South Chester Street
Address: Suite 200
City: Centennial
StateProv: CO
PostalCode: 80112
Country: US

CIDR: 128.241.0.0/16
NetName: NTTA-128-241
NetHandle: NET-128-241-0-0-1
Parent: NET-128-0-0-0-0
NetType: Direct Allocation
NameServer: AUTH21.NS.GIN.NTT.NET
NameServer: AUTH22.NS.GIN.NTT.NET
NameServer: AUTH23.NS.GIN.NTT.NET
NameServer: AUTH24.NS.GIN.NTT.NET
NameServer: AUTH25.NS.GIN.NTT.NET


Guess it was rude to post the IP, I should have only posted the CIDR, it could be another victim/peer bot, but then it could be a mothership. I was able to tracert to it at the time, but haven't tried recently. The other odd thing in those packets, following the TCP stream (what ascii I was able to make out anyway), was that there were things in it like:

".....0..1.0...U....--1.0...U....SomeState1.0...U....SomeCity1.0...U.
..SomeOrganization1.0...U....SomeOrganizationalUnit1.0...U....localhost.localdomain1)0'..*.H..
.....root@localhost.localdomain0..
070913150135Z.
080912150135Z0..1.0...U....--1.0...U....SomeState1.0...U....SomeCity1.0...U.
..SomeOrganization1.0...U....SomeOrganizationalUnit1.0...U....localhost.localdomain1)0'..*.H..
.....root@localhost.localdomain0..0"

Most legit stuff has identifying info in it, like live update, windows update traffic etc. Of course it was mostly encrypted so who knows what the deal is?

The next night I ran wireshark offline and noticed my PC sending out ICMP packets, but maybe that is normal. Just don't want to be used as a reverse proxy or spam bot or anything.

Wireshark captured this activity tonight, the computer was idle. I thought I'd run it before reposting a clean hijack post.

This looks like fast flux to me, anyone else concur? Could it be evidence of a peacomm variant?

========
GET /tools/swg2/update?auv=1&r=2&up=30&p=w&ma=5&mi=1&b=2600&sp=ServicePack2&as=swg&pv=1.2.1128.5462&hl=en&os=win&ds=1&dsc1=0 HTTP/1.1Accept: text/*, application/octet-stream
User-Agent: Mozilla/4.0 (compatible; Win32)Host:www.google.com
Cache-Control: no-cacheCookie: PREF=ID=3a1ec7a21eed1bd6:TB=2:TM=1096741693:LM=1191029313:C2COFF=1:S=RZ1mm-3ZpamL4jzq; testcookie=HTTP/1.1 200 OK
Content-Type: text/plainTransfer-Encoding: chunkedExpires: Sat, 08 Mar 2008 00:29:20 GMT
Cache-Control: private, max-age=0
Date: Sat, 08 Mar 2008 00:29:20 GMTServer: GFE/1.3a0version: 0.0.0.0
url: http://dl.google.com/swg/0.0.0.0/wontdownload
launch-action: execute
launch-target: nofile.exe
signature: 4444
rlz: 1R1_____enUS2650

GET /tools/swg2/update?auv=1&r=2&up=30&p=w&ma=5&mi=1&b=2600&sp=ServicePack2&as=swg&pv=1.2.1128.5462&hl=en&os=win&ds=1&dsc1=0 HTTP/1.1Accept: text/*, application/octet-streamUser-Agent: Mozilla/4.0 (compatible; Win32)Host: www.google.com
Cache-Control: no-cacheCookie: PREF=ID=3a1ec7a21eed1bd6:TB=2:TM=1096741693:LM=1191029313:C2COFF=1:S=RZ1mm-3ZpamL4jzq; testcookie=HTTP/1.1 200 OK
Content-Type: text/plainTransfer-Encoding: chunked
Expires: Sat, 08 Mar 2008 00:29:20 GMT
Cache-Control: private, max-age=0
Date: Sat, 08 Mar 2008 00:29:20 GMT
Server: GFE/1.3a0version: 0.0.0.0url: http://dl.google.com/swg/0.0.0.0/wontdownload
launch-action: execute
launch-target: nofile.exe
signature: 4444
rlz: 1R1_____enUS2650


.............www.google.com..................www.google.com..............r...www.l...,...........U.c.,...........U.g.,...........U.h.,...........U..y............99.154.85.209.in-addr.arpa.....y............99.154.85.209.in-addr.arpa.............*0.0.ns1.google.com..dns-admin.<w.....T`......u...*0J............254.2.168.192.in-addr.arpa.....J............254.2.168.192.in-addr.arpa................A.prisoner.iana.org.
hostmaster.root-servers.FwT............:...:..............1.112.193.10.in-addr.arpa..................1.112.193.10.in-addr.arpa................A.prisoner.iana.org.
hostmaster.root-servers.EwT............:...:.0............145.2.28.172.in-addr.arpa.....0............145.2.28.172.in-addr.arpa..............,.A.prisoner.iana.org.
hostmaster.root-servers.EwT............:...:..............5.98.116.12.in-addr.arpa..................5.98.116.12.in-addr.arpa................K.cbru.br.ns.els-gms.att.net.
rm-hostmaster.ems.att.com....'..Q...'...'..................201.16.123.12.in-addr.arpa..................201.16.123.12.in-addr.arpa..............,...ggr3.dlstx.ip.att.net..............138.34.205.192.in-addr.arpa..................138.34.205.192.in-addr.arpa..................att-gw.dallas.level3.net..............62.19.68.4.in-addr.arpa..................62.19.68.4.in-addr.arpa................ .vlan69.csw1.Dallas1.Level3.net..............137.136.69.4.in-addr.arpa..................137.136.69.4.in-addr.arpa.............Q..".ae-62-62.ebr2.Dallas1.Level3.net..............105.132.69.4.in-addr.arpa..................105.132.69.4.in-addr.arpa.............Q....ae-2.ebr1.Denver1.Level3.net..............38.132.69.4.in-addr.arpa..................38.132.69.4.in-addr.arpa.............Q..".ae-1-100.ebr2.Denver1.Level3.net.o............99.165.85.209.in-addr.arpa.....o............99.165.85.209.in-addr.arpa.............d....eo-in-f99.google.com..............254.2.168.192.in-addr.arpa..................254.2.168.192.in-addr.arpa..............k.A.prisoner.iana.org.
hostmaster.root-servers.FwT............:...:..............1.112.193.10.in-addr.arpa..................1.112.193.10.in-addr.arpa................A.prisoner.iana.org.
hostmaster.root-servers.EwT............:...:..............145.2.28.172.in-addr.arpa..................145.2.28.172.in-addr.arpa................A.prisoner.iana.org.
hostmaster.root-servers.EwT............:...:.L............145.25.171.205.in-addr.arpa.....L............145.25.171.205.in-addr.arpa..............s...dal-core-01.inet.qwest.net..............14.14.14.67.in-addr.arpa..................14.14.14.67.in-addr.arpa.............Q....atl-core-02.inet.qwest.net..............166.21.171.205.in-addr.arpa..................166.21.171.205.in-addr.arpa.............Q....atl-edge-18.inet.qwest.net..............6.1.144.63.in-addr.arpa..................6.1.144.63.in-addr.arpa.............*0.C
svl-ans-01.inet.qwest.net..dns-admin.qwestip.Kw.....*0......:...Q.#............84.174.233.64.in-addr.arpa.....#............84.174.233.64.in-addr.arpa.............*0.0.ns1.google.com..dns-admin.<w..4..T`..........Q.2............1.47.239.216.in-addr.arpa.....2............1.47.239.216.in-addr.arpa.............*0.0.ns1.google.com..dns-admin.;w..4..T`..........Q..............138.43.239.216.in-addr.arpa..................138.43.239.216.in-addr.arpa.............*0.0.ns1.google.com..dns-admin.=w..4..T`..........Q.

swg, google... have you got the google toolbar installed? Could it be that checking for updates?

Have you got anything else from google installed?

Yeah, you're probably right. I read somewhere that peacomm tried to resolve google so I thought that what it was.

I am putting the cart in front of the horse. I did my clean hijack and am going to post it on the hijackthis board, I don't want to waste anyone's time.

Thanks everyone, hope someone can see something in my log.

Zoney

Hi, Zoney,

do you have an update of the status of your case. I just checked the log of my home box and got the same cap data.

Regards.

gmax

I have the same issue. Mine pings that ip via ssl and up to 3 others, and then sends spam. Some research turned up ozdok as on spambot that uses ssl as the control channel.

On my system it's windows server 2003, with 10 svchosts runing, 6 logged in as "system" and 2 in as Network Service, 2 in as Local Service.

Can u check your DNS settings. These can happen when ur using an unregistered domain name as ur DNS Zone.

From the below log:

I am having the same issues to the same IP address.

I did have an infection that I posted on here last week. I seemed to have gotten rid of it. I was on the road for two weeks. HiJackThis and SecurityTaskManager look good.

When it was sending emails out at the cyclic rate, Symantec Corporate was popping up for each one. Looking at wireshark, nothing was really in the emails.

Netstat shows no connections when communicating to 128.241.20.244. At one point, it looked like one of hte connection was using a PID of 0?

I am about ready to wax this thing. But would like to figure out what is going on as more of a learning experience.

Let me know if anyone wants to help me engage and I will provide whatever is needed.

I believe it's RUbotted (beta) from Trend Micro that is communicating with 128.241.20.244.