[Dshield] Windows UDP Packet Sending Process

Jon Kibler Jon.Kibler at aset.com
Thu Jul 3 14:34:27 GMT 2008

Hash: SHA1


Problem solved! (More or less...)

Actually, this problem has been ongoing for several months, and I just
now found the problem. Back on March 20th of this year, I posted a
thread 'Strange UDP Traffic' to DShield that included a packet dump. No
one was able to identify the traffic.

That same box kept generating the UDP traffic at random. Since I was
blocking it, I basically ignored it until now. Today, one of the
customer's Windows admins was able to find was a piece of software
called 'Ativa Media Accelerator' and it was generating the traffic.
Uninstalling it eliminated the traffic that had been going to 25121/udp.

However, after the uninstall, that box made several attempts to send to
137/udp on an IP one less than the IP of the 25121/udp traffic. I am a
little concerned that the uninstall did not really uninstall everything,
but cannot prove that one way or the other.

This leads to a few questions and comments:

1) Anyone know anything about 'Ativa Media Accelerator'? Any malware
potential here?

2) Any thoughts on why the uninstall would generate 137/udp traffic back
to the 'media server' network?

3) If the 137/udp traffic continues, any thoughts on what to look for?
(It appears to be 'legit' 137/udp traffic -- that is, it also originates
from 137/udp.)

4) Since 25121/udp appears to be the port commonly used by this
application, and they have never bothered to register it with IANA (as
of today's official list, it still shows: "# 25010-25792 Unassigned"),
would some you unofficial list maintainers (Neophasis, etc.) PLEASE
document that this is a use for that port?

5) Would someone please develop a Snort rule to detect such traffic?

Anyway, thanks to all who contributed to both threads. All thoughts and
suggestions were greatly appreciated.

Jon K.
- --
Jon R. Kibler
Chief Technical Officer
Advanced Systems Engineering Technology, Inc.
Charleston, SC  USA
o: 843-849-8214
c: 843-224-2494
s: 843-564-4224

My PGP Fingerprint is:
BAA2 1F2C 5543 5D25 4636 A392 515C 5045 CF39 4253

Version: GnuPG v1.4.8 (Darwin)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org


Filtered by: TRUSTEM.COM's Email Filtering Service
No Spam. No Viruses. Just Good Clean Email.

More information about the list mailing list