[Dshield] Windows UDP Packet Sending Process
Jon.Kibler at aset.com
Thu Jul 3 14:34:27 GMT 2008
Problem solved! (More or less...)
Actually, this problem has been ongoing for several months, and I just
now found the problem. Back on March 20th of this year, I posted a
thread 'Strange UDP Traffic' to DShield that included a packet dump. No
one was able to identify the traffic.
That same box kept generating the UDP traffic at random. Since I was
blocking it, I basically ignored it until now. Today, one of the
customer's Windows admins was able to find a piece of software
called 'Ativa Media Accelerator', and it was generating the traffic.
Uninstalling it eliminated the traffic that had been going to 25121/udp.
However, after the uninstall, that box made several attempts to send to
137/udp on an IP one less than the IP of the 25121/udp traffic. I am a
little concerned that the uninstall did not really uninstall everything,
but cannot prove that one way or the other.
This leads to a few questions and comments:
1) Anyone know anything about 'Ativa Media Accelerator'? Any malware
2) Any thoughts on why the uninstall would generate 137/udp traffic back
to the 'media server' network?
3) If the 137/udp traffic continues, any thoughts on what to look for?
(It appears to be 'legit' 137/udp traffic -- that is, it also originates
4) Since 25121/udp appears to be the port commonly used by this
application, and they have never bothered to register it with IANA (as
of today's official list, it still shows: "# 25010-25792 Unassigned"),
would some of you unofficial list maintainers (Neohapsis, etc.) PLEASE
document that this is a use for that port?
5) Would someone please develop a Snort rule to detect such traffic?
Anyway, thanks to all who contributed to both threads. All thoughts and
suggestions were greatly appreciated.
Jon R. Kibler
Chief Technical Officer
Advanced Systems Engineering Technology, Inc.
Charleston, SC USA
My PGP Fingerprint is:
BAA2 1F2C 5543 5D25 4636 A392 515C 5045 CF39 4253
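An added example in the spirit of question 5, not part of Jon's post and not anything shipped with the software he describes: two Snort rules written against the only two facts the post gives, UDP from the affected host to 25121 and the follow-up 137/udp to an address adjacent to that server. $HOME_NET and $EXTERNAL_NET are the usual snort.conf variables and the SIDs are taken from the local (1000000+) range; both are assumptions to adjust for the deployment.

```snort
# Added example rules (not from the original post). Assumes $HOME_NET and
# $EXTERNAL_NET are defined in snort.conf and that SIDs 1000001-1000002 are free.

# Outbound traffic to the port the post attributes to 'Ativa Media Accelerator'.
# Rate-limited per source host so a chatty client does not flood the log.
alert udp $HOME_NET any -> $EXTERNAL_NET 25121 (msg:"POLICY possible Ativa Media Accelerator client traffic to 25121/udp"; threshold:type limit, track by_src, count 1, seconds 300; classtype:policy-violation; sid:1000001; rev:1;)

# NetBIOS name service (137/udp) leaving the network. The post saw this right
# after the uninstall, aimed at an address next to the 25121/udp server. NetBIOS
# has no business crossing the perimeter, so flag any external destination.
# Expect noise on networks that do not already block 137/udp at the egress.
alert udp $HOME_NET any -> $EXTERNAL_NET 137 (msg:"POLICY NetBIOS name service query to external host"; threshold:type limit, track by_src, count 1, seconds 300; classtype:policy-violation; sid:1000002; rev:1;)
```

Drop both into local.rules and run `snort -T -c snort.conf` to check they parse. Once the 'media server' network is known, narrow the second rule's destination from all of $EXTERNAL_NET to that address range so it catches the post-uninstall behaviour specifically rather than every stray NetBIOS query.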