[Dshield] Windows UDP Packet Sending Process

Paul Schmehl pschmehl_lists at tx.rr.com
Thu Jul 3 23:43:45 GMT 2008


--On July 3, 2008 10:34:27 AM -0400 Jon Kibler <Jon.Kibler at aset.com> wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Hi,
>
> Problem solved! (More or less...)
>
> Actually, this problem has been ongoing for several months, and I just
> now found the problem. Back on March 20th of this year, I posted a
> thread 'Strange UDP Traffic' to DShield that included a packet dump. No
> one was able to identify the traffic.
>
> That same box kept generating the UDP traffic at random. Since I was
> blocking it, I basically ignored it until now. Today, one of the
> customer's Windows admins was able to find a piece of software
> called 'Ativa Media Accelerator' and it was generating the traffic.
> Uninstalling it eliminated the traffic that had been going to 25121/udp.
>
> However, after the uninstall, that box made several attempts to send to
> 137/udp on an IP one less than the IP of the 25121/udp traffic. I am a
> little concerned that the uninstall did not really uninstall everything,
> but cannot prove that one way or the other.
>
> This leads to a few questions and comments:
>
> 1) Anyone know anything about 'Ativa Media Accelerator'? Any malware
> potential here?
>

It's "Itiva Media Accelerator".  It appears to be a caching proxy that 
downloads media content in the background while you play it.  An internet 
search shows mixed reviews, with some people using it and others warning 
to stay away from it.  NASCAR requires it for some of their content.  I 
don't think it's malicious, but it does appear to be poorly written 
(reports of excessive CPU consumption) and has unadvertised features that 
could be considered unethical.

> 2) Any thoughts on why the uninstall would generate 137/udp traffic back
> to the 'media server' network?
>

Probably to notify the company that you've uninstalled their product, 
although the choice of ports is odd.  (Does anybody still allow 137/udp to 
be accessible to the internet?)

> 3) If the 137/udp traffic continues, any thoughts on what to look for?
> (It appears to be 'legit' 137/udp traffic -- that is, it also originates
> from 137/udp.)
>
> 4) Since 25121/udp appears to be the port commonly used by this
> application, and they have never bothered to register it with IANA (as
> of today's official list, it still shows: "# 25010-25792 Unassigned"),
> would some of you unofficial list maintainers (Neophasis, etc.) PLEASE
> document that this is a use for that port?
>
> 5) Would someone please develop a Snort rule to detect such traffic?

alert udp any any -> any 25121 (msg:"Possible Itiva Media Accelerator traffic"; classtype:misc-activity; sid:2000001; rev:1;)

Paul Schmehl
If it isn't already obvious,
my opinions are my own and not
those of my employer.
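
Added example, not part of the original post: one way to check flow logs for the pattern described in the thread, where a host that sent 25121/udp later sends 137/udp to an address adjacent to its 25121/udp peer. The flow-record format, the function names and the sample addresses (documentation ranges) are assumptions, and the match is generalized from "one less" to any address within max_offset of the peer.

```python
import ipaddress

ITIVA_PORT = 25121  # UDP port reported in the thread
NETBIOS_NS = 137    # NetBIOS name service port reported after the uninstall

# Constructed sample records: "src_ip src_port dst_ip dst_port proto".
SAMPLE_FLOWS = """\
192.0.2.10 49152 198.51.100.8 25121 udp
192.0.2.10 137 198.51.100.7 137 udp
192.0.2.10 137 192.0.2.255 137 udp
192.0.2.11 137 203.0.113.5 137 udp
192.0.2.10 53124 198.51.100.8 443 tcp
"""

def parse(text):
    """Yield (src, sport, dst, dport, proto); skip malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        try:
            src = ipaddress.ip_address(parts[0])
            dst = ipaddress.ip_address(parts[2])
            sport, dport = int(parts[1]), int(parts[3])
        except ValueError:
            continue
        yield src, sport, dst, dport, parts[4].lower()

def correlate(text, max_offset=1):
    """Return (src, nbns_dst, itiva_peer, src_port_is_137) for each match."""
    flows = list(parse(text))
    peers = {}  # internal host -> set of its 25121/udp destinations
    for src, _sport, dst, dport, proto in flows:
        if proto == "udp" and dport == ITIVA_PORT:
            peers.setdefault(src, set()).add(dst)
    findings = []
    for src, sport, dst, dport, proto in flows:
        if proto != "udp" or dport != NETBIOS_NS or src not in peers:
            continue
        for peer in sorted(peers[src]):
            distance = abs(int(peer) - int(dst))
            if peer.version == dst.version and 0 < distance <= max_offset:
                findings.append((str(src), str(dst), str(peer),
                                 sport == NETBIOS_NS))
    return findings

if __name__ == "__main__":
    for hit in correlate(SAMPLE_FLOWS):
        print("137/udp to neighbour of 25121/udp peer:", hit)
```

The correlation ignores timestamps, so it flags the pairing whether the 137/udp traffic came before or after the 25121/udp traffic.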

