Can malware disguise network traffic?

Discussion in 'other security issues & news' started by sukarof, Mar 25, 2007.

Thread Status:
Not open for further replies.
  1. sukarof

    sukarof Registered Member

    Joined:
    Jun 22, 2004
    Posts:
    1,714
    Location:
    Stockholm Sweden
    I am a bit curious about that. I have a piece of software named Winbar; it is a utility to monitor different settings in Windows. Today I discovered that I had a 900kb/s download going on in Winbar. I looked in the regular network status but it reported no network activity. I only see the traffic going on in Winbar (and Statbar, a similar program).
    Port Explorer doesn't show any activity on the connected processes.

    It was in Vista. I have used Winbar with Vista since I installed Vista in February but it has never shown this kind of activity when I don't have a [known] download going on.

    I have Kaspersky Internet Security and Prevx1 but they have not reported anything suspicious...

    Have I discovered a new sort of malware?
    Well, I wish ;) My guess is that the drivers have gone mad somehow. I know that rootkits can hide processes from Windows, but network traffic? Surely a network monitor (like Winbar) uses the same mechanism as Windows itself? So if it was real malware I wouldn't see the network activity in Winbar either?
     
  2. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    Yes, some malware can patch the network stack (or install a custom one) to evade filtering by firewalls.
     
  3. sukarof

    sukarof Registered Member

    Joined:
    Jun 22, 2004
    Posts:
    1,714
    Location:
    Stockholm Sweden
    OK, thanks for the info. Now that I have rebooted back to Vista I don't seem to have that problem anymore; hopefully it was some temporary glitch. But I will keep my eyes open. It felt a bit uneasy. I've checked my hard drives but I couldn't see that there was 14 Gb added anywhere. That amount was what Winbar told me had been downloaded. I don't know how long I had that download going on really, but it is not impossible since I have a 100Mb line; it won't take long to download that, and I have the computer on 24/7.
     
  4. sukarof

    sukarof Registered Member

    Joined:
    Jun 22, 2004
    Posts:
    1,714
    Location:
    Stockholm Sweden
    What kind of attack is this?

    Last Saturday around 6 pm Swedish time (5 pm British standard) I suddenly noticed on my network monitor (Winbar) that I was downloading something at the speed of 900Kb/s. (I have a 100Mbit line to the internet.)

    I opened the Windows Vista network monitor but no activity at all o_O Only the network monitor in Winbar showed this. According to Winbar I had downloaded over 14Gb. I have no idea how long this download (or whatever it is) had been going on.

    I started Port Explorer to see what connections I had, but nothing showed that anything was downloading o_O
    No warning from Kaspersky firewall. I could not stop this download.
    I might add that Winbar has worked flawlessly since my first install of Windows Vista back in January.
    I rebooted to another snapshot of Vista and the same thing happened there. This snapshot was a relatively new copy.
    Then I booted to a Windows XP snapshot, but everything was OK there.
    I rebooted a couple of times but the download was still there. So I decided that I'll leave Vista and use XP.
    A couple of hours later I booted back to Vista and the download was gone. I thought it might be something wrong with a driver all of a sudden. Did a scan with Kaspersky but it found nothing.

    Then came Sunday. Everything was fine until around 6 pm, when I noticed the download was there again. This time I decided to install Look´n´stop on top of KIS. But it showed nothing; the attack had stopped.

    Again I thought it must be something wrong with my windows, a driver or something has gone mad.

    Then tonight at 6 pm I noticed in the Process Explorer icon in the tray that something was using 80% of the CPU.
    I opened it and saw that Look´n´stop was working like crazy. The attack is back; I am downloading something at 900Kb/s.
    I check in the log and see this (see pic from the Look´n´stop log); it just goes on and on until I block it with Look´n´stop.

    I don't believe this is a driver error or a Windows glitch anymore. It has always started around the same time (6 pm); now, at 6:35 pm, when I unblock the block rule in Look´n´stop the attack seems to have stopped. This has not happened to me before last Saturday. The only thing different I have done lately, that I can think of, is that I am trialling Kaspersky Internet Security.

    What the hell is this? Has something bypassed Prevx1 Pro mode and Kaspersky Internet Security? With the tools I have I cannot see what has been downloaded or where, nor what software started the download.
     

    Last edited: Mar 28, 2007
  5. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Re: What kind of attack is this?

    Hey, I have read a very, very similar post here a few days back. Can anybody point to it?
     
  6. sukarof

    sukarof Registered Member

    Joined:
    Jun 22, 2004
    Posts:
    1,714
    Location:
    Stockholm Sweden
    Re: What kind of attack is this?

    Ah, sorry. I forgot that I posted about this here at Wilders already (I thought I posted it at another forum). I asked if malware can disguise network traffic from Windows. I believe it is this thread you are thinking about:

    https://www.wilderssecurity.com/showthread.php?t=169734

    A moderator can merge this thread with it if he/she wants to.

    Sorry about this mix-up.
     
  7. Menorcaman

    Menorcaman Retired Moderator

    Joined:
    Aug 19, 2004
    Posts:
    4,661
    Location:
    Menorca (Balearic Islands) Spain
    Re: What kind of attack is this?

    Not a problem. Threads now merged.

    Regards

    Menorcaman
     
  8. Meriadoc

    Meriadoc Registered Member

    Joined:
    Mar 28, 2006
    Posts:
    2,642
    Location:
    Cymru
    Hi sukarof,
    Any update on your attack?

    Are you behind a router, and when you say download, what is actually happening? If you bring up the status of that connection, under activity, is it that you are receiving (and sending) packets continually, with the counts steadily and uniformly increasing?
     
  9. sukarof

    sukarof Registered Member

    Joined:
    Jun 22, 2004
    Posts:
    1,714
    Location:
    Stockholm Sweden
    Sorry for the late reply. No, I just blocked the ports and forgot about it.
    Today I reinstalled Look´n´stop and suddenly it came back.

    If I do a whois on the IP (this time it is 25.194.33.233) I don't know if I should be scared or amused :blink: :
    It's the same ports as before: destination 2002 and source 50000. It just keeps hammering, with 10 connection attempts every second in the log, until I block the ports with Look´n´stop, or rather make a block rule and tell it not to log.

    This is what I see in the LnS log about the packets.

    o_O
     
    Last edited: Apr 15, 2007
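The pattern sukarof describes in the post above (a fixed source port, a fixed destination port, about 10 connection attempts per second, visible only in the firewall log) is exactly the kind of thing a small log-triage script can surface automatically. The following is an added example written for this thread; it is not code from Look´n´stop, Winbar or any other product named here. Because the real Look´n´stop log only appears in the thread as a picture, the log format, the sample lines, the addresses (documentation ranges) and the thresholds are all constructed assumptions.

```python
"""Flag high-rate, fixed-port connection attempts in a simple firewall log.

Added example for the thread; the line format below is an assumed generic
"timestamp ACTION PROTO src:port -> dst:port" shape, not any vendor's format.
"""
import re
from collections import Counter, defaultdict

# Constructed sample lines (addresses from RFC 5737 documentation ranges).
# Ten attempts in one second from one source port, as described in the thread,
# followed by two ordinary outbound web connections and one late straggler.
_BURST = "2007-04-15 18:00:01 BLOCK TCP 198.51.100.7:50000 -> 192.0.2.10:2002"
SAMPLE_LOG = "\n".join(
    [_BURST] * 10
    + [
        "2007-04-15 18:00:02 ALLOW TCP 192.0.2.10:49152 -> 203.0.113.5:80",
        "2007-04-15 18:00:02 ALLOW TCP 192.0.2.10:49153 -> 203.0.113.5:80",
        "2007-04-15 18:00:03 BLOCK TCP 198.51.100.7:50000 -> 192.0.2.10:2002",
    ]
)

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<action>\w+) (?P<proto>\w+) "
    r"(?P<src_ip>\d+\.\d+\.\d+\.\d+):(?P<src_port>\d+) -> "
    r"(?P<dst_ip>\d+\.\d+\.\d+\.\d+):(?P<dst_port>\d+)$"
)


def parse_line(line):
    """Parse one log line into a dict; raise ValueError on an unexpected shape."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable log line: {line!r}")
    rec = m.groupdict()
    rec["src_port"] = int(rec["src_port"])
    rec["dst_port"] = int(rec["dst_port"])
    return rec


def parse_log(text):
    """Parse every non-empty line of a log blob."""
    return [parse_line(ln) for ln in text.splitlines() if ln.strip()]


def detect_bursts(records, threshold=5):
    """Return (second, src_ip, dst_port, count) for every one-second window in
    which one source hit one destination port at least `threshold` times.
    The threshold is an assumption; tune it to the environment's baseline."""
    counts = Counter((r["ts"], r["src_ip"], r["dst_port"]) for r in records)
    return sorted(
        (ts, ip, port, n) for (ts, ip, port), n in counts.items() if n >= threshold
    )


def fixed_source_ports(records, min_attempts=5):
    """Return (src_ip, dst_port) pairs with many attempts all from a single
    source port. Normal clients rotate ephemeral ports, so a constant source
    port across repeated attempts (50000 in the thread) is worth a closer look."""
    ports = defaultdict(set)
    attempts = Counter()
    for r in records:
        key = (r["src_ip"], r["dst_port"])
        ports[key].add(r["src_port"])
        attempts[key] += 1
    return sorted(k for k in attempts if attempts[k] >= min_attempts and len(ports[k]) == 1)


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for ts, ip, port, n in detect_bursts(recs):
        print(f"{ts}: {ip} hit port {port} {n} times in one second")
    for ip, port in fixed_source_ports(recs):
        print(f"{ip} -> port {port}: every attempt used the same source port")
```

Run against a real export, the two findings answer the questions raised in the thread without a packet capture: whether the traffic is a steady hammering from one peer (burst rate) and whether it looks like a scripted client rather than ordinary software (constant source port). Either finding on its own is a reason to keep the block rule and investigate the host, not a verdict.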