EKRN.EXE wanted to send my PIN NUMBER

Discussion in 'ESET NOD32 Antivirus' started by henrytyler, Jan 23, 2008.

Thread Status:
Not open for further replies.
  1. henrytyler

    henrytyler Registered Member

    Joined:
    Jan 23, 2008
    Posts:
    2
    I got a warning from Zone Alarm Firewall that EKRN.EXE wanted to send my PIN NUMBER to 102.112.2o7.net by using EKRN.EXE.

    I am a relative novice compared to you guys... but has anybody else had this happen?

    Henry
     
  2. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    17,876
    Location:
    New England
    This can get a little complicated, so let's start from the beginning and step through it.

    First of all, starting in NOD32 v3, EKRN.EXE by default proxies all Internet traffic for your web browsers and email clients. That simply means that all data going out and coming back from the Internet passes through NOD32 to be scanned for malware. EKRN.EXE does this on behalf of your browser and email clients, so there is no surprise there.

    Second, the ID Lock feature in Zone Alarm also watches data going out from your PC so that it can scan for any data patterns you tell it to watch for. It seems that you entered your PIN number into the ZA vault so that it could watch for it in any data going out from your PC.

    Now, the alert you got simply says that the data pattern that is also your PIN number was seen in the data stream going out to a particular website and the program transmitting it was EKRN.EXE. There are a lot of possibilities here...

    First, and most common, is that it wasn't your PIN number specifically, but just the series of numbers that also happens to be your PIN. The reason this is an important distinction is as follows. If my PIN number is "1234" and I enter it as a string to be monitored by ZA, then "any" occurrence of the numbers "1234" that goes out of my PC will be flagged as an attempt to communicate my PIN number. If I try to make a post here that has the text "123456789" in it, it would be flagged as containing my PIN.

    When you communicate on the web, a whole lot of data is transmitted. Numbers in particular are constantly being sent out in data packets. So, monitoring for a fairly simple number, like a PIN number, the last 4 digits of an SSN or anything like that, is very likely to cause false detections - i.e. flagging data that really isn't an attempt to get your private data, but that just contains that same pattern of data.

    That's a very likely reason for such an alert to happen. EKRN.EXE doesn't know your PIN, so it has no way to go and find it on your PC, then try to communicate it to some website.

    Now, I said that is the most common reason for alerts like that, i.e. a false detection from the ZAP ID Lock feature. There are lots of old threads in our other firewalls section from when that feature was first introduced and people were getting alerted to PINs and SSN segments being sent out of their PCs. However, there is also the chance that it was a valid detection...

    As I said above, NOD32 acts as a proxy now, so all data going out while you browse is passing through EKRN.EXE before leaving your PC. The fact that ZA identifies 102.112.2o7.net as the target is very telling. "2o7.net" is a web analytics service. They are used by many commercial websites to track usage patterns and other statistics about their website visitors. And unfortunately, a lot of financial services use 2o7.net to track usage of their sites. For example, I use Discover Card and their login screen and account maintenance pages all link to 2o7.net.

    It would be very interesting to know exactly what website you were accessing when the alert came up. If we check that site, we'd probably find they use the 2o7.net tracking service.

    As for why it was alerting on "your PIN", unless you were actually using your PIN at a financial website at that moment, it's still most likely that ZA simply saw a short series of numbers that also happen to be your PIN number in a data packet being sent to the 2o7.net web tracking service.
     
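The false-positive mechanism LowWaterMark describes above (a short digit run like "1234" matching inside timestamps, visitor IDs or a post containing "123456789") can be reproduced with a small simulation. This is an added example, not code from the thread or from Zone Alarm or ESET; the outbound payloads and the analytics.example host are constructed, and the three matcher functions are hypothetical illustrations of how a content-monitoring rule could be tightened.

```python
import re

# Constructed outbound payloads (not real traffic): what an ID-lock style
# monitor would see leaving a PC through a scanning proxy.
SAMPLE_OUTBOUND = [
    # analytics beacon: the PIN digits appear by chance inside a timestamp and a visitor id
    "GET /b/ss/site/1/H.1?t=12340&vid=123456789&c=5 HTTP/1.1\r\nHost: analytics.example",
    # forum post whose text merely contains the digit run
    "POST /post HTTP/1.1\r\nHost: forum.example\r\n\r\nbody=my+order+number+is+123456789",
    # article id that equals the PIN but is not a submitted credential
    "GET /article/1234 HTTP/1.1\r\nHost: news.example",
    # a real credential submission: the PIN is the whole value of a form field
    "POST /login HTTP/1.1\r\nHost: bank.example\r\n\r\nuser=henry&pin=1234",
    # unrelated request
    "GET /index.html HTTP/1.1\r\nHost: example.test",
]

def naive_matches(pin: str, payloads):
    """Plain substring match: flags every payload containing the digit run."""
    return [p for p in payloads if pin in p]

def bounded_matches(pin: str, payloads):
    """Digit-boundary match: the PIN must not sit inside a longer number."""
    pat = re.compile(r"(?<!\d)" + re.escape(pin) + r"(?!\d)")
    return [p for p in payloads if pat.search(p)]

def field_matches(pin: str, payloads):
    """Context-aware match: the PIN must be the complete value of a form or query field."""
    pat = re.compile(r"(?:^|[?&\s])[A-Za-z_]+=" + re.escape(pin) + r"(?=&|\s|$)")
    return [p for p in payloads if pat.search(p)]

def false_positive_count(matcher, pin: str, payloads, true_leaks):
    """How many flagged payloads are not actually credential submissions."""
    return sum(1 for p in matcher(pin, payloads) if p not in true_leaks)

if __name__ == "__main__":
    leaks = {SAMPLE_OUTBOUND[3]}
    for m in (naive_matches, bounded_matches, field_matches):
        print(m.__name__, "flagged", len(m("1234", SAMPLE_OUTBOUND)),
              "false positives", false_positive_count(m, "1234", SAMPLE_OUTBOUND, leaks))
```

The substring rule flags four of the five constructed payloads although only the login submission carries the PIN; narrowing the match to a standalone number, and then to a field value, removes the spurious hits without losing the real one.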
  3. henrytyler

    henrytyler Registered Member

    Joined:
    Jan 23, 2008
    Posts:
    2
    Thanks a million, "LowWaterMark", for your knowledge. It put me at ease that nothing sinister is lurking...

    Henry:thumb:
     