Hi! Problems with random IGMP multicasts

Discussion in 'other security issues & news' started by Faraway64d, Oct 17, 2011.

Thread Status:
Not open for further replies.
  1. Faraway64d

    Faraway64d Registered Member

    Joined:
    Oct 17, 2011
    Posts:
    2
    Hello and nice to be here!

    I'm having an issue with extremely bizarre network behavior on my computer. I would really appreciate your advice on this matter.

    A few weeks ago, seemingly out of the clear blue sky, COMODO firewall began reporting attempts by random applications (so far, Wireshark, Itunes, Foxit Reader, Explorer, an Svchost process and more) to connect to 224.0.0.22 -- which after some research, I now understand is a multicast group. The problem is three-fold: 1) I never deliberately joined a multicast group, nor am I aware of any of my applications that require multicasting 2) I've disabled internet access in a lot of these programs and they have no business trying to access the LAN or WAN, and 3) I was under the impression that you needed to enable IPv6 to use multicasting; I never deliberately enabled IPv6 on either my computer or in my router, so I don't know what's going on there.

    Around this time, my hotmail account was cracked -- not spoofed, cracked. I don't know how they got the password still. I deleted all partitions & did a fresh install, but the problem persisted.

    However, the reinstall brought more weirdness. When I got fed up & blocked the IGMP protocol entirely with Comodo, then some applications started trying to access the loopback zone o_O (ex: when a program is opened, I get this alert 127.0.0.1:5xxxx => 127.0.0.1:2xxxx). Itunes did this only once, but Handbrake does this every time I open it. Wireshark reports that SYNs to ports in the loopback are not acknowledged (I captured these traces with RAWCap).

    My computer was not doing this a few weeks ago. Either something has altered my network configuration (an update maybe), or some worm or rootkit is evading me. So far, I've checked my hosts file, firewall and router logs for suspicious entries; I've run Kaspersky TDSS Killer, Sophos Anti-Rootkit, Avast Antirootkit, Avira, Combofix and MBAM -- nada. So far, I've used Process Explorer & Process Monitor with stack analysis to explore whether something is hooking into these programs to make them send these requests. I can't find any unusual network activity with TCPView or Wireshark, but my networking knowledge is VERY basic and I am not confident analyzing the data. The only incoming connections seem to be solicited, but it's what something could be sending OUT that's worrying me. What should I be looking for?

    I'm pretty computer savvy, but this is beyond me. If I can provide any helpful info to get to the bottom of this just ask. My next (desperate and undesirable) step is going to be to wipe the drive to make sure no MBR code survives. Thanks! :D

    -----------------------------------
    System Windows 7 x64
    Comodo Firewall (free)
    Avira 2012 (free)
    Using Wireless 802.11N
    DSL Router (in bridge mode, serving as a dumb modem) => Linksys Router (gateway, running TomatoUSB 2.6) => WLAN/LAN
     
    Last edited: Oct 17, 2011
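For anyone reading the capture from the post above: 224.0.0.22 is the IGMPv3 "all IGMPv3-capable routers" group (RFC 3376), and it is plain IPv4, not IPv6. The packets are IGMPv3 Membership Reports that the host's IP stack sends by itself whenever any socket joins a multicast group (SSDP on 239.255.255.250 and mDNS/Bonjour on 224.0.0.251 are the usual culprits on a Windows desktop running iTunes); a per-application firewall attributes the report to whichever process owned the socket that triggered the join. The group addresses listed inside the report are what tell you which service is involved, and a loopback SYN by definition never leaves the machine. The script below is an added example written for this thread, not code from the poster, Wireshark or RawCap; the two sample packets are constructed inline (addresses, ports and groups are made up for the demonstration) so it runs offline, and the same decoder can be fed the raw IPv4 bytes of a frame exported from a capture.

```python
"""Decode IGMPv3 Membership Reports and loopback TCP SYNs from raw IPv4 bytes.

Added example for the thread: identifies what an IGMP packet to 224.0.0.22
actually announces (which groups were joined/left) and flags TCP traffic that
stays on 127.0.0.0/8. Sample packets are constructed below, not captured.
"""
import socket
import struct

IGMP_PROTO = 2
TCP_PROTO = 6
IGMPV3_REPORT = 0x22            # message type of an IGMPv3 Membership Report
IGMPV3_ALL_ROUTERS = "224.0.0.22"

# Group record types from RFC 3376 section 4.2.12
RECORD_TYPES = {1: "MODE_IS_INCLUDE", 2: "MODE_IS_EXCLUDE",
                3: "CHANGE_TO_INCLUDE", 4: "CHANGE_TO_EXCLUDE",
                5: "ALLOW_NEW_SOURCES", 6: "BLOCK_OLD_SOURCES"}


def inet_checksum(data: bytes) -> int:
    """Standard ones-complement Internet checksum (IP and IGMP use it)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, payload: bytes, ttl: int = 1) -> bytes:
    """Minimal 20-byte IPv4 header (no options) with a valid header checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, ttl,
                      proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:] + payload


def build_igmpv3_report(groups) -> bytes:
    """IGMPv3 report with one CHANGE_TO_EXCLUDE record (no sources) per group,
    which is how a host announces a plain 'join' of that group."""
    records = b"".join(struct.pack("!BBH4s", 4, 0, 0, socket.inet_aton(g)) for g in groups)
    msg = struct.pack("!BBHHH", IGMPV3_REPORT, 0, 0, 0, len(groups)) + records
    return msg[:2] + struct.pack("!H", inet_checksum(msg)) + msg[4:]


def build_tcp_syn(sport: int, dport: int) -> bytes:
    """Bare TCP header with only SYN set; checksum left zero (we only decode ports/flags)."""
    return struct.pack("!HHIIBBHHH", sport, dport, 1000, 0, 5 << 4, 0x02, 8192, 0, 0)


def decode_packet(pkt: bytes) -> dict:
    """Parse an IPv4 packet and describe the IGMPv3 report or TCP segment inside."""
    ihl = (pkt[0] & 0x0F) * 4      # honours IP options (real reports carry Router Alert)
    proto = pkt[9]
    info = {"src": socket.inet_ntoa(pkt[12:16]), "dst": socket.inet_ntoa(pkt[16:20]),
            "proto": proto}
    payload = pkt[ihl:]
    if proto == IGMP_PROTO and payload and payload[0] == IGMPV3_REPORT:
        info["kind"] = "igmpv3_report"
        info["checksum_ok"] = inet_checksum(payload) == 0   # valid checksum sums to zero
        count = struct.unpack("!H", payload[6:8])[0]
        records, off = [], 8
        for _ in range(count):
            rtype, aux, nsrc, grp = struct.unpack("!BBH4s", payload[off:off + 8])
            records.append((RECORD_TYPES.get(rtype, str(rtype)), socket.inet_ntoa(grp)))
            off += 8 + 4 * nsrc + 4 * aux   # skip source list and aux data
        info["records"] = records
    elif proto == TCP_PROTO:
        sport, dport = struct.unpack("!HH", payload[:4])
        flags = payload[13]
        info.update(kind="tcp", sport=sport, dport=dport,
                    syn=bool(flags & 0x02), ack=bool(flags & 0x10))
    return info


def explain(info: dict) -> str:
    """One-line verdict a firewall alert does not give you."""
    if info.get("kind") == "igmpv3_report" and info["dst"] == IGMPV3_ALL_ROUTERS:
        joins = ", ".join(f"{t} {g}" for t, g in info["records"])
        return "IGMPv3 Membership Report from the IP stack (any socket joined a group): " + joins
    if info.get("kind") == "tcp" and info["src"].startswith("127.") and info["dst"].startswith("127."):
        flag = "SYN" if info["syn"] and not info["ack"] else "segment"
        return f"loopback TCP {flag} {info['sport']}->{info['dport']}: never leaves this host"
    return "other traffic"


# Constructed samples (not from the poster's capture): a report joining SSDP and
# mDNS, and a loopback SYN in the 5xxxx -> 2xxxx shape described in the thread.
SAMPLE_REPORT = build_ipv4("192.168.1.10", IGMPV3_ALL_ROUTERS, IGMP_PROTO,
                           build_igmpv3_report(["239.255.255.250", "224.0.0.251"]))
SAMPLE_SYN = build_ipv4("127.0.0.1", "127.0.0.1", TCP_PROTO, build_tcp_syn(51234, 24567), ttl=128)


def analyze_samples() -> list:
    return [explain(decode_packet(p)) for p in (SAMPLE_REPORT, SAMPLE_SYN)]


if __name__ == "__main__":
    for line in analyze_samples():
        print(line)
```

To apply it to a real trace, select the packet in Wireshark, copy the bytes of the IP layer as a hex stream and pass `bytes.fromhex(...)` to `decode_packet`; a report whose records name only well-known discovery groups is the stack doing its job, whereas an unfamiliar group address is the thing worth chasing back to a process with TCPView or Process Monitor.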
  2. TheKid7

    TheKid7 Registered Member

    Joined:
    Jul 22, 2006
    Posts:
    3,469
    Did you try an Antivirus Rescue CD (Avira, Kaspersky, Dr.Web, BitDefender, etc.)? It is my understanding that an Antivirus Rescue CD has a better chance of detecting rootkits since Windows is not running during the scan.

    I would try to be "Safe" for a "Peace of Mind":

    1. Backup critical files.
    2. Wipe the entire hard drive from bootable media to make sure that any Malware does not try to mess with the wipe process.
    3. Partition the hard drive, format, install Windows, etc.

    It sure would be nice if you had a hard drive Image to Restore.

    There is a list of Antivirus Rescue CD's with links here:

    https://www.wilderssecurity.com/showpost.php?p=1956612&postcount=7
     
    Last edited: Oct 17, 2011
  3. Faraway64d

    Faraway64d Registered Member

    Joined:
    Oct 17, 2011
    Posts:
    2
    Thanks for the reply! I'll give the Avira Rescue CD a shot to eliminate a bootkit. I also have a few other offline scanners I could try. If this is a case of malware or exploit, it has to be new and extremely nasty to make it past all of the av's I've mentioned.

    I'm also going to turn Comodo's Defense engine on to see if it notices any parent applications initiating this behavior in other apps.

    Do you have any advice on how I can make better sense of these multicast and loopback connections? I'll have some captures ready to upload tomorrow in case anyone wants to view them.
     
  4. TheKid7

    TheKid7 Registered Member

    Joined:
    Jul 22, 2006
    Posts:
    3,469
    I have never used a Network Analysis Tool, but here is a list of free Network Analysis Tools. I hear that Wireshark is one of the best.

    http://www.techsupportalert.com/best-free-network-analysis-tools.htm

    Watch the Wireshark Videos and Presentations here:

    http://www.wireshark.org/

    You may want to scan with more than one Antivirus Rescue CD since one may detect a rootkit that another won't detect. Avira is the fastest at scanning and Dr.Web the slowest (very slow). I would also scan with both the Kaspersky and BitDefender Antivirus Rescue CD's.

    I have heard that Hitman Pro is good at detecting and removing many rootkits. Hitman Pro needs an active Internet connection to work properly since it is "cloud" based. Read through the following Malware Removal Guide.

    http://www.selectrealsecurity.com/malware-removal-guide
     
  5. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA