Spurious NBNS traffic
July 26, 2009 5:51 AM

There's probably a virus on my laptop, how can I identify it?

I noticed in Vista's perfmon that there is traffic originating from the "System" process even while no processes with net access were running.

In Wireshark I see lots of reverse DNS lookups and NBNS traffic. The NBNS seems to only send "NBTSTAT *", which seems to be a test of the NBNS services of other machines. Destination is port 137 of about 30 different IP addresses over a 5-minute period. The IP addresses are all over the world: Russia, Argentina, Japan, etc.

This is a Vista SP1 with all updates; AVG does not detect anything, and neither does F-Secure BlackLight.

I turned off NetBIOS in the TCP properties, and the traffic stopped completely.

Any ideas of what this could be? I'm also interested in how you would troubleshoot this assuming that no automatic tool can detect it. I've got my copy of Windows Internals beside me and windbg installed, but don't really know what to look for.
posted by dhoe to Computers & Internet (8 answers total)
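The "NBTSTAT *" packets described in the question are NBNS node status requests (RFC 1002 section 4.2.12): a query for the wildcard name "*" with QUESTION_TYPE 0x0021, which asks the remote host to return its NetBIOS name table and MAC address. The following Python is an added example, not code from the question or from any of the tools mentioned in the thread. It builds such a packet from the RFC layout, parses it back (including the first-level name encoding that turns "*" into the 32-character label "CKAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" you would see in Wireshark's NBNS dissector), and then runs a simple detector over a constructed list of (source, destination, payload) events to flag a host that sends wildcard node status requests to many distinct destinations, the "30 addresses in 5 minutes" pattern the poster observed. The IP addresses, the threshold of 10 targets and the event list are all constructed for the example.

```python
"""Decode NetBIOS Name Service (NBNS, UDP/137) queries and flag a host that
sends wildcard node status requests ("nbtstat -A" / "NBTSTAT *") to many
destinations.  Layout per RFC 1002 sections 4.2.1 (header) and 4.2.12 (node
status request).  Every packet below is built inline; none are captures."""
import struct
from collections import defaultdict

NB = 0x0020       # QUESTION_TYPE: name query
NBSTAT = 0x0021   # QUESTION_TYPE: node status request


def encode_name(name: bytes) -> bytes:
    """RFC 1001 first-level encoding: 16 raw bytes -> 32 chars in 'A'..'P'.
    Each nibble is added to 'A', so 0x2A ('*') becomes 'C','K'."""
    assert len(name) == 16
    out = bytearray()
    for b in name:
        out.append(ord("A") + (b >> 4))
        out.append(ord("A") + (b & 0x0F))
    return bytes(out)


def decode_name(encoded: bytes) -> bytes:
    """Inverse of encode_name: 32 encoded chars -> 16 raw bytes."""
    assert len(encoded) == 32
    raw = bytearray()
    for i in range(0, 32, 2):
        raw.append(((encoded[i] - ord("A")) << 4) | (encoded[i + 1] - ord("A")))
    return bytes(raw)


def build_query(trn_id: int, name: bytes, qtype: int) -> bytes:
    """Single-question NBNS request: header (flags = opcode QUERY, RD set),
    one 32-char label, NUL terminator, QUESTION_TYPE, QUESTION_CLASS IN."""
    header = struct.pack(">HHHHHH", trn_id, 0x0100, 1, 0, 0, 0)
    qname = bytes([32]) + encode_name(name) + b"\x00"
    return header + qname + struct.pack(">HH", qtype, 1)


def wildcard_nbstat_query(trn_id: int = 0x1234) -> bytes:
    """The 'NBTSTAT *' probe: node status request for the wildcard name,
    which is '*' padded with fifteen NUL bytes (not spaces)."""
    return build_query(trn_id, b"*" + b"\x00" * 15, NBSTAT)


def parse_query(pkt: bytes) -> dict:
    """Parse the NBNS header and the first question; raises ValueError on
    anything that is not a well-formed single-label NBNS question."""
    if len(pkt) < 12:
        raise ValueError("short NBNS header")
    trn_id, flags, qdcount, _an, _ns, _ar = struct.unpack(">HHHHHH", pkt[:12])
    if qdcount < 1:
        raise ValueError("no question section")
    off = 12
    if len(pkt) < off + 38 or pkt[off] != 32:
        raise ValueError("expected a 32-byte encoded label")
    encoded = pkt[off + 1:off + 33]
    off += 33
    if pkt[off] != 0:
        raise ValueError("missing name terminator")
    off += 1
    qtype, qclass = struct.unpack(">HH", pkt[off:off + 4])
    raw = decode_name(encoded)
    return {
        "trn_id": trn_id,
        "is_response": bool(flags & 0x8000),
        "opcode": (flags >> 11) & 0xF,
        "name": raw[:15].rstrip(b"\x00 ").decode("ascii", "replace"),
        "suffix": raw[15],              # 16th byte: service type (0x00, 0x20, ...)
        "qtype": qtype,
        "qclass": qclass,
        "wildcard_nbstat": qtype == NBSTAT and raw[:1] == b"*",
    }


def find_scanners(events, max_targets: int = 10) -> dict:
    """events: iterable of (src_ip, dst_ip, udp_payload).  Returns
    {src_ip: distinct_targets} for sources that sent wildcard node status
    requests to more than max_targets distinct hosts."""
    targets = defaultdict(set)
    for src, dst, pkt in events:
        try:
            q = parse_query(pkt)
        except ValueError:
            continue
        if q["wildcard_nbstat"] and not q["is_response"]:
            targets[src].add(dst)
    return {src: len(t) for src, t in targets.items() if len(t) > max_targets}


def demo() -> dict:
    """Constructed traffic: one host probing 30 documentation-range addresses
    with 'NBTSTAT *', plus one ordinary name query that must not be flagged."""
    events = [("10.0.0.5", f"203.0.113.{i + 1}", wildcard_nbstat_query(i))
              for i in range(30)]
    events.append(("10.0.0.7", "10.0.0.1",
                   build_query(1, b"WORKGROUP".ljust(15, b" ") + b"\x00", NB)))
    return find_scanners(events)


if __name__ == "__main__":
    print(wildcard_nbstat_query()[13:45].decode())  # CKAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
    print(demo())
```

The detector keys on two things visible in the question's capture: the wildcard node status request itself and the fan-out to many distinct destinations. A legitimate `nbtstat -A` by an administrator produces the same packet, so the fan-out, not the packet, is the signal; the threshold is a constructed value and should be tuned to the network.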
 
Have you tried HijackThis? http://download.cnet.com/Trend-Micro-HijackThis/3000-8022_4-10227353.html

It's not an automatic tool, but if you submit it to forums at Bleeping Computer (http://www.bleepingcomputer.com/forums/forum22.html), someone there can help with the analysis. Also, there are some HijackThis automated analyzers at, say, http://hjt.networktechs.com/, which can be a first cut, but if you suspect something real, then it's best to have a human take a look.
posted by chengjih at 6:54 AM on July 26, 2009


You really should try Malwarebytes. It's saved me from a few nasty processes that were otherwise a nightmare to remove by hand.

Also, it's free!
posted by jtoth at 7:07 AM on July 26, 2009


Malwarebytes Malwarebytes Malwarebytes!

It really is a great program, and has been my go-to for things like this for the past year or so.
posted by The Michael The at 7:58 AM on July 26, 2009


Just start piling them on. Malwarebytes, SpywareTerminator, NOD32. If it's a rootkit, though, don't expect ANY of them to turn up anything at all.

http://www.antirootkit.com/software/index.htm
I'd start with Gmer.
posted by cyniczny at 8:08 AM on July 26, 2009


Response by poster: Thanks for the links, I'm currently running Malwarebytes to see if it turns up anything.

However, I'm really more interested in an analytical approach than on throwing a bunch of different scanners at the problem. There must be a way to tell windbg to show me the call stack at the moment the port was opened, for example - that's more the kind of information I'm currently interested in.
posted by dhoe at 8:24 AM on July 26, 2009


Try Process Explorer from Sysinternals.

1) Bring up Properties for the System process.
2) Switch to the TCP/IP tab.
3) Select a connection.
4) Hit the Stack button.

This should display the thread stack at the time the port was opened.
posted by shinybeast at 8:48 PM on July 26, 2009


Response by poster: Shinybeast, that doesn't work (by design) on Vista with the "System" process.
posted by dhoe at 10:59 PM on July 26, 2009


AFAIK if this is a standard rootkit, the only way to figure out if something's running is to export out your registry and then do a compare between the file-ized registry versus lookups of the actual registry - any discrepancies between the two indicate that something nasty is trying to pull the wool over your eyes by obfuscating registry entries - autostart etc. Check out SysInternals' RootkitRevealer to see what I mean.
posted by cyniczny at 8:27 AM on August 4, 2009

