Spurious NBNS traffic
July 26, 2009 5:51 AM Subscribe
There's probably a virus on my laptop, how can I identify it?
I noticed in Vista's perfmon that there is traffic originating from the "System" process even while no processes with net access were running.
In Wireshark I see lots of reverse DNS lookups and NBNS traffic. The NBNS seems to only send "NBTSTAT *", which seems to be a test on the NBNS services of other machines. Destination is port 137 of about 30 different IP addresses over a 5-minute period. The IP addresses are all over the world: Russia, Argentina, Japan, etc.
This is a Vista SP1 with all updates, AVG does not detect anything, F-Secure Blacklight neither.
I turned off Netbios in the TCP properties, and the traffic stopped completely.
Any ideas of what this could be? I'm also interested in how you would troubleshoot this assuming that no automatic tool can detect it - I've got my copy of Windows Internals beside me and windbg installed, but don't really know what to look for.
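One way to work on the packet capture analytically rather than with a scanner: decode the NBNS question in each UDP/137 datagram and flag a host that sends the NBSTAT wildcard query ("NBTSTAT *", name "*") to many distinct off-LAN addresses inside a short window, which is the pattern described in the question. This is an added example, not code from the thread; it assumes the local subnet is 192.168.1.0/24 and runs over constructed packets rather than a live capture.

```python
import struct
from collections import defaultdict
from ipaddress import ip_address, ip_network

NBSTAT, NB = 0x21, 0x20        # node-status query ("NBTSTAT *") vs. plain name query
LAN = [ip_network("192.168.1.0/24")]   # assumed local subnet; NBSTAT inside it is normal

def encode_nb_name(name: str, suffix: int = 0x00) -> bytes:
    """RFC 1001 first-level encoding: 16 raw bytes -> 32 chars in 'A'..'P'."""
    raw = b"*" + b"\x00" * 15 if name == "*" else \
        name.encode("latin-1").ljust(15)[:15] + bytes([suffix])
    return bytes(0x41 + n for b in raw for n in (b >> 4, b & 0x0F))

def decode_nb_name(encoded: bytes) -> str:
    raw = bytes(((encoded[i] - 0x41) << 4) | (encoded[i + 1] - 0x41)
                for i in range(0, 32, 2))
    return raw[:15].rstrip(b" \x00").decode("latin-1")

def build_nbns_query(txid: int, name: str = "*", qtype: int = NBSTAT) -> bytes:
    header = struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0)   # flags 0, QDCOUNT 1
    return header + b"\x20" + encode_nb_name(name) + b"\x00" + struct.pack("!HH", qtype, 1)

def parse_nbns_question(payload: bytes):
    """(decoded name, qtype) of the first question, or None if not NBNS-shaped."""
    if len(payload) < 50 or payload[12] != 0x20 or payload[45] != 0 \
            or struct.unpack("!H", payload[4:6])[0] == 0:
        return None
    return decode_nb_name(payload[13:45]), struct.unpack("!H", payload[46:48])[0]

def find_nbstat_scanners(packets, window=300.0, min_targets=10, local_nets=LAN):
    """packets: (time, src, dst, dport, payload). Returns {src: peak count of distinct
    off-LAN hosts probed with NBSTAT '*' within any `window` seconds}."""
    events = defaultdict(list)
    for t, src, dst, dport, payload in packets:
        if dport != 137 or any(ip_address(dst) in n for n in local_nets):
            continue
        if parse_nbns_question(payload) == ("*", NBSTAT):
            events[src].append((t, dst))
    flagged = {}
    for src, ev in events.items():
        ev.sort()
        peak = max(len({d for t, d in ev[i:] if t - t0 <= window})
                   for i, (t0, _) in enumerate(ev))
        if peak >= min_targets:
            flagged[src] = peak
    return flagged

# Constructed traffic shaped like the question: 30 NBSTAT probes to 30 off-LAN hosts
# (203.0.113.0/24 is a documentation range) in five minutes, plus two benign packets.
SAMPLE = [(i * 10.0, "192.168.1.7", f"203.0.113.{i + 1}", 137, build_nbns_query(0x8000 + i))
          for i in range(30)]
SAMPLE += [(3.0, "192.168.1.7", "192.168.1.255", 137, build_nbns_query(1)),             # LAN broadcast
           (4.0, "192.168.1.7", "198.51.100.9", 137, build_nbns_query(2, "FILESRV", NB))]  # plain lookup
```

Feeding real capture data only needs the five-tuple per UDP datagram (for example exported from Wireshark or read with a pcap library); the LAN broadcast and the plain name lookup are ignored, while the host that probed 30 foreign addresses is returned with that count.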
You really should try Malwarebytes. It's saved me from a few nasty processes that were otherwise a nightmare to remove by hand.
Also, it's free!
posted by jtoth at 7:07 AM on July 26, 2009
Malwarebytes Malwarebytes Malwarebytes!
It really is a great program, and has been my go-to for things like this for the past year or so.
posted by The Michael The at 7:58 AM on July 26, 2009
Just start piling them on. Malwarebytes, SpywareTerminator, NOD32. If it's a rootkit, though, don't expect ANY of them to turn up anything at all.
http://www.antirootkit.com/software/index.htm
I'd start with Gmer.
posted by cyniczny at 8:08 AM on July 26, 2009
Response by poster: Thanks for the links, I'm currently running Malwarebytes to see if it turns up anything.
However, I'm really more interested in an analytical approach than on throwing a bunch of different scanners at the problem. There must be a way to tell windbg to show me the call stack at the moment the port was opened, for example - that's more the kind of information I'm currently interested in.
posted by dhoe at 8:24 AM on July 26, 2009
Try Process Explorer from Sysinternals.
1) Bring up Properties for the System process.
2) Switch to the TCP/IP tab.
3) Select a connection.
4) Hit the Stack button.
This should display the thread stack at the time the port was opened.
posted by shinybeast at 8:48 PM on July 26, 2009
Response by poster: Shinybeast, that doesn't work (by design) on Vista with the "System" process.
posted by dhoe at 10:59 PM on July 26, 2009
AFAIK if this is a standard rootkit, the only way to figure out if something's running is to export out your registry and then do a compare between the file-ized registry versus lookups of the actual registry - any discrepancies between the two indicate that something nasty is trying to pull the wool over your eyes by obfuscating registry entries - autostart etc. Check out SysInternals' RootkitRevealer to see what I mean.
posted by cyniczny at 8:27 AM on August 4, 2009
It's not an automatic tool, but if you submit it to forums at Bleeping Computer (http://www.bleepingcomputer.com/forums/forum22.html), someone there can help with the analysis. Also, there are some HijackThis automated analyzers at, say, http://hjt.networktechs.com/, which can be a first cut, but if you suspect something real, then it's best to have a human take a look.
posted by chengjih at 6:54 AM on July 26, 2009