February 27, 2001, 11:21 AM — In this issue, I'd like to share with you a recent exchange I had with a friend of mine whose system seems to have been infected with spyware. Hopefully, this case study will help you when you examine your own systems.
My original response contained all the names and phone numbers - but in the text below I am suppressing the details to avoid causing problems for the system administrators of the site the software is trying to reach.
My friend wrote:
"Zone Alarm has been sending me the following message approximately 25 times a day: The firewall has blocked Internet access to xxx.10.106.149 (NetBIOS Datagram) from your computer."
And this is my response:
Yes, it certainly sounds like there is software on your system that is trying to communicate with xxx.10.106.149.
According to the "Computer Desktop Encyclopedia" (1999, The Computer Language Co. Inc.), NetBIOS is "the native networking protocol in DOS and Windows networks. Although originally combined with its transport layer protocol (NetBEUI), NetBIOS today provides a programming interface for applications at the session layer (Layer 5). NetBIOS can ride over NetBEUI, its native transport, which is not routable, or over TCP/IP and SPX/IPX, which are routable protocols. NetBIOS computers are identified by a unique 15-character name, and Windows machines (NetBIOS machines) periodically broadcast their names over the network so that Network Neighborhood can catalog them. For TCP/IP networks, NetBIOS names are turned into IP addresses via manual configuration in an LMHOSTS file or a WINS server."
Why your system should be attempting name resolution by sending data to an IP address outside your little home network is a mystery to me.
[My friend had retrieved the name of the site corresponding to the IP address; I went a step further and used Sam Spade 1.14 -- available free from http://www.samspade.org/ssw/ -- to run an IP block lookup and get the contact information for the site coordinator. In this section of my response, I encouraged my friend to call the coordinator at once to discuss this matter without being hostile, as the site administrators may be completely unaware of the scans and be victims of criminal hackers. I passed along the registrant information from the WHOIS database and encouraged my friend to contact the registrant as well.]
Be sure that your firewall has logging enabled, and send the company a copy of some of the log records showing the attempted outbound data transfer.
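As an added example, not from the original column or its author, here is a short Python script that does the log-review step just described: it reads personal-firewall log records, keeps only blocked outbound packets to the NetBIOS ports (137, 138, 139) whose destination lies outside the home network, and tallies them per destination and per day so the counts can be attached to a message to the site's administrator. The comma-separated record layout is an assumption modelled loosely on the ZoneAlarm text log of the period; the sample log lines, the 192.168.0.0/24 home network and the 203.0.113.149 destination (a documentation address standing in for the article's xxx.10.106.149) are all constructed for the example.

```python
"""Summarise blocked outbound NetBIOS traffic from personal-firewall log lines.

Constructed example: the record layout (direction, date, time, source ip:port,
destination ip:port, protocol) is an assumption; adjust parse_line() for the
format your own firewall writes.
"""
import ipaddress
from collections import Counter, defaultdict

# NetBIOS-over-TCP/IP well-known ports (RFC 1001/1002).
NETBIOS_PORTS = {137: "NetBIOS Name Service",
                 138: "NetBIOS Datagram",
                 139: "NetBIOS Session"}

# Assumed home network; NetBIOS broadcasts to 192.168.0.255 are expected here.
LOCAL_NETS = (ipaddress.ip_network("192.168.0.0/24"),)

# Constructed sample log lines (203.0.113.149 is a placeholder destination).
SAMPLE_LOG = """\
FWOUT,2001/02/26,08:02:11,192.168.0.2:138,203.0.113.149:138,UDP
FWOUT,2001/02/26,09:15:40,192.168.0.2:138,203.0.113.149:138,UDP
FWIN,2001/02/26,09:16:02,203.0.113.7:1434,192.168.0.2:1433,TCP (flags:S)
FWOUT,2001/02/26,11:30:05,192.168.0.2:138,192.168.0.255:138,UDP
FWOUT,2001/02/27,07:58:59,192.168.0.2:138,203.0.113.149:138,UDP
FWOUT,2001/02/27,12:41:17,192.168.0.2:1027,203.0.113.149:80,TCP (flags:S)
"""


def parse_line(line):
    """Return a dict for one log record, or None for blank or malformed lines."""
    parts = line.strip().split(",")
    if len(parts) < 6:
        return None
    direction, date, time_, src, dst, proto = parts[:6]
    try:
        src_ip, src_port = src.rsplit(":", 1)
        dst_ip, dst_port = dst.rsplit(":", 1)
        return {
            "direction": direction,
            "date": date,
            "time": time_,
            "src_ip": ipaddress.ip_address(src_ip),
            "src_port": int(src_port),
            "dst_ip": ipaddress.ip_address(dst_ip),
            "dst_port": int(dst_port),
            "proto": proto.split(" ", 1)[0],  # drop "(flags:S)" style suffixes
        }
    except ValueError:
        return None


def is_local(addr, local_nets=LOCAL_NETS):
    """True if addr (including the subnet broadcast) belongs to the home network."""
    return any(addr in net for net in local_nets)


def suspicious_outbound(log_text, local_nets=LOCAL_NETS):
    """Blocked outbound NetBIOS records whose destination is outside the LAN.

    NetBIOS name and datagram traffic normally stays on the local network
    (broadcasts or a local WINS server), so an outbound packet to an outside
    address is exactly the behaviour the firewall in the article reported.
    """
    hits = []
    for rec in map(parse_line, log_text.splitlines()):
        if rec is None or rec["direction"] != "FWOUT":
            continue
        if rec["dst_port"] not in NETBIOS_PORTS:
            continue
        if is_local(rec["dst_ip"], local_nets):
            continue
        hits.append(rec)
    return hits


def summarise(log_text, local_nets=LOCAL_NETS):
    """Tally suspicious records per destination: total, service name, counts per day."""
    summary = defaultdict(lambda: {"total": 0, "service": None, "per_day": Counter()})
    for rec in suspicious_outbound(log_text, local_nets):
        entry = summary[str(rec["dst_ip"])]
        entry["total"] += 1
        entry["service"] = NETBIOS_PORTS[rec["dst_port"]]
        entry["per_day"][rec["date"]] += 1
    return dict(summary)


def report(log_text, local_nets=LOCAL_NETS):
    """Plain-text summary suitable for sending to the destination's administrator."""
    lines = []
    for dst, entry in sorted(summarise(log_text, local_nets).items()):
        lines.append(f"{dst}: {entry['total']} blocked outbound {entry['service']} packets")
        for date, n in sorted(entry["per_day"].items()):
            lines.append(f"  {date}: {n}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```

Inbound records, traffic to non-NetBIOS ports and the local subnet broadcast are all filtered out, so the report lists only the repeated outbound datagrams to the one outside host, which is the evidence the firewall log needs to show.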
You might also want to contact your firewall technical support for additional ideas on how to figure out this peculiar behavior.