Tracking spyware and probes

In this issue, I’d like to share with you a recent exchange I had with a friend of mine whose system seems to have been infected with spyware. Hopefully, this case study will help you when you examine your own systems.

My original response contained all the names and phone numbers - but in the text below I am suppressing the details to avoid causing problems for the system administrators of the site the software is trying to reach.

My friend wrote:

"Zone Alarm has been sending me the following message approximately 25 times a day: ‘The firewall has blocked Internet access to xxx.10.106.149 (NetBIOS Datagram) from your computer.’"

And this is my response:

Yes, it certainly sounds like there is software on your system that is trying to communicate with xxx.10.106.149.

According to the "Computer Desktop Encyclopedia" (1999, The Computer Language Co. Inc.), NetBIOS is "the native networking protocol in DOS and Windows networks. Although originally combined with its transport layer protocol (NetBEUI), NetBIOS today provides a programming interface for applications at the session layer (Layer 5). NetBIOS can ride over NetBEUI, its native transport, which is not routable, or over TCP/IP and SPX/IPX, which are routable protocols. NetBIOS computers are identified by a unique 15-character name, and Windows machines (NetBIOS machines) periodically broadcast their names over the network so that Network Neighborhood can catalog them. For TCP/IP networks, NetBIOS names are turned into IP addresses via manual configuration in an LMHOSTS file or a WINS server."

Why your system should be attempting name resolution by sending data to an IP address outside your little home network is a mystery to me.

[My friend had retrieved the name of the site corresponding to the IP address; I went a step further and used Sam Spade 1.14 -- available free from http://www.samspade.org/ssw/ -- to run an IP block lookup and get the contact information for the site coordinator. In this section of my response, I encouraged my friend to call the coordinator at once to discuss this matter without being hostile, as the site administrators may be completely unaware of the scans and be victims of criminal hackers. I passed along the registrant information from the WHOIS database and encouraged my friend to contact the registrant as well.]

Be sure that your firewall has enabled logging, and send the company a copy of some of the log records showing the attempted outbound data transfer.

You might also want to contact your firewall technical support for additional ideas on how to figure out this peculiar behavior.

You asked, "Should I be concerned that this organization is trying to obtain information from my computers without my knowledge for undisclosed purposes?"

Yes, in principle. This could be "spyware" as described in detail on Steve Gibson's site. Visit http://grc.com/optout.htm to read about spyware. Such software can be installed without your permission when you download various utilities, such as cute cursors for kids. Other, non-spyware software can also periodically attempt to update itself; for example, the Windows 98 Update feature checks an address at Microsoft every five minutes once you enable it (and you can't turn it off without uninstalling it). Is it possible that you have installed software from the company involved and don't remember? All the more reason to find out what the company does or provides.

You also asked, "Is there any way that I can find and remove the file that is generating this NetBIOS command?"

Yes, Steve Gibson's "optout" software (a "parasite sweeper") will locate and help you remove software that initiates outbound communications without your permission. The software is available for download free at:

http://grc.com/optout.htm

The file will download immediately and needs no unpacking. You can put it in a folder such as "C:\Program Files\GRC" to keep your directories organized.

"Should I permanently close access to the port (138) that is being used for this operation and if so, how?"

Yes, there is no harm in setting a rule for your firewall that precludes all communications with xxx.10.106.149. If your needs change later, you can always remove the rule.

"So far, my physical and virtual barriers are blocking its exit, so it is not a serious worry. Nonetheless, I would rather that access to my system be as restricted as possible."

I agree. I receive hostile probes several times a day from a variety of IP addresses, probably originating in automated scanners looking for hosts to infect with distributed denial-of-service "zombie" programs. These are trying to initiate inbound connections. When my system is probed, I routinely close all future access to the particular IP address for all services/ports and enable logging to track future events involving that IP address. The log file records can be useful if an ISP needs them to identify which user was initiating the probes at a particular time.
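The log review suggested above (keeping firewall logging on, sending the site a copy of the records, and tracking per-address events) can be automated. The following is an added example, not part of the original column or of any firewall vendor's tooling: it parses a constructed, ZoneAlarm-like log format (the layout, the FWIN/FWOUT markers and all addresses are assumptions) and reports remote hosts that receive repeated blocked outbound datagrams on one day, plus the sources of blocked inbound probes.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample log (not real data): one local host repeatedly blocked
# sending NetBIOS datagrams (UDP 138) to a single remote address, plus one
# blocked inbound probe. Addresses are documentation-range placeholders.
SAMPLE_LOG = """\
2001-03-05 08:02:11 FWOUT 192.168.1.10:138 -> 203.0.113.149:138 UDP
2001-03-05 08:31:40 FWOUT 192.168.1.10:138 -> 203.0.113.149:138 UDP
2001-03-05 09:00:05 FWOUT 192.168.1.10:138 -> 203.0.113.149:138 UDP
2001-03-05 13:15:22 FWIN 198.51.100.7:4021 -> 192.168.1.10:27374 TCP
2001-03-05 22:47:59 FWOUT 192.168.1.10:138 -> 203.0.113.149:138 UDP
2001-03-06 07:55:13 FWOUT 192.168.1.10:138 -> 203.0.113.149:138 UDP
"""

# Assumed line layout; adapt the pattern to the firewall's real log format.
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<dir>FWIN|FWOUT) (?P<src>[\d.]+):(?P<sport>\d+)"
    r" -> (?P<dst>[\d.]+):(?P<dport>\d+) (?P<proto>\w+)$"
)

def parse_line(line):
    """Parse one block record; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%d %H:%M:%S")
    rec["sport"], rec["dport"] = int(rec["sport"]), int(rec["dport"])
    return rec

def outbound_beacons(log_text, min_per_day=3):
    """(remote IP, remote port, day) -> count of blocked outbound attempts,
    keeping only days at or above min_per_day. Repeated blocked outbound
    traffic to one host is the symptom the column describes."""
    counts = Counter()
    for rec in filter(None, map(parse_line, log_text.splitlines())):
        if rec["dir"] == "FWOUT":
            counts[(rec["dst"], rec["dport"], rec["ts"].date().isoformat())] += 1
    return {k: n for k, n in counts.items() if n >= min_per_day}

def inbound_probe_sources(log_text):
    """Remote IP -> sorted local ports it probed (blocked inbound records)."""
    ports = defaultdict(set)
    for rec in filter(None, map(parse_line, log_text.splitlines())):
        if rec["dir"] == "FWIN":
            ports[rec["src"]].add(rec["dport"])
    return {ip: sorted(p) for ip, p in ports.items()}
```

Running `outbound_beacons(SAMPLE_LOG)` on the constructed log reports four blocked attempts to 203.0.113.149 port 138 on 2001-03-05 (the single attempt on 2001-03-06 falls below the threshold), which is the kind of summary worth forwarding to the remote site's contact or your ISP.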

This story, "Tracking spyware and probes" was originally published by Network World.
