Bot activity IRC.Foonet.com assistance required

Networking/Security Forums -> Viruses // Worms

Author: monolith, Location: OZ, Posted: Thu Oct 23, 2008 2:23 pm, Post subject: Bot activity IRC.Foonet.com assistance required
    ----
Greetings everyone

@mods please move post to relevant topic if required

I have stumbled upon some suspicious network activity on a workstation on my Home network.

Unfortunately it is undetectable by many apps:
NOD32 [with latest updates]
Spybot [latest updates]
Hijack this
sysinternals/MS rootkit detection

Here it goes:

The PC does not contain any viruses or malware, as scans have come up negative using both NOD32 and Spybot, both with the latest definitions.

With further investigation using both tcpview and procexp [both Sysinternals products], it showed the originator to be an svchost.exe process frequently randomizing the port across all available ranges, e.g. 1971, 1972, 1973, 555, 556, using the UDP protocol.

TCPView reports the remote address as gimmejizz.com:1311. When I first stumbled upon this it would stay a constant connection, but it has since changed to established/disc/syn_sent/established. This was after force-terminating the process and, along with it, the connection. It would not execute the process/connection again until 1-2 hrs later.

Have also found that as soon as the process starts, another svchost.exe intermittently executes but makes no external connection from what I can see.

As soon as all traffic is blocked by the software-based host firewall, no more external connection attempts are displayed in either TCPView or Wireshark.

Unable to determine what is calling the svchost process at this stage.

4987 *REF* cogbox.lan gimmejizz.com TCP cplscrambler-in > rxmon [PSH, ACK] Seq=177 Ack=199 Win=65315 Len=22

0000 00 90 d0 1b dc 95 00 1d 7d 03 a9 3e 08 00 45 00 ........}..>..E.
0010 00 3e ee d4 40 00 80 06 9a d9 c0 a8 01 41 55 11 .>..@........AU.
0020 5a 11 04 3f 05 1f d2 94 e1 af 02 fb ef 96 50 18 Z..?..........P.
0030 ff 23 1d b4 00 00 50 4f 4e 47 20 3a 69 72 63 2e .#....PONG :irc.
0040 66 6f 6f 6e 65 74 2e 63 6f 6d 0d 0a foonet.com..

TCP stream:
PING :irc.foonet.com
PONG :irc.foonet.com
PING :irc.foonet.com
PONG :irc.foonet.com
PING :irc.foonet.com
PONG :irc.foonet.com
PING :irc.foonet.com
PONG :irc.foonet.com
PING :irc.foonet.com
PONG :irc.foonet.com
PING :irc.foonet.com
PONG :irc.foonet.com
PING :irc.foonet.com
PONG :irc.foonet.com
PING :irc.foonet.com
PONG :irc.foonet.com
PING :irc.foonet.com
PONG :irc.foonet.com
PING :irc.foonet.com
PONG :irc.foonet.com

Further investigation showed external connections to jizzshow.com with randomizing ports [ns2.everydns.net.] >>>>>fiona.everybox.com
Possibly this netblock has been hijacked.

If someone is able to assist that would be great; I would like to be able to learn more about this type of subject.

Monolith[COG]
Australia
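
An added example, not part of the original thread, showing what a defender can do with a capture like the one quoted above: rebuild the frame from the Wireshark hex dump, walk the Ethernet/IPv4/TCP headers, and flag IRC protocol commands (PING/PONG/NICK/JOIN...) on a port where IRC is not expected, which is exactly the pattern monolith's PONG to irc.foonet.com over TCP 1311 shows. The "expected IRC ports" set and the command list are assumptions chosen for the example.

```python
import re
import struct

# Constructed sample: the Wireshark hex dump quoted in the post above
# (a PONG keepalive from the workstation to gimmejizz.com on TCP port 1311).
SAMPLE_DUMP = """\
0000 00 90 d0 1b dc 95 00 1d 7d 03 a9 3e 08 00 45 00 ........}..>..E.
0010 00 3e ee d4 40 00 80 06 9a d9 c0 a8 01 41 55 11 .>..@........AU.
0020 5a 11 04 3f 05 1f d2 94 e1 af 02 fb ef 96 50 18 Z..?..........P.
0030 ff 23 1d b4 00 00 50 4f 4e 47 20 3a 69 72 63 2e .#....PONG :irc.
0040 66 6f 6f 6e 65 74 2e 63 6f 6d 0d 0a foonet.com..
"""
IRC_PORTS = {6667, 6697}  # assumption: ports where IRC traffic is expected
IRC_CMDS = re.compile(rb"^(PING|PONG|NICK|USER|JOIN|PRIVMSG)[ :]", re.M)
HEX_LINE = re.compile(r"^[0-9a-f]{4}\s+((?:[0-9a-f]{2}\s+){1,16})", re.I)  # offset + up to 16 pairs

def parse_hexdump(text):
    """Rebuild raw frame bytes from a Wireshark 'offset  hex  ascii' dump (ASCII column ignored)."""
    out = bytearray()
    for line in text.splitlines():
        m = HEX_LINE.match(line)
        if m:
            out.extend(int(h, 16) for h in m.group(1).split())
    return bytes(out)

def decode_tcp(frame):
    """Walk Ethernet -> IPv4 -> TCP; return (src, sport, dst, dport, payload) or None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None  # not IPv4
    ip = frame[14:]
    ihl, total_len = (ip[0] & 0x0F) * 4, struct.unpack("!H", ip[2:4])[0]
    if ip[9] != 6:
        return None  # not TCP
    src, dst = ".".join(map(str, ip[12:16])), ".".join(map(str, ip[16:20]))
    sport, dport = struct.unpack("!HH", ip[ihl:ihl + 4])
    doff = (ip[ihl + 12] >> 4) * 4  # TCP header length from the data offset field
    return src, sport, dst, dport, ip[ihl + doff:total_len]  # total_len drops Ethernet padding

def classify(frame):
    """Flag IRC commands carried on a port where IRC is not expected (likely bot C2 keepalive)."""
    hdr = decode_tcp(frame)
    if hdr is None:
        return None
    src, sport, dst, dport, payload = hdr
    m = IRC_CMDS.search(payload)
    if m is None:
        return None
    return {"src": src, "dst": dst, "dport": dport, "cmd": m.group(1).decode(),
            "text": payload.decode("ascii", "replace").strip(),
            "suspicious": sport not in IRC_PORTS and dport not in IRC_PORTS}
```

Running `classify(parse_hexdump(SAMPLE_DUMP))` on the quoted dump yields a PONG to 85.17.90.17 on port 1311 marked suspicious; the same check run over a live capture would catch the whole PING/PONG stream regardless of which port the controller picks.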

Author: ryansutton, Location: San Francisco, California, Posted: Thu Oct 23, 2008 8:16 pm
    ----
It looks like you are infected.

Visit our anti-malware forums for help:
http://www.security-forums.com/viewforum.php?f=48

Author: malwaresupport, Posted: Wed Apr 01, 2009 5:52 pm, Post subject: Perfect Remedy
    ----
Hello, if you are infected by a bot you should consider downloading the Norton Internet Security 2009 trial and running a full scan. This, in my expert opinion, should remove ALL bots and other infections from your computer.

Email me if you require assistance: malwaresupport@hotmail.com

Author: ryansutton, Location: San Francisco, California, Posted: Wed Apr 01, 2009 6:56 pm
    ----
Have they improved Norton at all with their 2009 version? I have tried most versions pre-2009 and they were all pigs when it came to eating resources. I also found them to be buggy, i.e. certain things would not work properly even if I disabled the feature in Norton; they would not work properly until I uninstalled Norton.

I've had nothing but bad experiences with Norton.


