This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Possible malware on network

1
1

Some Windows machine on our network is constantly broadcasting UDP packets to port numbers 10019 and 10007. It also constantly changes its source port number. This seems suspicious to me, although I can't find any information about malware having this behavior.

The content of the packets is always the same:

0000   f0 ff 00 00 12 00 00 00 00 00 00 00 00 00 00 00  ................
0010   37 34 2d 65 35 2d 30 62 2d 61 66 2d 65 66 2d 32  74-e5-0b-af-ef-2
0020   30 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  0...............
0030   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
0040   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
0050   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
0060   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
0070   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................

Any thoughts?

asked 02 Jun '12, 09:59

billybob
accept rate: 0%

Any updates on this one? I just saw this happen on one of my networks, and the only info I could find is this thread. I do not have physical access to that PC (guest laptop), but it looks highly suspicious.

(03 Jul '12, 06:08) docdocdoc9

Can you please post a full capture of the traffic on cloudshark.org?

(03 Jul '12, 06:26) Kurt Knochner ♦

Sure thing - http://www.cloudshark.org/captures/a7174265ab29 It broadcasts every second...

There is also a suspicious LAN scan mixed in, but I traced that back to McAfee (https://community.mcafee.com/thread/27750). The broadcasts seem to be unrelated.

(04 Jul '12, 02:37) docdocdoc9
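An added example, not code from the original thread: a Python script that parses the hex dump posted in the question into bytes, lists the printable field it carries, and then flags senders that broadcast to UDP 10007/10019 at a steady cadence from a changing source port, which is the pattern described in the question and in the capture comment above. The packet records (timestamps, source ports, the unrelated mDNS host) are constructed sample data; 192.168.8.192 is the sender address given later in this thread; the function names are mine, and reading the value at offset 4 as a length field is an assumption (0x12 = 18 equals the 17-character string plus a NUL).

```python
# Added example, not code from the original thread.
# 1) Parse a Wireshark-style hex dump into bytes and list the printable
#    fields it carries.  2) Over a list of packet records, flag senders that
#    broadcast to UDP 10007/10019 on a fixed cadence with a changing source
#    port.  Packet timestamps and ports below are constructed sample data.
import re
from collections import defaultdict

# The payload posted in the question (128 bytes).
HEXDUMP = """\
0000   f0 ff 00 00 12 00 00 00 00 00 00 00 00 00 00 00  ................
0010   37 34 2d 65 35 2d 30 62 2d 61 66 2d 65 66 2d 32  74-e5-0b-af-ef-2
0020   30 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  0...............
0030   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
0040   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
0050   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
0060   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
0070   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
"""

# Offset, then up to 16 single-space-separated hex bytes. The ASCII column
# that follows is separated by two spaces, so it is never matched as hex.
_LINE = re.compile(r"^([0-9a-fA-F]{4})\s+((?:[0-9a-fA-F]{2} ){0,15}[0-9a-fA-F]{2})")


def parse_hexdump(text):
    """Return the raw bytes of a hex dump; offsets must be contiguous."""
    out = bytearray()
    for line in text.splitlines():
        m = _LINE.match(line.strip())
        if not m:
            continue
        offset = int(m.group(1), 16)
        if offset != len(out):
            raise ValueError("offset %#06x does not follow %d bytes" % (offset, len(out)))
        out += bytes.fromhex(m.group(2).replace(" ", ""))
    return bytes(out)


def printable_strings(payload, min_len=4):
    """Runs of printable ASCII of at least min_len bytes (like `strings`)."""
    pat = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pat, payload)]


def describe(payload):
    """Small field view of the payload. Treating the u32 at offset 4 as a
    length field is an assumption; it happens to equal len(string) + 1."""
    return {
        "size": len(payload),
        "head": payload[:4].hex(),
        "u32_at_4": int.from_bytes(payload[4:8], "little"),
        "strings": printable_strings(payload),
    }


SUSPECT_PORTS = {10007, 10019}

# Constructed sample: (seconds, src_ip, src_port, dst_ip, dst_port).
# 192.168.8.192 is the sender named later in the thread; the timing, the
# source ports and the mDNS host are made up for this example.
SAMPLE_PACKETS = [
    (0.00, "192.168.8.192", 53172, "255.255.255.255", 10019),
    (0.00, "192.168.8.192", 53172, "255.255.255.255", 10007),
    (1.01, "192.168.8.192", 53173, "255.255.255.255", 10019),
    (1.01, "192.168.8.192", 53173, "255.255.255.255", 10007),
    (2.00, "192.168.8.192", 53174, "255.255.255.255", 10019),
    (2.00, "192.168.8.192", 53174, "255.255.255.255", 10007),
    (0.40, "192.168.8.10", 5353, "224.0.0.251", 5353),
    (1.70, "192.168.8.10", 5353, "224.0.0.251", 5353),
]


def periodic_broadcasters(packets, max_jitter=0.2, min_count=3):
    """Senders that broadcast to SUSPECT_PORTS at a stable interval.
    Returns {src_ip: {"period_s", "distinct_src_ports", "packets"}}."""
    by_src = defaultdict(list)
    for ts, sip, sport, dip, dport in packets:
        if dip == "255.255.255.255" and dport in SUSPECT_PORTS:
            by_src[sip].append((ts, sport))
    findings = {}
    for sip, events in by_src.items():
        times = sorted({ts for ts, _ in events})
        if len(times) < min_count:
            continue
        gaps = [b - a for a, b in zip(times, times[1:])]
        period = sum(gaps) / len(gaps)
        if all(abs(g - period) <= max_jitter for g in gaps):
            findings[sip] = {
                "period_s": round(period, 2),
                "distinct_src_ports": len({sp for _, sp in events}),
                "packets": len(events),
            }
    return findings


if __name__ == "__main__":
    payload = parse_hexdump(HEXDUMP)
    print(describe(payload))
    print(periodic_broadcasters(SAMPLE_PACKETS))
```

The detector keys on what the thread actually reports (broadcast destination, the two ports, a one-second cadence, a source port that changes each time) rather than on the payload bytes, so it would also catch the same behaviour from a host whose payload differs; the payload parser is what lets you compare the bytes between machines.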

5 Answers:

3

If I thought that kind of traffic was not to be expected as part of normal day-to-day operations, I would try to identify the machine first. You have the sending MAC address, so you can track it down by searching for it in the MAC address tables of your switches. You might find that it lives on a port with a lot of other MAC addresses, which usually means that it is coming in from another switch - which means you have to track it down on the next switch, and so on, until you find the definitive port. Then track the cabling to the PC that is connected at that port.

On the PC, run netstat -ano or netstat -anb in a command prompt window. Both tell you either the process ID of the program using the strange ports (which you can identify in the Task Manager or in Process Explorer) or even the name of the binary directly. From there, you should be able to tell what is happening, and whether the program is bad or not.

answered 02 Jun '12, 10:16

Jasper ♦♦
accept rate: 18%

I've tracked down the computer and ran the command you told me. However, I can't find the UDP port numbers listed in netstat. I think the best thing to do will be restoring a backup. Thanks for the help anyhow!

(02 Jun '12, 10:42) billybob

If it's UDP, you will only see a process in netstat if it does a listen on that port. You won't see a process that's just sending data via UDP. You could install Microsoft Network Monitor 3.4. It's comparable to Wireshark (with fewer/other features). Netmon will show the name and PID of the process that created the UDP packet. Maybe that helps to track down what is causing the broadcast traffic.

(02 Jun '12, 13:06) Kurt Knochner ♦
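An added example, not code from the original thread: the lookup Jasper's answer describes doing by hand (PID from netstat -ano, image name from the Task Manager) done in Python by joining the output of netstat -ano with tasklist /fo csv. Both command outputs are constructed samples with placeholder PIDs and image names; the function names are mine. It also shows the limitation from the comments above: a port is only listed for a socket that is bound when netstat runs, so a query for the suspect ports comes back empty here, just as billybob found.

```python
# Added example, not code from the original thread: join the PID column of
# `netstat -ano` with `tasklist /fo csv` to name the process behind a port.
# Both command outputs below are constructed samples; PIDs and image names
# are placeholders.
import csv
import io

NETSTAT_ANO = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       812
  TCP    192.168.8.192:49731    192.168.8.1:445        ESTABLISHED     4
  UDP    0.0.0.0:137            *:*                                    4
  UDP    0.0.0.0:5353           *:*                                    1300
  UDP    [::]:5353              *:*                                    1300
"""

TASKLIST_CSV = """\
"Image Name","PID","Session Name","Session#","Mem Usage"
"System","4","Services","0","1,234 K"
"svchost.exe","812","Services","0","9,876 K"
"example-agent.exe","1300","Services","0","3,210 K"
"""


def parse_netstat(text):
    """Rows of (proto, local_ip, local_port, state, pid) from `netstat -ano`.
    UDP rows carry no State column, so fields are read from both ends."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] not in ("TCP", "UDP"):
            continue
        proto, local, pid = parts[0], parts[1], int(parts[-1])
        state = parts[3] if len(parts) >= 5 else ""
        ip, port = local.rsplit(":", 1)   # also handles "[::]:5353"
        rows.append((proto, ip, int(port), state, pid))
    return rows


def parse_tasklist(text):
    """Map PID -> image name from `tasklist /fo csv`."""
    return {int(r["PID"]): r["Image Name"] for r in csv.DictReader(io.StringIO(text))}


def owners_of_ports(netstat_text, tasklist_text, ports, proto="UDP"):
    """{port: {(pid, image)}} for sockets bound to the given ports.

    Only sockets that are bound when netstat runs are listed. The suspect
    traffic is sent *to* 10007/10019 from a changing source port, so the
    sender is not bound to those ports locally, and a socket opened per
    packet is gone again before netstat looks; either way the query for
    the suspect ports returns nothing, which is the limitation Kurt's
    comment points out."""
    names = parse_tasklist(tasklist_text)
    found = {}
    for p, _ip, port, _state, pid in parse_netstat(netstat_text):
        if p == proto and port in ports:
            found.setdefault(port, set()).add((pid, names.get(pid, "<unknown>")))
    return found


if __name__ == "__main__":
    print(owners_of_ports(NETSTAT_ANO, TASKLIST_CSV, {10007, 10019}))  # {}
    print(owners_of_ports(NETSTAT_ANO, TASKLIST_CSV, {5353}))
```

On a real machine you would feed the script the saved output of both commands rather than the constructed samples; the netstat -anb variant prints the image name inline but needs an elevated prompt, which is why the join with tasklist is shown here.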

0

You could also look into a couple of SysInternals tools, Process Monitor and TCPView, which despite the name does handle UDP as well.

answered 03 Jun '12, 03:45

grahamb ♦
accept rate: 22%

0

I would also try looking at Wireshark output from another machine, maybe booting from a live CD, and see if there is any communication from that possibly infected PC.

answered 03 Jun '12, 13:19

pluribus
accept rate: 0%

0

Sure thing - http://www.cloudshark.org/captures/a7174265ab29 It broadcasts every second...

I believe this could be the Steam Network client (a games network). I found several hints about very similar behaviour.

http://community.norton.com/t5/Norton-Internet-Security-Norton/Steam-games-setting-off-NIS-2009-Intrusion-Prevention-system/td-p/93317
http://community.norton.com/t5/Norton-360/Left-4-Dead-Portscan/m-p/93102

Logs from a Team Fortress 2 log server:

www.tf2logs.com/logs/6815/logfile

L 12/05/2011 - 19:30:26: "Susan Kelley<8><STEAM_0:0:39787289><>" connected, address "255.255.255.255:10019"

Please check if the Steam client is installed on the computer (192.168.8.192) that is sending those packets.

Search the disk for steam.exe and/or steam.dll.

Regards
Kurt

answered 04 Jul '12, 10:22

Kurt Knochner ♦
accept rate: 15%

edited 04 Jul '12, 10:22

0

Hello,

I found the following:

(on a Dell Inspiron PC, Windows 7 64-bit)

The process C:\Program Files (x86)\Dell\Stage Remote\StageRemoteService.exe is the one responsible for sending those UDP frames to ports 10007 and 10019 every second.

This process is part of the program "Dell Stage Remote" (by ArcSoft).

More info about it (in French): http://content.dell.com/fr/fr/corp/d/press-releases/2011-07-27-nouvelle-version-de-stage

I do not need it, and I could not find how to turn it off in the Windows services manager, so I disabled it with the following workaround:

rename file C:\Program Files (x86)\Dell\Stage Remote\StageRemoteService.exe C:\Program Files (x86)\Dell\Stage Remote\StageRemoteService-DoNotRun.exe

answered 05 Nov '12, 03:06

bcat
accept rate: 0%

Dell Stage Remote is a music/video streaming software.

http://www.arcsoft.com/intouch/dellstageremote/index.asp?languageCode2=EN

(05 Nov '12, 04:24) Kurt Knochner ♦