This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

How can I determine if ip is compromised?

0

I recently installed Wireshark on my computer after having a major security breach. I have run several scans on my computer including Malwarebytes, Superantispyware, CC cleaner, adw cleaner, McAfee Life save, and windows defender. Still, when I open Wireshark, it would appear there is still an exchange of packets with ip address all over the USA and a couple in Hong Kong (found via iplocation.net). I looked up some of these iPs on mxtoolbox.com, and none were blacklisted, so that is somewhat reassuring. Still, I wonder if this traffic is malicious or not? Is there any surefire way to tell? Is there someone I can trust to share the captured packet exchange with?

asked 08 Nov '16, 22:29

bmgguy
accept rate: 0%


2 Answers:

2

If you had a "major security breach" you should consider reinstalling your workstation / server from scratch. If the attacker had administrative rights on your computer, it is very hard to identify all the activities on the computer.

Installing Wireshark on a compromised system is often useless: Several malware families will change their behavior when they see signs of an ongoing analysis. They will detect and react to software like Wireshark or Sysinternals tools.

Running Malwarebytes or antivirus will not really help: Many malware families have the ability to download and run additional programs. Regular malware / crimeware that is found in any spam honeypot can evade a virus scanner for a week, sometimes longer.

A serious attacker will store malware outside of the Windows file systems. Typical candidates are the Master Boot Record, unpartitioned areas of the hard disk or even the BIOS. The somewhat outdated TDL4 or the more recent LightEater are two of the more elaborate programs.

As far as the traffic is concerned, this can be part of routine traffic. All Windows systems pull down patches, query the status of SSL certificates or update virus patterns. Your application mix might add extra packets. Messaging applications like Skype are known to send packets to a surprisingly large number of seemingly random destination IP addresses.

A full analysis would be a major consulting job. Again: The best advice is to reinstall the system from scratch.

Good hunting

answered 09 Nov '16, 09:31

packethunter
accept rate: 8%

Thanks packethunter

This is just a personal PC we are talking about. I was thinking about running a full factory reset to give me peace of mind. Is this what you mean by a re-install?

(09 Nov '16, 10:41) bmgguy
2

Full factory reset of a notebook PC actually means a re-install from some hidden installation partition; the question is whether it is hidden enough that the malware couldn't find and infect it.

So if you cannot install the OS from an external R/O media, the "full factory reset" may not be a guarantee that you get rid of the infection.

(09 Nov '16, 13:22) sindy
1

Sindy hit the nail right on the head. You want to use a CD-ROM/DVD or other read-only media. Or a recovery image that was created before the infection.

(09 Nov '16, 13:58) packethunter

I have the full system reset going atm. Does this not wipe the entire hard drive and build up again from scratch? I think this may wipe any recovery save on the computer's recovery disk. Thankfully I have the system backed up a few months prior to the incident on an external hard drive. Do you suggest I restore the system from the external hard drive? Should I contact Microsoft and ask them to send me a read-only version of the OS?

Another idea I had was upgrading to Windows 10 once the system reset is complete. The default OS for this machine is Windows 8, which is less than desirable. Not sure how this upgrade might impact things.

Also meant to add this is not a notebook PC. This is an HP all-in-one desktop.

(09 Nov '16, 14:34) bmgguy
1

this is not a notebook PC. This is an HP all-in-one desktop

It is not important what the hardware looks like mechanically. It is important whether the media on which the image used for the "full factory reset" is stored were connected to the machine while the malware was active, which is the case for most contemporary workstations which are shipped pre-installed, and whether the embedded recovery media are write-protected enough that the malware could not bypass that write-protection. The hardware vendor should be able to give you details about this (but they may use a pink filter) and, more importantly, tell you how to check the integrity of the image if you boot from external R/O media. Any such check performed while booted from the compromised media may be "improved" by the malware.

If you have made a recovery image yourself on some RW media (an external USB HDD as an example) prior to getting infected, the key to success is that those media would have never been connected to the machine after it got infected. So to use that image for recovery, you need to boot from R/O media first, otherwise the malware will activate at boot, survive in RAM and infect both the recovered system and the recovery image.

(10 Nov '16, 01:53) sindy

Thanks all for your help. Just to give the story a somewhat happy ending: I took the computer to a local Best Buy (computer store) and they wiped the hard drive and reloaded the OS from one of their many USBs. Should be good to go now, I would think.

Wireshark has been an informative tool and I plan to use it from time to time again

(10 Nov '16, 13:53) bmgguy

1

Try to write down these suspected IPs and then use the Sysinternals TCPView or Procmon utility to figure out what exact Windows process is initiating them. Also you can look through these flows ("Follow TCP/UDP Stream" feature) to spot whether there is any clear-text data inside them.

answered 09 Nov '16, 00:42

Packet_vlad
accept rate: 20%

edited 09 Nov '16, 00:43

Thanks for the response.

I installed TCPView, and it was somewhat helpful. I don't see any illicit remote addresses that have established communications with my pc.

So the final question is: is it normal to have a little bit of 'data' (~1% of packets) in the protocol hierarchy under each of TCP, IPv4, TCP? When I filter for the 'data' from the hierarchy, none of the communications appear illicit. Occasionally there is some kind of packet with [TCP Keep-Alive] in it. Otherwise, it just seems to be exchanges between my computer and my ISP. Some of the YouTube videos I watched on Wireshark were saying that seeing this 'data' under the protocol hierarchy is bad, but perhaps just seeing a lot of it, like >5% of packets perhaps, is a sign for concern?

Thanks again

(09 Nov '16, 10:26) bmgguy