Malware - Technical analysis
- by nullptr
Note: Please do not mod down or close. I'm not a stupid PC user asking to fix my PC problem. I am intrigued and am having a deep technical look at what's going on.
I have come across a Windows XP machine that is sending unwanted p2p traffic.
I have done a 'netstat -b' command and explorer.exe is sending out the traffic. When I kill this process the traffic stops and obviously Windows Explorer dies.
Here is the header of the stream from the Wireshark dump (x.x.x.x is the machine's IP).
GNUTELLA CONNECT/0.6
Listen-IP: x.x.x.x:8059
Remote-IP: 76.164.224.103
User-Agent: LimeWire/5.3.6
X-Requeries: false
X-Ultrapeer: True
X-Degree: 32
X-Query-Routing: 0.1
X-Ultrapeer-Query-Routing: 0.1
X-Max-TTL: 3
X-Dynamic-Querying: 0.1
X-Locale-Pref: en
GGEP: 0.5
Bye-Packet: 0.1
GNUTELLA/0.6 200 OK
Pong-Caching: 0.1
X-Ultrapeer-Needed: false
Accept-Encoding: deflate
X-Requeries: false
X-Locale-Pref: en
X-Guess: 0.1
X-Max-TTL: 3
Vendor-Message: 0.2
X-Ultrapeer-Query-Routing: 0.1
X-Query-Routing: 0.1
Listen-IP: 76.164.224.103:15649
X-Ext-Probes: 0.1
Remote-IP: x.x.x.x
GGEP: 0.5
X-Dynamic-Querying: 0.1
X-Degree: 32
User-Agent: LimeWire/4.18.7
X-Ultrapeer: True
X-Try-Ultrapeers: 121.54.32.36:3279,173.19.233.80:3714,65.182.97.15:5807,115.147.231.81:9751,72.134.30.181:15810,71.59.97.180:24295,74.76.84.250:25497,96.234.62.221:32344,69.44.246.38:42254,98.199.75.23:51230
GNUTELLA/0.6 200 OK
So it seems that the malware has hooked into explorer.exe and hidden itself quite well, as a Norton scan doesn't pick anything up.
I have looked in Windows firewall and it shouldn't be letting this traffic through.
I have had a look into the messages explorer.exe is sending in Spy++ and the only related ones I can see are socket connections etc.
My question is what can I do to look into this deeper?
What does malware achieve by sending p2p traffic?
I know to fix the problem the easiest way is to reinstall Windows but I want to get to the bottom of it first, just out of interest.
Edit:
Had a look at Dependency Walker and Process Explorer.
Both great tools. Here is an image of the TCP connections for explorer.exe in Process Explorer: http://img210.imageshack.us/img210/3563/61930284.gif
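As an added example that is not part of the original post: a small Python parser for the Gnutella/0.6 handshake quoted above, written to pull out the values a responder would pivot on (both peers' advertised listen addresses, both User-Agent strings, and the X-Try-Ultrapeers list the remote side hands back). It assumes the three handshake messages are terminated by a blank line (the CRLF CRLF terminator that the paste lost); every header name and value in the embedded sample comes from the dump in the post, with x.x.x.x kept as the local placeholder.

```python
"""Parse a Gnutella/0.6 handshake from a captured TCP stream and extract
indicators.  Added example, not code from the original post.  SAMPLE_STREAM
is the handshake quoted in the post with the blank line that ends each
handshake message restored (assumption: standard CRLF CRLF terminators)."""
import re
from typing import Dict, List

SAMPLE_STREAM = "\r\n".join([
    "GNUTELLA CONNECT/0.6",
    "Listen-IP: x.x.x.x:8059",
    "Remote-IP: 76.164.224.103",
    "User-Agent: LimeWire/5.3.6",
    "X-Requeries: false",
    "X-Ultrapeer: True",
    "X-Degree: 32",
    "X-Query-Routing: 0.1",
    "X-Ultrapeer-Query-Routing: 0.1",
    "X-Max-TTL: 3",
    "X-Dynamic-Querying: 0.1",
    "X-Locale-Pref: en",
    "GGEP: 0.5",
    "Bye-Packet: 0.1",
    "",
    "GNUTELLA/0.6 200 OK",
    "Pong-Caching: 0.1",
    "X-Ultrapeer-Needed: false",
    "Accept-Encoding: deflate",
    "X-Requeries: false",
    "X-Locale-Pref: en",
    "X-Guess: 0.1",
    "X-Max-TTL: 3",
    "Vendor-Message: 0.2",
    "X-Ultrapeer-Query-Routing: 0.1",
    "X-Query-Routing: 0.1",
    "Listen-IP: 76.164.224.103:15649",
    "X-Ext-Probes: 0.1",
    "Remote-IP: x.x.x.x",
    "GGEP: 0.5",
    "X-Dynamic-Querying: 0.1",
    "X-Degree: 32",
    "User-Agent: LimeWire/4.18.7",
    "X-Ultrapeer: True",
    "X-Try-Ultrapeers: 121.54.32.36:3279,173.19.233.80:3714,65.182.97.15:5807,"
    "115.147.231.81:9751,72.134.30.181:15810,71.59.97.180:24295,74.76.84.250:25497,"
    "96.234.62.221:32344,69.44.246.38:42254,98.199.75.23:51230",
    "",
    "GNUTELLA/0.6 200 OK",
    "",
])

# "Name: value" header line, HTTP style; the value may itself contain colons.
HEADER_RE = re.compile(r"^([^:\s]+):\s*(.*)$")


def split_messages(stream: str) -> List[List[str]]:
    # Each handshake message (CONNECT, response, final ack) ends with an empty line.
    messages: List[List[str]] = []
    current: List[str] = []
    for line in stream.replace("\r\n", "\n").split("\n"):
        if line:
            current.append(line)
        elif current:
            messages.append(current)
            current = []
    if current:
        messages.append(current)
    return messages


def parse_message(lines: List[str]) -> Dict[str, object]:
    # First line is the start line; the rest are headers (keys lower-cased).
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        m = HEADER_RE.match(line)
        if m:
            headers[m.group(1).lower()] = m.group(2).strip()
    return {"start_line": lines[0], "headers": headers}


def parse_handshake(stream: str) -> List[Dict[str, object]]:
    msgs = [parse_message(m) for m in split_messages(stream)]
    if not msgs or not str(msgs[0]["start_line"]).startswith("GNUTELLA CONNECT/"):
        raise ValueError("stream does not start with a Gnutella CONNECT request")
    return msgs


def extract_indicators(stream: str) -> Dict[str, object]:
    msgs = parse_handshake(stream)
    req: Dict[str, str] = msgs[0]["headers"]  # type: ignore[assignment]
    resp = msgs[1] if len(msgs) > 1 else {"start_line": "", "headers": {}}
    resp_hdr: Dict[str, str] = resp["headers"]  # type: ignore[assignment]
    # The handshake only completes when the remote accepts and we ack with 200 OK.
    completed = (resp["start_line"] == "GNUTELLA/0.6 200 OK"
                 and len(msgs) > 2 and msgs[2]["start_line"] == "GNUTELLA/0.6 200 OK")
    peers = [p.strip() for p in resp_hdr.get("x-try-ultrapeers", "").split(",") if p.strip()]
    return {
        "handshake_completed": completed,
        "local_listen": req.get("listen-ip"),          # our advertised host:port
        "local_agent": req.get("user-agent"),          # self-reported, not trustworthy
        "local_claims_ultrapeer": req.get("x-ultrapeer", "").lower() == "true",
        "remote_listen": resp_hdr.get("listen-ip"),
        "remote_agent": resp_hdr.get("user-agent"),
        "try_ultrapeers": peers,                       # further peers to expect connections to
    }
```

Running extract_indicators(SAMPLE_STREAM) gives the local listen port (8059), the remote peer's listen address (76.164.224.103:15649) and the ten X-Try-Ultrapeers entries; those addresses are the ones to match against the other explorer.exe connections in netstat or Process Explorer. The User-Agent is whatever the sending code chose to write, so "LimeWire/5.3.6" identifies the protocol implementation the traffic imitates, not the binary behind it.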