Mischel Internet Security Forum > TrojanHunter > TrojanHunter Guard
Topic: Trojan hunter phone home?
mugwump (Newbie, Posts: 2)
Posted: Oct 17th, 2005, 5:42am
Hi,

Apologies if this question has been asked elsewhere; I have read the FAQ and searched this forum and Google but have not found any answers.

I installed TrojanHunter (and the Guard) yesterday as a trial.

Since then my firewall has identified and blocked several outbound connections on port 80 to various Internet hosts, some of which do not have DNS entries, but in all cases they seem to be in a netblock belonging to Akamai (who host thousands of sites for people such as Microsoft and many others).

No program is identified in the firewall logs.

Sysinternals TCPView lists the activating program as [System Process]:0

netstat -o shows the owning process of the connection to be 0 also.

I have scanned the PC in question using PestPatrol, Ad-Aware and of course TrojanHunter, all of which draw a blank (this is not strictly true; TrojanHunter did find OnTarget.100, RiskWare.NetCat.100 and Worm.nohoper.100 in 3 *files* but not active in *memory*; these are there deliberately for a network security training course).

My question is: does TrojanHunter perform some kind of "dynamic update check" or phone home? This only started after I installed the application (TrojanHunter directory creation time on my PC 09:29 yesterday, first blocked connection initiated 09:42).

Are these connections anything to do with your application?
What seems to confirm it is that if I unload TrojanHunter Guard and reload it, about 10 seconds after initiation I receive another firewall alert. Please can you help to explain this behaviour. Is it normal? What is the application trying to do by opening this connection?

I have pasted 2 logs below: a section of the alert log showing the connections and the packet log showing them dropped.
 
2005/10/16,10:58:30 +1:00 GMT,<my ipaddress>:3027,82.71.193.214:80,TCP (flags:S)
2005/10/16,10:58:34 +1:00 GMT,<my ipaddress>:3030,82.71.193.214:80,TCP (flags:S)
2005/10/16,10:59:42 +1:00 GMT,<my ipaddress>:3033,82.71.193.199:80,TCP (flags:S)
2005/10/16,11:00:08 +1:00 GMT,<my ipaddress>:3036,82.71.193.199:80,TCP (flags:S)
2005/10/16,19:15:46 +1:00 GMT,<my ipaddress>:3304,82.71.193.199:80,TCP (flags:S)
2005/10/16,19:21:16 +1:00 GMT,<my ipaddress>:3307,82.71.193.214:80,TCP (flags:S)
2005/10/16,19:21:26 +1:00 GMT,<my ipaddress>:3310,82.71.193.214:80,TCP (flags:S)
2005/10/16,19:30:46 +1:00 GMT,<my ipaddress>:3313,82.71.193.214:80,TCP (flags:S)
2005/10/16,19:36:16 +1:00 GMT,<my ipaddress>:3316,82.71.193.214:80,TCP (flags:S)
2005/10/16,19:36:26 +1:00 GMT,<my ipaddress>:3319,82.71.193.199:80,TCP (flags:S)
2005/10/16,19:51:26 +1:00 GMT,<my ipaddress>:3326,81.52.205.6:80,TCP (flags:S)
2005/10/16,20:21:16 +1:00 GMT,<my ipaddress>:3336,194.158.114.105:80,TCP (flags:S)
2005/10/16,20:21:26 +1:00 GMT,<my ipaddress>:3339,194.158.114.105:80,TCP (flags:S)
2005/10/16,20:41:58 +1:00 GMT,<my ipaddress>:3346,194.158.114.110:80,TCP (flags:S)
2005/10/16,20:42:48 +1:00 GMT,<my ipaddress>:3349,194.158.114.105:80,TCP (flags:S)
2005/10/16,21:25:38 +1:00 GMT,<my ipaddress>:3371,82.71.193.214:80,TCP (flags:S)
2005/10/16,21:25:44 +1:00 GMT,<my ipaddress>:3374,82.71.193.214:80,TCP (flags:S)
2005/10/16,21:36:18 +1:00 GMT,<my ipaddress>:3377,82.71.193.199:80,TCP (flags:S)
2005/10/16,21:36:28 +1:00 GMT,<my ipaddress>:3380,82.71.193.199:80,TCP (flags:S)
2005/10/16,21:51:18 +1:00 GMT,<my ipaddress>:3383,82.71.193.199:80,TCP (flags:S)
2005/10/16,22:21:20 +1:00 GMT,<my ipaddress>:3603,194.158.114.110:80,TCP (flags:S)
2005/10/16,22:21:30 +1:00 GMT,<my ipaddress>:3606,194.158.114.110:80,TCP (flags:S)
2005/10/16,22:55:46 +1:00 GMT,<my ipaddress>:3620,194.158.114.110:80,TCP (flags:S)
 
Packet DROPPED: Proto: IP_TCP Flags: 0x00000005 Src: <my ipaddress> Dest: 82.71.193.199 SrcPort: 3181 DstPort: 80
Packet DROPPED: Proto: IP_TCP Flags: 0x00000005 Src: <my ipaddress> Dest: 82.71.193.214 SrcPort: 3186 DstPort: 80
Packet DROPPED: Proto: IP_TCP Flags: 0x00000005 Src: <my ipaddress> Dest: 82.71.193.199 SrcPort: 3231 DstPort: 80
Packet DROPPED: Proto: IP_TCP Flags: 0x00000005 Src: <my ipaddress> Dest: 82.71.193.214 SrcPort: 3234 DstPort: 80
Packet DROPPED: Proto: IP_TCP Flags: 0x00000005 Src: <my ipaddress> Dest: 82.71.193.214 SrcPort: 3237 DstPort: 80
Packet DROPPED: Proto: IP_TCP Flags: 0x00000005 Src: <my ipaddress> Dest: 82.71.193.214 SrcPort: 3240 DstPort: 80
Packet DROPPED: Proto: IP_TCP Flags: 0x00000005 Src: <my ipaddress> Dest: 82.71.193.214 SrcPort: 3258 DstPort: 80
Packet DROPPED: Proto: IP_TCP Flags: 0x00000005 Src: <my ipaddress> Dest: 82.71.193.199 SrcPort: 3261 DstPort: 80
Packet DROPPED: Proto: IP_TCP Flags: 0x00000005 Src: <my ipaddress> Dest: 82.71.193.199 SrcPort: 3264 DstPort: 80
 
Your help and advice is appreciated, thanks.
Magnus (Administrator, Posts: 4092)
Reply #1: Oct 17th, 2005, 6:25am
TrojanHunter only accesses the Internet if you run LiveUpdate to update its rule files. It definitely does not attempt to go online in any other cases.
mugwump (Newbie, Posts: 2)
Reply #2: Oct 17th, 2005, 8:03am
Hi,

Thank you for the prompt response; I shall continue investigating elsewhere. It's useful to know I don't need to continue looking in this area.

Just going through killing/starting processes one by one and waiting till I find the one responsible.

Thanks again.
IP Logged
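The attribution problem in the opening post (blocked SYNs that netstat -o and TCPView assign to PID 0) and the kill/restart method in Reply #2, worked through as an added Python example; it is not part of the thread and not TrojanHunter's code. A PID of 0 in a snapshot means the socket had no live owner when the connection table was read, which is what you get when a short-lived connection attempt has already been abandoned by its process, so a single snapshot cannot attribute it. The usable signal is timing: collapse retried SYNs into attempts, then keep only the processes that were running during every attempt. The alert-log lines are a constructed subset of the posted ones, the netstat output is constructed, and the process names and lifetimes are hypothetical.

```python
"""Attribute blocked outbound connections to a process by time correlation.
Added example; not from the original posts and not TrojanHunter's code."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Alert:
    when: datetime
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass(frozen=True)
class Run:
    name: str              # hypothetical process name
    start: datetime
    stop: datetime | None  # None = still running at the end of the observation


def parse_alert_line(line: str) -> Alert:
    """Parse one line in the poster's alert-log format, e.g.
    2005/10/16,10:58:30 +1:00 GMT,<my ipaddress>:3027,82.71.193.214:80,TCP (flags:S)
    The '+1:00 GMT' label is dropped; every timestamp is treated as local time."""
    date, time_tz, src, dst, _proto = line.strip().split(",")
    clock = time_tz.split(" ")[0]
    when = datetime.strptime(f"{date} {clock}", "%Y/%m/%d %H:%M:%S")
    _src_host, src_port = src.rsplit(":", 1)   # host may be the literal '<my ipaddress>'
    dst_ip, dst_port = dst.rsplit(":", 1)
    return Alert(when, int(src_port), dst_ip, int(dst_port))


def parse_alert_log(text: str) -> list[Alert]:
    return [parse_alert_line(ln) for ln in text.splitlines() if ln.strip()]


def attempts(alerts: list[Alert], gap: timedelta = timedelta(seconds=30)) -> list[list[Alert]]:
    """Group consecutive alerts to the same host within `gap` into one connection
    attempt, so that SYN retries are not counted as separate events."""
    groups: list[list[Alert]] = []
    for a in sorted(alerts, key=lambda x: x.when):
        last = groups[-1][-1] if groups else None
        if last and last.dst_ip == a.dst_ip and a.when - last.when <= gap:
            groups[-1].append(a)
        else:
            groups.append([a])
    return groups


def alive(run: Run, t: datetime) -> bool:
    return run.start <= t and (run.stop is None or t <= run.stop)


def suspects(groups: list[list[Alert]], runs: list[Run]) -> list[str]:
    """Processes running at the start of every attempt. A process that was
    stopped during some attempt cannot be the originator and drops out; this is
    the kill/restart method from Reply #2 expressed as a set intersection."""
    keep = []
    for name in sorted({r.name for r in runs}):
        own = [r for r in runs if r.name == name]
        if all(any(alive(r, g[0].when) for r in own) for g in groups):
            keep.append(name)
    return keep


def netstat_owner(netstat_text: str, local_port: int) -> int | None:
    """Owning PID of a local TCP port from 'netstat -o' output. PID 0 (TCPView's
    [System Process]) means the socket has no live owner, so it cannot be
    attributed from this snapshot; None tells the caller to re-poll instead."""
    for line in netstat_text.splitlines():
        parts = line.split()          # Proto, Local, Foreign, State, PID
        if len(parts) == 5 and parts[0] == "TCP":
            if int(parts[1].rsplit(":", 1)[1]) == local_port:
                return int(parts[4]) or None
    return None


def _t(clock: str) -> datetime:
    return datetime.strptime(f"2005/10/16 {clock}", "%Y/%m/%d %H:%M:%S")


# Constructed sample: a subset of the posted alert-log entries, same format.
ALERT_LOG = """\
2005/10/16,10:58:30 +1:00 GMT,<my ipaddress>:3027,82.71.193.214:80,TCP (flags:S)
2005/10/16,10:58:34 +1:00 GMT,<my ipaddress>:3030,82.71.193.214:80,TCP (flags:S)
2005/10/16,10:59:42 +1:00 GMT,<my ipaddress>:3033,82.71.193.199:80,TCP (flags:S)
2005/10/16,19:21:16 +1:00 GMT,<my ipaddress>:3307,82.71.193.214:80,TCP (flags:S)
2005/10/16,19:21:26 +1:00 GMT,<my ipaddress>:3310,82.71.193.214:80,TCP (flags:S)
"""

# Hypothetical process lifetimes, as a kill/restart experiment would record them.
RUNS = [
    Run("browser.exe", _t("10:00:00"), _t("12:00:00")),
    Run("scheduler.exe", _t("09:30:00"), _t("19:00:00")),
    Run("liveupdate.exe", _t("09:40:00"), None),
]

# Constructed 'netstat -o' snapshot: the blocked SYN's socket already has no owner.
NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    192.168.1.10:3027      82.71.193.214:80       SYN_SENT        0
  TCP    192.168.1.10:3040      192.168.1.1:139        ESTABLISHED     1234
"""

if __name__ == "__main__":
    groups = attempts(parse_alert_log(ALERT_LOG))
    for g in groups:
        print(f"{g[0].when:%H:%M:%S} -> {g[0].dst_ip}:{g[0].dst_port} ({len(g)} SYNs)")
    print("candidates:", suspects(groups, RUNS))
    print("owner of :3027 ->", netstat_owner(NETSTAT, 3027))
```

Run as a script it prints the three attempts and the single surviving candidate. The check that actually resolves a PID-0 case is temporal, not a better snapshot: poll the connection table every second or so while the attempts are happening, or use a firewall that records the owning process at socket creation, so the owner is captured before the socket is torn down.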
Randy_Bell (Global Moderator, Posts: 2883)
Reply #3: Oct 17th, 2005, 10:24am
TH does not use the Akamai network, but Norton AV (and some other AVs) uses Akamai for LiveUpdate etc.