The ultimate method would be to set up a KDB, set a breakpoint with some
actions (print, continue, etc.) and trace the kernel-to-user mode stack to find
the process from the TDI or NDIS driver. This would require some skill in
debugging. An easier method is to download a trial version of an antivirus
(Kaspersky has one, some other vendors have one too) with per-application
policies (or Cisco Secure Agent, if you have control over client and
server), set up a policy to deny ICMP for all applications and then check the
log. You could also deny ping.exe and see whether your setup is working.
There is no easy method to trace a packet back to the user-mode
application, since packets don't always follow the same path to enter
kernel mode, and tracing the stack back from kernel to user mode is the only
method that will give you 100% coverage.
HTH,
Adel
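The "deny ICMP for all applications and check the log" approach above can be done with components built into Windows rather than a third-party product. The following is an added example, not code from the original thread: it uses a Windows Firewall outbound rule plus the Windows Filtering Platform packet-drop audit (Security log event ID 5152, which records the dropping process's ID and image path). It assumes Windows Vista/7 or later, an elevated prompt, that outbound ICMP may be blocked for the duration of the test, and that the rule name and test address (192.0.2.10, from the TEST-NET-1 documentation range) are placeholders.

```powershell
# Added example (not from the original thread). Finds the process sending ICMP
# echo requests by blocking them and reading the WFP packet-drop audit events.
# Assumes Windows Vista/7 or later and an elevated PowerShell prompt.

$ruleName = 'Test: block outbound ICMP echo request'   # rule name is an assumption
$target   = '192.0.2.10'                                # constructed test address

# 1. Block outbound ICMPv4 type 8 (echo request) for every program.
netsh advfirewall firewall add rule name="$ruleName" dir=out action=block protocol=icmpv4:8,any | Out-Null

# 2. Have WFP log every dropped packet to the Security log as event ID 5152.
auditpol /set /subcategory:"Filtering Platform Packet Drop" /failure:enable | Out-Null

# 3. Sanity check, as suggested in the thread: ping.exe itself must now show up.
$since = Get-Date
ping.exe -n 1 $target | Out-Null

# 4. Collect 5152 events since $Since and keep only ICMP (IP protocol 1) drops.
#    Field names come from the event's EventData; Application is an NT device
#    path such as \device\harddiskvolume2\windows\system32\ping.exe.
function Get-IcmpDropEvents {
    param([datetime]$Since)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 5152; StartTime = $Since } -ErrorAction SilentlyContinue |
        ForEach-Object {
            $data = @{}
            ([xml]$_.ToXml()).Event.EventData.Data | ForEach-Object { $data[$_.Name] = $_.'#text' }
            if ($data['Protocol'] -eq '1') {
                New-Object PSObject -Property @{
                    Time        = $_.TimeCreated
                    ProcessId   = $data['ProcessId']
                    Application = $data['Application']
                    Destination = $data['DestAddress']
                }
            }
        }
}

Get-IcmpDropEvents -Since $since |
    Sort-Object Time |
    Format-Table Time, ProcessId, Application, Destination -AutoSize

# 5. Leave the rule and audit enabled while the unknown sender is active, then clean up:
# netsh advfirewall firewall delete rule name="$ruleName"
# auditpol /set /subcategory:"Filtering Platform Packet Drop" /failure:disable
```

The first row should be ping.exe with the test address; any other rows are the application the original poster is looking for. Two caveats: 5152 is written only for packets the filter actually drops, so the rule must stay in place while the suspect process is active, and the ProcessId may already be gone by the time you look, which is why the Application path is the field to rely on.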
-----Original Message-----
From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of
Edouard Zorrilla
Sent: Thursday, July 08, 2010 9:24 AM
To: itguy.pro_at_gmail.com; ccielab_at_groupstudy.com
Cc: security_at_groupstudy.com
Subject: Re: OT : Windows machine sending ICMP echo request (ping)
Thanks,
I have already run Malwarebytes and the only thing that I have found is
Hijack.display.properties, which doesn't seem to be anything weird. Do
you know how to track ICMP traffic? I would like to see which application
is sending this ICMP ping traffic.
Thanks.
----- Original Message -----
From: <itguy.pro_at_gmail.com>
To: "Edouard Zorrilla" <ezorrilla_at_tsf.com.pe>; <ccielab_at_groupstudy.com>
Cc: <security_at_groupstudy.com>
Sent: Thursday, July 08, 2010 8:08 AM
Subject: Re: OT : Windows machine sending ICMP echo request (ping)
> Sounds like some worm... Did you run any anti malware software? Try
> malwarebytes.org.
> Sent via BlackBerry from T-Mobile
>
> -----Original Message-----
> From: "Edouard Zorrilla" <ezorrilla_at_tsf.com.pe>
> Sender: nobody_at_groupstudy.com
> Date: Thu, 8 Jul 2010 07:59:04
> To: <ccielab_at_groupstudy.com>
> Reply-To: "Edouard Zorrilla" <ezorrilla_at_tsf.com.pe>
> Cc: <security_at_groupstudy.com>
> Subject: OT : Windows machine sending ICMP echo request (ping)
>
> Hi Guys,
>
> I have a Windows machine which keeps sending pings to others. The
> destinations are random, but valid IP addresses (it seems to query DNS or
> WINS). Do you know how I can track the .exe which sends that kind of ping
> packet to the network? I have tried TCPView, but this shows me TCP/UDP
> connections, not ICMP traffic. I have scanned with antivirus/antimalware
> and all is clean.
>
> Thanks in advance for your time,
>
> Regards
>
>
> Blogs and organic groups at http://www.ccie.net
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
Received on Thu Jul 08 2010 - 10:15:08 ART
This archive was generated by hypermail 2.2.0 : Sun Aug 01 2010 - 19:19:14 ART