Thanks Abel,
That would make it, let me see.
Regards
----- Original Message -----
From: "Adel Abouchaev" <adel_at_netmasterclass.net>
To: "'Edouard Zorrilla'" <ezorrilla_at_tsf.com.pe>; <itguy.pro_at_gmail.com>;
<ccielab_at_groupstudy.com>
Cc: <security_at_groupstudy.com>
Sent: Thursday, July 08, 2010 10:15 AM
Subject: RE: OT : Windows machine sending ICMP echo request (ping)
> The ultimate method would be setting up a KDB, set up a breakpoint with
> some actions (print, continue, etc.) and trace kernel-to-user mode stack to
> find a process from the TDI or NDIS driver. This would require some skills in
> debugging. An easier method is to download a trial version of an antivirus
> (Kaspersky has it, some other vendors have it too) with per-application
> policies (or Cisco Secure Agent, if you have control over client and
> server), set up policy to deny ICMP for all applications and then check
> the log. You could also deny ping.exe and see if your setup is working.
>
> There is no easy method to trace any packet back to the user mode
> application, since they aren't always following the same path to enter
> kernel mode and tracing stack back from kernel to user is the only method
> that will give you 100% coverage.
>
> HTH,
>
> Adel
>
> -----Original Message-----
> From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of
> Edouard Zorrilla
> Sent: Thursday, July 08, 2010 9:24 AM
> To: itguy.pro_at_gmail.com; ccielab_at_groupstudy.com
> Cc: security_at_groupstudy.com
> Subject: Re: OT : Windows machine sending ICMP echo request (ping)
>
> Thanks,
>
> I have already run malwarebytes and the only thing that I have found is
> Hijack.display.properties, which doesn't seem to be anything weird. Do
> you know how to track icmp traffic? I would like to see which application
> is sending this icmp ping traffic.
>
> Thanks.
>
> ----- Original Message -----
> From: <itguy.pro_at_gmail.com>
> To: "Edouard Zorrilla" <ezorrilla_at_tsf.com.pe>; <ccielab_at_groupstudy.com>
> Cc: <security_at_groupstudy.com>
> Sent: Thursday, July 08, 2010 8:08 AM
> Subject: Re: OT : Windows machine sending ICMP echo request (ping)
>
>
>> Sounds like some worm... Did you run any anti malware software? Try
>> malwarebytes.org.
>> Sent via BlackBerry from T-Mobile
>>
>> -----Original Message-----
>> From: "Edouard Zorrilla" <ezorrilla_at_tsf.com.pe>
>> Sender: nobody_at_groupstudy.com
>> Date: Thu, 8 Jul 2010 07:59:04
>> To: <ccielab_at_groupstudy.com>
>> Reply-To: "Edouard Zorrilla" <ezorrilla_at_tsf.com.pe>
>> Cc: <security_at_groupstudy.com>
>> Subject: OT : Windows machine sending ICMP echo request (ping)
>>
>> Hi Guys,
>>
>> I have a windows machine which keeps sending pings to others. The
>> destinations are random but valid IP addresses (it seems to query dns or
>> wins). Do you know how I can track the .exe which sends that kind of ping
>> packets to the network? I have tried with tcpview but this shows me tcp/udp
>> connections, not icmp traffic. I have scanned with antivirus/antimalware and
>> all is clean.
>>
>> Thanks in advance for your time,
>>
>> Regards
>>
>>
>> Blogs and organic groups at http://www.ccie.net
>>
>> _______________________________________________________________________
>> Subscription information may be found at:
>> http://www.groupstudy.com/list/CCIELab.html
>>
>
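One defender-side way to answer the original question, added here as an example that is not part of the thread and that uses a different technique from the ones Adel lists: Windows Filtering Platform connection auditing (Security event 5156, which records the owning process for each permitted send, ICMP included) instead of a kernel debugger or a per-application antivirus policy. It assumes an elevated PowerShell prompt on Windows Vista/Server 2008 or later; Windows XP has no WFP and cannot use this.

```powershell
# Added example (not from the thread): attribute outbound ICMP echo requests to a
# process with Windows Filtering Platform auditing. Requires an elevated shell and
# Windows Vista / Server 2008 or later (no WFP on Windows XP).

# 1. Enable success auditing for the "Filtering Platform Connection" subcategory.
#    Every permitted send is then logged as Security event 5156, including ICMP,
#    together with the process ID and the image path of the sender.
auditpol /set /subcategory:"Filtering Platform Connection" /success:enable

# 2. Let the host ping on its own for a while, then read the 5156 records and keep
#    only outbound (%%14593) traffic whose IP protocol number is 1 (ICMP).
$since  = (Get-Date).AddMinutes(-10)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 5156; StartTime = $since } `
                       -ErrorAction SilentlyContinue

$icmp = foreach ($e in $events) {
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    if ($d.Protocol -eq '1' -and $d.Direction -eq '%%14593') {
        [pscustomobject]@{
            Time        = $e.TimeCreated
            ProcessId   = $d.ProcessID
            # NT device path of the image, e.g. \device\harddiskvolumeN\windows\system32\ping.exe
            Application = $d.Application
            Destination = $d.DestAddress
        }
    }
}

# 3. Summarise per image: the process behind the random-destination pings will
#    dominate the list, which is the .exe the original poster wanted to identify.
$icmp | Group-Object Application | Sort-Object Count -Descending |
    Select-Object Count, Name,
        @{ n = 'Destinations'; e = { ($_.Group.Destination | Sort-Object -Unique) -join ', ' } } |
    Format-Table -AutoSize -Wrap

# 4. Switch the audit off again when finished; 5156 is very noisy on a busy host.
auditpol /set /subcategory:"Filtering Platform Connection" /success:disable
```

If the listed process ID has already exited, the Application path is still recorded, so the image can be located on disk and checked even when Get-Process no longer shows it.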
Received on Thu Jul 08 2010 - 14:07:40 ART
This archive was generated by hypermail 2.2.0 : Sun Aug 01 2010 - 19:19:15 ART