
How to identify program source and purpose of outgoing IP-Block?



D_Blackwell
09-11-2011, 01:45 AM
cnm, Mother Lion of SWI has recommended The PC Guide as the next stop pursuing the reason/source of an IP-Block that is being flagged multiple times per day, every day, by Malwarebytes.

221.192.199.49 (Outgoing, Port 137) It's a persistent SOB. I am very interested in learning how to find out what program is trying to establish the outgoing connection and why. So far, all I have is that the IP address is located in China and is considered 'undesirable'.

cnm had me run a full slate of tools to see if we could find malware/Trojan/rootkit - anything. So far, there is no indication that my box is anything but clean. Malwarebytes Premium Services gave me a thorough check remotely. They can't provide any information about the IP-Block, or how to proceed, but my machine is officially clean.

I have no indications (performance and such) of an Alien Presence, but I have also made no progress on identifying why MWB is making this block or learning anything about it at all.

I sure wish that MWB noted the source of the IP-Block 221.192.199.49 (Outgoing, Port 137). Seems like it would be a lot more useful if it did. It would be a real plus if MWB provided information about IP-Blocks beyond that the block was made, or made it possible for users to research with an additional tool.

The original thread is here:
http://www.spywareinfoforum.com/index.php?/topic/132492-how-to-identify-source-of-outgoing-ip-block/

It was suggested that I try ProcMon and try to connect the time stamp of the IP-Block to the entries generated by ProcMon.

The problem that I am having is that even with an hour/minute/second time stamp of the IP-Block from MWB, ProcMon is showing hundreds and hundreds of entries for that exact second. I only have to have ProcMon open a few hours and there are several million entries. How do I use this program to show me just the data that is likely to be useful in tracking the source of this IP?

I would post the ProcMon entries for the exact second of one of these IP-Blocks, but am reticent to do so unless requested because hundreds of lines is not an exaggeration. I've looked through them and nothing jumps out, but I'm not qualified to make a reasoned judgment.

What to do? How to proceed?

mjc
09-11-2011, 02:35 PM
Well, the first thing to do is trim down what you KNOW is running...don't try to run a ProcMon log with EVERYTHING running. Shut off things that you know what they are...things that you open/run. Don't close all your browser windows, leave one open, but close multiples. Close background tasks that you KNOW what they are; any games, media players, etc.

That should cut the entries in ProcMon down a bit...

Also, ProcMon should have a search/filter function...it also used to be able to be set up to exclude certain items...use it to isolate a specific moment. If your firewall can, try to get it to timestamp with thousandths of a second (ProcMon should be able to do that), then use the search/filter to bracket that exact time.

D_Blackwell
09-12-2011, 12:29 AM
I don't know how to do the things that you were asking for without concerns that I might cause more problems than I am fixing. I have been considering how to best proceed, and may have accidentally made some progress while thinking about that.

I was wiped out early this evening and took a nap. During that time, MWB made four IP-Blocks, including two to my worst offender (221.192.199.49). The other is Chinese also:

21:12:29 David Blackwell IP-BLOCK 61.147.67.253 (Type: outgoing, Port: 137)
21:12:29 David Blackwell IP-BLOCK 61.147.67.253 (Type: outgoing, Port: 137)
21:12:29 David Blackwell IP-BLOCK 61.147.67.253 (Type: outgoing, Port: 137)
21:12:29 David Blackwell IP-BLOCK 61.147.67.253 (Type: outgoing, Port: 137)
21:12:29 David Blackwell IP-BLOCK 61.147.67.253 (Type: outgoing, Port: 137)
.
21:12:37 David Blackwell IP-BLOCK 61.147.67.253 (Type: outgoing, Port: 137)
21:12:37 David Blackwell IP-BLOCK 61.147.67.253 (Type: outgoing, Port: 137)
.
21:15:49 David Blackwell IP-BLOCK 221.192.199.49 (Type: outgoing, Port: 137)
21:15:49 David Blackwell IP-BLOCK 221.192.199.49 (Type: outgoing, Port: 137)
21:15:49 David Blackwell IP-BLOCK 221.192.199.49 (Type: outgoing, Port: 137)
.
21:15:57 David Blackwell IP-BLOCK 221.192.199.49 (Type: outgoing, Port: 137)
21:15:57 David Blackwell IP-BLOCK 221.192.199.49 (Type: outgoing, Port: 137)
21:15:57 David Blackwell IP-BLOCK 221.192.199.49 (Type: outgoing, Port: 137)
21:15:57 David Blackwell IP-BLOCK 221.192.199.49 (Type: outgoing, Port: 137)


I don't know enough about ProcMon to know how to isolate a list of just the lines that I am interested in. However, because I was not working at the time, the list of lines at the exact second of each event was many hundreds of lines shorter than usual.

So, I took screenshots to capture the information. (I also saved a Logfile.PML (705MB).)

The first event had tons of lines at that exact second, so I've skipped that one. The exact second of the second and fourth events fit in one screen shot each. The third event required four screen shots.

I have put all of the screen shots in a Word .docx file located here (1.12MB):
http://bentonandblackie.com/IP-Block-data-ProcMon.docx

(Tried to save as a PDF, but for some reason it 'washed out' the images pretty badly. Hmm.)

Is there anything here that can be used to identify which programs are trying to establish those outgoing connections and why?

What is my next move?
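mjc's suggestion of bracketing the exact block time in ProcMon, and the IP-BLOCK lines quoted above, can be combined offline. The following is an added example, not code from either poster or from Malwarebytes or Sysinternals: it parses the block log, reads a ProcMon CSV export, and keeps only network send rows to the blocked address within a couple of seconds of each block, recording the process name and PID (port 137 is the NetBIOS Name Service, so the sender is often a system process rather than an application). The block lines are the thread's; the ProcMon rows, process names, PIDs and the 24-hour clock column are constructed assumptions.

```python
import csv
import io
import re
from datetime import datetime, timedelta

# Shape of the Malwarebytes protection-log lines quoted in the thread.
MBAM_RE = re.compile(r"^(?P<time>\d\d:\d\d:\d\d) .*?IP-BLOCK (?P<ip>[\d.]+) "
                     r"\(Type: (?P<direction>\w+), Port: (?P<port>\d+)\)$")

# Constructed sample: three of the block lines posted in the thread.
MBAM_LOG = """\
21:12:29 David Blackwell IP-BLOCK 61.147.67.253 (Type: outgoing, Port: 137)
21:15:49 David Blackwell IP-BLOCK 221.192.199.49 (Type: outgoing, Port: 137)
21:15:57 David Blackwell IP-BLOCK 221.192.199.49 (Type: outgoing, Port: 137)
"""

# Constructed ProcMon CSV export (File > Save > CSV, default columns); assumes a
# 24-hour clock column.  Process names and PIDs are made up for the example.
PROCMON_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"21:15:49.0123456","System","4","UDP Send","DESKTOP-HOME:137 -> 221.192.199.49:137","SUCCESS","Length: 50"
"21:15:49.0200000","explorer.exe","1840","CreateFile","C:\Windows\explorer.exe","SUCCESS",""
"21:15:49.6000000","svchost.exe","1012","UDP Send","DESKTOP-HOME:137 -> 221.192.199.49:137","SUCCESS","Length: 50"
"21:15:57.1000000","System","4","UDP Send","DESKTOP-HOME:137 -> 221.192.199.49:137","SUCCESS","Length: 50"
"21:16:30.0000000","browser.exe","2200","TCP Send","DESKTOP-HOME:52011 -> 192.0.2.10:443","SUCCESS","Length: 517"
'''

def parse_mbam(lines):
    """Return (time, ip, direction, port) for each IP-BLOCK line; other lines are skipped."""
    found = [MBAM_RE.match(line.strip()) for line in lines]
    return [(datetime.strptime(m["time"], "%H:%M:%S"), m["ip"], m["direction"], int(m["port"]))
            for m in found if m]

def correlate(mbam_lines, procmon_csv, window=timedelta(seconds=2)):
    """Map each blocked IP to the {(process, PID)} ProcMon saw sending to it within `window`."""
    blocks = parse_mbam(mbam_lines)
    hits = {}
    for row in csv.DictReader(io.StringIO(procmon_csv)):
        if "Send" not in row["Operation"]:      # drop file/registry/process rows
            continue
        # ProcMon logs fractional seconds; the block log has whole seconds only.
        seen = datetime.strptime(row["Time of Day"].split(".")[0], "%H:%M:%S")
        for when, ip, _direction, _port in blocks:
            if abs(seen - when) <= window and ip in row["Path"]:
                hits.setdefault(ip, set()).add((row["Process Name"], row["PID"]))
    return hits

if __name__ == "__main__":
    for ip, procs in correlate(MBAM_LOG.splitlines(), PROCMON_CSV).items():
        print(ip, "<-", sorted(procs))
```

Blocked addresses with no matching send row (here 61.147.67.253) simply do not appear in the result, which tells you the capture did not cover that block or the clock columns are not aligned.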