Suspicious Akaimi Dial-outs

[DonZ]

I have been lately noticing svshost.exe network services dial-outs to IPs 80.12.96.34 and 80.12.96.51. These dial-outs usually occur when I am browsing with IE9 or shortly after I end a browsing session. These never resolve to a domain name.

Anyone know if this a new Akaimi spyware variant?

[Firefox]

Hello and welcome to Malwarebytes

If you think you are infected, here are the steps needed to get your computer cleaned....

Please read the following so that you can begin the cleaning process:

Don't use any temporary file cleaners unless requested - this can cause data loss and make recovery difficult

You have 3 Options that you can choose from as listed below:

• Option 1 —— Free Expert advice in the Malware Removal Forum
  
• Option 2 —— Paying customer -- Contact Support via email
  
• Option 3 —— Premium, Fee-Based Support

OPTION 1

As we don't deal with malware removal in the General Malwarebytes' Anti-Malware Forum, you need to start a topic in the

Malware Removal forum so a qualified helper can help you fix any malware related problems/infections you may have.

• Please read and follow the directions >>Right HERE<<, skipping any steps you are unable to complete.
  
• After posting your new post, make sure under options, you select Track this topic and choose Immediate Email Notification,
  so that you're alerted when someone has replied to your post.

NOTE: Please do not post back to (bump) your topic within the first 48 hours.

Replying to your own posts changes the post count and helpers are looking for topics with zero replies.

If you reply to your own post helpers may think that you're already being helped and thus overlook your post.

• If there is no reply from any experts after 48 hours, you can reply to the topic, asking for help again.
  Or
  
• You may send a Private Message to a Moderator asking for assistance.
  

OPTION 2

Alternatively, as a paying customer, you can contact the help desk by filling out the form located >>Right HERE<<

OPTION 3

If you would like to use our Malwarebytes Premium Services, Comprehensive solutions to all your computer support needs—from installation and set-up to troubleshooting and tune-ups go to our Malwarebytes Premium Services support site --> >>Right HERE<<

Please be patient, someone will assist you as soon as possible.

PS: Please use the "Reply to this topic" button not the Reply button when you start replying.

[DonZ]

Don't believe I am "infected" since I run multiple malware scanners including MBAM Pro and see no other signs of abnormal activities. I run full scans with everything at least once a week.

I suspect the activity I am observing is related to Akaimi's new web site protection services and appears Microsoft must be involved somewhere since svchost.exe is doing the "dialing out."

BTW - my platform is WIN 7 x64 SP1.

[exile360]

Well, I use Internet Explorer 9 on Windows 7 x64 SP1 and I have never seen such blocks coming from svchost. I can assure you that MS would not use svchost to contact those sites, so there's likely some other service on your system behind it, which is either something malicious, or simply part of some third party software you have installed.

[DonZ]

I haven't had any dial-outs since last Friday. At that time, I reset my router and did the ipconfig release/ flushdns/ reset bit. I also flushed my temp files using OldTimer's cleaner.

My opinion is there is a collection of rogue Akaimi servers hosted by Ripe in the 80.12.96.0 - 80.12.98.255 range. When I have received the previously posted svchost.exe dial-outs, I also was receiving IP connections from the aforementioned IP range in IE9.

BTW - I am located on the eastcoast of the U.S.

[exile360]

Ah, so you suspect some sort of DNS hijacking was at work then and the resets removed it? That makes sense.

Have you removed any infections recently, prior to the IP blocks showing up? If so, that would likely account for it as the threat may have set the rogue DNS settings.

[DonZ]

I haven't had any malware infections since I went back to the WIN 7 firewall and replaced Avast with Norton Antivirus 2012. As I stated previously, I also have MBAM Pro installed with both realtime and IP blocking turned on. In other words, it has been months since I had an infections and these dial-outs are relatively new.

Only thing recently I installed is W.O.T. Appears that uses IP addresses in the 83.xxx.xxx.xxx range.

Personally I believe this activity is related to something within legit software that uses Akamai servers; Adobe stuff; Microsft stuff; etc.

[exile360]

MS doesn't use Akami, but yes, it's certainly possible that some legitimate application on your system is doing the dialing out.

[DonZ]

MS uses Akamai for Win Updates also for cryptographic service baloney like cert. checking and the like. Symantec also uses their servers for AV updates.

I spoke to soon it appears. Dial-outs to those RIPE Akamai IPs started again today at boot time. So I have disabled WIN 7's dnscache service. I really don't need it anyway since my router has a DNS server. Personally, I have seen enough suspicious activity from WIN 7 dnscache service that it should be disabled. Again I really believe all this garbage is the result of Akamai's new web server secuity services.

[exile360]

Interesting. I've never gotten IP blocks from anything on that range, and I check for Windows Updates regularly (I have to since I'm using MSE as my antivirus).

[DonZ]

Appears this IP range used by Adobe Flash for God knows what.

Also there appears to be a bug in TFC when using Norton AV 2012 - could apply to earlier versions. TFC is reseting Flash storage settings to defaults - that is allow everything to be stored on your PC. I suspect TFC resets Flash's settings to get at it's caches for cleaning and then Norton prevents it from resetting Flash storage settings back to original settings.

This was driving me up the wall when I saw that Flash settings had been reset to default until I realized that it occured everytime I ran TFC.

[noknojon]

Extracts from Wiki -

The Akamai Network: Customers

On July 21, 1999, at Macworld Expo New York, Apple and Akamai announced a strategic partnership to build Apple's new media network, QuickTime TV (QTV), based on QuickTime Streaming Server. Both companies later announced that Apple had made a $12.5 million investment in the company the previous month. Apple continues to use Akamai as their primary content delivery network for a wide range of applications including software downloads from Apple's Website, QuickTime movie trailers, and the iTunes Store.

In September 1999, Microsoft and Akamai formed a strategic relationship to incorporate Windows Media technology in Akamai's FreeFlow service, as well as to facilitate the porting of the FreeFlow product to the Windows platform; this relationship exists to this day.

The official U.S. government White House website (WhiteHouse.gov) uses Akamai Technologies for hosting video clips of President Barack Obama's Web addresses on their own in-house servers, after having posted previous addresses as embedded YouTube clips on the site.

Also there appears to be a bug in TFC when using Norton AV 2012

My MSE will, at times, give a Minor Red Warning recently when using TFC. Just a Flash in the bottom right corner of the screen, but nothing is ever recorded.

May be in a certain version of the program - Uninstall and reinstall to try and get a fresh version of the program -

[DonZ]

Personally I believe alot of the "new" web traffic from Akamai is coming fom this: http://www.eweek.com/c/a/Security/Akamai-Kona-site-Defender-Security-Service-Blocks-DDoS-Attacks-631372/

I also think that services like this often times have other "hidden" benefits for their purchasers.