Jump to content


Photo

Suspicious Akaimi Dial-outs


  • Please log in to reply
12 replies to this topic

#1 DonZ

DonZ

    Regular Member

  • Honorary Members
  • PipPip
  • 68 posts

Posted 23 April 2012 - 07:12 PM

I have been lately noticing svshost.exe network services dial-outs to IPs 80.12.96.34 and 80.12.96.51. These dial-outs usually occur when I am browsing with IE9 or shortly after I end a browsing session. These never resolve to a domain name.

Anyone know if this a new Akaimi spyware variant?

#2 Firefox

Firefox

    Forum Deity

  • Trusted Advisors
  • PipPipPipPipPipPip
  • 10,036 posts
  • Gender:Male
  • Location:USA

Posted 23 April 2012 - 07:35 PM

Hello and welcome to Malwarebytes


If you think you are infected, here are the steps needed to get your computer cleaned....

Please read the following so that you can begin the cleaning process:

Don't use any temporary file cleaners unless requested - this can cause data loss and make recovery difficult

You have 3 Options that you can choose from as listed below:

  • Option 1 —— Free Expert advice in the Malware Removal Forum
  • Option 2 —— Paying customer -- Contact Support via email
  • Option 3 —— Premium, Fee-Based Support

OPTION 1

As we don't deal with malware removal in the General Malwarebytes' Anti-Malware Forum, you need to start a topic in the
Malware Removal forum so a qualified helper can help you fix any malware related problems/infections you may have.

  • Please read and follow the directions >>Right HERE<<, skipping any steps you are unable to complete.
  • After posting your new post, make sure under options, you select Track this topic and choose Immediate Email Notification,
    so that you're alerted when someone has replied to your post.

NOTE: Please do not post back to (bump) your topic within the first 48 hours.
Replying to your own posts changes the post count and helpers are looking for topics with zero replies.
If you reply to your own post helpers may think that you're already being helped and thus overlook your post.
  • If there is no reply from any experts after 48 hours, you can reply to the topic, asking for help again.
    Or
  • You may send a Private Message to a Moderator asking for assistance.

OPTION 2

Alternatively, as a paying customer, you can contact the help desk by filling out the form located >>Right HERE<<

OPTION 3

If you would like to use our Malwarebytes Premium Services, Comprehensive solutions to all your computer support needs—from installation and set-up to troubleshooting and tune-ups go to our Malwarebytes Premium Services support site --> >>Right HERE<<

Please be patient, someone will assist you as soon as possible.

PS: Please use the "Reply to this topic" Posted Image button not the Reply button when you start replying.

post-2065-0-92797800-1392234217.jpg


Dell Precision T7500, Win7 Ultimate 64bit fully updated, McAfee Corp Edition v8.8,
Watchguard Firewall, Intel Xeon E5606CPU, Dual Quad Core Processors, 16GB Ram,
E5606 @ 2.13GHz, Nvidia Quadro NVS420, Raid-1 Dual 1TB Sata 10000 rpm Hard Drives
Dual DVD Burners, IE10, Opera, MBAM, MBSB, MBAE


#3 DonZ

DonZ

    Regular Member

  • Honorary Members
  • PipPip
  • 68 posts

Posted 24 April 2012 - 12:41 PM

Don't believe I am "infected" since I run multiple malware scanners including MBAM Pro and see no other signs of abnormal activities. I run full scans with everything at least once a week.

I suspect the activity I am observing is related to Akaimi's new web site protection services and appears Microsoft must be involved somewhere since svchost.exe is doing the "dialing out."

BTW - my platform is WIN 7 x64 SP1.

#4 exile360

exile360

    exile

  • Administrators
  • PipPipPipPipPipPip
  • 16,017 posts
  • Gender:Male

Posted 24 April 2012 - 12:54 PM

Well, I use Internet Explorer 9 on Windows 7 x64 SP1 and I have never seen such blocks coming from svchost. I can assure you that MS would not use svchost to contact those sites, so there's likely some other service on your system behind it, which is either something malicious, or simply part of some third party software you have installed.
Samuel E Lindsey
Product Manager

Posted Image

Follow us: Twitter, Become a fan: Facebook

#5 DonZ

DonZ

    Regular Member

  • Honorary Members
  • PipPip
  • 68 posts

Posted 24 April 2012 - 05:27 PM

I haven't had any dial-outs since last Friday. At that time, I reset my router and did the ipconfig release/ flushdns/ reset bit. I also flushed my temp files using OldTimer's cleaner.

My opinion is there is a collection of rogue Akaimi servers hosted by Ripe in the 80.12.96.0 - 80.12.98.255 range. When I have received the previously posted svchost.exe dial-outs, I also was receiving IP connections from the aforementioned IP range in IE9.

BTW - I am located on the eastcoast of the U.S.

#6 exile360

exile360

    exile

  • Administrators
  • PipPipPipPipPipPip
  • 16,017 posts
  • Gender:Male

Posted 24 April 2012 - 05:45 PM

Ah, so you suspect some sort of DNS hijacking was at work then and the resets removed it? That makes sense.

Have you removed any infections recently, prior to the IP blocks showing up? If so, that would likely account for it as the threat may have set the rogue DNS settings.
Samuel E Lindsey
Product Manager

Posted Image

Follow us: Twitter, Become a fan: Facebook

#7 DonZ

DonZ

    Regular Member

  • Honorary Members
  • PipPip
  • 68 posts

Posted 25 April 2012 - 10:49 AM

I haven't had any malware infections since I went back to the WIN 7 firewall and replaced Avast with Norton Antivirus 2012. As I stated previously, I also have MBAM Pro installed with both realtime and IP blocking turned on. In other words, it has been months since I had an infections and these dial-outs are relatively new.

Only thing recently I installed is W.O.T. Appears that uses IP addresses in the 83.xxx.xxx.xxx range.

Personally I believe this activity is related to something within legit software that uses Akamai servers; Adobe stuff; Microsft stuff; etc.

#8 exile360

exile360

    exile

  • Administrators
  • PipPipPipPipPipPip
  • 16,017 posts
  • Gender:Male

Posted 25 April 2012 - 11:46 AM

MS doesn't use Akami, but yes, it's certainly possible that some legitimate application on your system is doing the dialing out.
Samuel E Lindsey
Product Manager

Posted Image

Follow us: Twitter, Become a fan: Facebook

#9 DonZ

DonZ

    Regular Member

  • Honorary Members
  • PipPip
  • 68 posts

Posted 25 April 2012 - 05:23 PM

MS uses Akamai for Win Updates also for cryptographic service baloney like cert. checking and the like. Symantec also uses their servers for AV updates.

I spoke to soon it appears. Dial-outs to those RIPE Akamai IPs started again today at boot time. So I have disabled WIN 7's dnscache service. I really don't need it anyway since my router has a DNS server. Personally, I have seen enough suspicious activity from WIN 7 dnscache service that it should be disabled. Again I really believe all this garbage is the result of Akamai's new web server secuity services.

#10 exile360

exile360

    exile

  • Administrators
  • PipPipPipPipPipPip
  • 16,017 posts
  • Gender:Male

Posted 25 April 2012 - 05:36 PM

Interesting. I've never gotten IP blocks from anything on that range, and I check for Windows Updates regularly (I have to since I'm using MSE as my antivirus).
Samuel E Lindsey
Product Manager

Posted Image

Follow us: Twitter, Become a fan: Facebook

#11 DonZ

DonZ

    Regular Member

  • Honorary Members
  • PipPip
  • 68 posts

Posted 30 April 2012 - 02:36 PM

Appears this IP range used by Adobe Flash for God knows what.

Also there appears to be a bug in TFC when using Norton AV 2012 - could apply to earlier versions. TFC is reseting Flash storage settings to defaults - that is allow everything to be stored on your PC. I suspect TFC resets Flash's settings to get at it's caches for cleaning and then Norton prevents it from resetting Flash storage settings back to original settings.

This was driving me up the wall when I saw that Flash settings had been reset to default until I realized that it occured everytime I ran TFC.

#12 noknojon

noknojon

    you know why ---

  • Honorary Members
  • PipPipPipPipPipPip
  • 6,090 posts
  • Gender:Male

Posted 01 May 2012 - 04:49 PM

Extracts from Wiki -
The Akamai Network: Customers
On July 21, 1999, at Macworld Expo New York, Apple and Akamai announced a strategic partnership to build Apple's new media network, QuickTime TV (QTV), based on QuickTime Streaming Server. Both companies later announced that Apple had made a $12.5 million investment in the company the previous month. Apple continues to use Akamai as their primary content delivery network for a wide range of applications including software downloads from Apple's Website, QuickTime movie trailers, and the iTunes Store.

In September 1999, Microsoft and Akamai formed a strategic relationship to incorporate Windows Media technology in Akamai's FreeFlow service, as well as to facilitate the porting of the FreeFlow product to the Windows platform; this relationship exists to this day.

The official U.S. government White House website (WhiteHouse.gov) uses Akamai Technologies for hosting video clips of President Barack Obama's Web addresses on their own in-house servers, after having posted previous addresses as embedded YouTube clips on the site.

Also there appears to be a bug in TFC when using Norton AV 2012

My MSE will, at times, give a Minor Red Warning recently when using TFC. Just a Flash in the bottom right corner of the screen, but nothing is ever recorded.
May be in a certain version of the program - Uninstall and reinstall to try and get a fresh version of the program -
Just another private helper .......................... The answer is always 42, or Reboot
If you are waiting for an answer Press F5 ................. you may have one waiting for you ........

#13 DonZ

DonZ

    Regular Member

  • Honorary Members
  • PipPip
  • 68 posts

Posted 02 May 2012 - 05:27 PM

Personally I believe alot of the "new" web traffic from Akamai is coming fom this: http://www.eweek.com...Attacks-631372/

I also think that services like this often times have other "hidden" benefits for their purchasers.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users