Gomer Finds A Mole

Ok, I’m going to start my first post with a whopping security breach at some place we all know.

While browsing a well-known site (I don’t need to get into the details of that site), I just knew something was up when I traced my line:

[img]Gomer1.jpg[/img]

HMM, I say. I was not receiving a reset packet back, so this really troubled me, because even when I closed the browser I was still getting this connection, and no reset even after the browser was well off. So this led me to this INFO:

Disable Window’s Network Plug-N-Play Function
In XP, the Simple Service Discovery Protocol (SSDP) discovery service searches for Universal Plug and Play devices on your home network. SSDP searches for upstream Internet gateways using UDP port 1900 – a potential security risk many organizations will want to block. OK, you decide to block SSDP services but to your surprise, your firewall and network sniffers continue to see the UDP port 1900 packets. You have disabled XP’s SSDP and even Universal Plug and Play Device Host. What’s going on? This is Universal Plug and Play Network Address Translation (NAT) traversal discovery used by Messenger. If you run a sniffer trace, the following information is displayed in the data section of the packet:

SSDP: Method = M-SEARCH
SSDP: Uniform Resource Identifier = *
SSDP: HTTP Protocol Version = HTTP/1.1
SSDP: Host = 239.255.255.250:1900
SSDP: Search Target = urn:schemas-upnp-org:device:InternetGatewayDevice:1
SSDP: Mandatory Extension = "ssdp:discover"
SSDP: Maximum Wait = 3

XP’s Windows Messenger is attempting to communicate to an Internet host. To block Windows Messenger’s broadcasts:
Hive: HKEY_LOCAL_MACHINE
Key: Software\Microsoft\DirectPlayNATHelp\DPNHUPnP
Name: UPnPMode
Type: REG_DWORD
Value: 2 (disabled)
With UPnPMode=2, Universal Plug and Play Network Address Translation (NAT) traversal discovery does not occur.
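
As an added example (not part of Gomer’s post or of the quoted INFO above), here is a small Python parser for SSDP M-SEARCH datagrams. It recovers the same fields the sniffer trace lists (method, URI, HTTP version, HOST, ST, MAN, MX) and answers the two things a defender reading such a trace wants to know: whether HOST is the standard SSDP multicast group 239.255.255.250:1900, and whether the search target is the InternetGatewayDevice type used for UPnP NAT traversal. Both sample datagrams are constructed inline; the function names `parse_ssdp` and `classify_msearch`, the verdict labels, and the unicast sample’s 192.0.2.10 address (a documentation address, not a real host) are my own assumptions.

```python
import ipaddress

SSDP_MULTICAST = ipaddress.ip_address("239.255.255.250")  # IPv4 SSDP multicast group
SSDP_PORT = 1900
IGD_SEARCH_TARGET = "urn:schemas-upnp-org:device:InternetGatewayDevice:1"

# Constructed sample: the fields the sniffer trace above lists, as they appear
# on the wire (an HTTP-style request line plus headers, carried over UDP).
SAMPLE_MSEARCH = (
    b"M-SEARCH * HTTP/1.1\r\n"
    b"HOST: 239.255.255.250:1900\r\n"
    b"ST: urn:schemas-upnp-org:device:InternetGatewayDevice:1\r\n"
    b'MAN: "ssdp:discover"\r\n'
    b"MX: 3\r\n"
    b"\r\n"
)

# Constructed sample of a datagram worth a second look: an M-SEARCH whose HOST
# header names a single unicast address (192.0.2.10 is a documentation address,
# not a real host) instead of the multicast group.
SAMPLE_UNICAST = (
    b"M-SEARCH * HTTP/1.1\r\n"
    b"HOST: 192.0.2.10:1900\r\n"
    b"ST: ssdp:all\r\n"
    b'MAN: "ssdp:discover"\r\n'
    b"MX: 30\r\n"
    b"\r\n"
)


def parse_ssdp(datagram: bytes) -> dict:
    """Split an SSDP datagram into request-line fields and a header map.

    Header names are upper-cased because SSDP, like HTTP, treats them as
    case-insensitive; header values keep their original text.
    """
    text = datagram.decode("ascii", errors="replace")
    head = text.split("\r\n\r\n", 1)[0]          # ignore anything after the blank line
    lines = head.split("\r\n")
    parts = lines[0].split(" ", 2)
    if len(parts) != 3:
        raise ValueError(f"malformed SSDP request line: {lines[0]!r}")
    method, uri, version = parts
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:                                   # skip junk lines instead of crashing
            headers[name.strip().upper()] = value.strip()
    return {"method": method, "uri": uri, "version": version, "headers": headers}


def classify_msearch(msg: dict) -> dict:
    """Answer, for one parsed datagram, the questions the trace above raises.

    multicast      - HOST is the standard group 239.255.255.250:1900
    gateway_search - ST asks for an InternetGatewayDevice (NAT traversal probe)
    mx_in_spec     - MX lies in the 1..5 second range UPnP Device Architecture 1.1 requires
    verdict        - short label a log pipeline can key on
    """
    hdr = msg["headers"]
    host, _, port = hdr.get("HOST", "").rpartition(":")
    try:
        multicast = ipaddress.ip_address(host) == SSDP_MULTICAST and port == str(SSDP_PORT)
    except ValueError:                            # missing or unparsable HOST
        multicast = False
    gateway_search = hdr.get("ST") == IGD_SEARCH_TARGET
    try:
        mx_in_spec = 1 <= int(hdr.get("MX", "")) <= 5
    except ValueError:
        mx_in_spec = False

    if msg["method"] != "M-SEARCH":
        verdict = "not-a-search"
    elif not multicast:
        verdict = "unicast-msearch"               # discovery aimed at one host: inspect
    elif gateway_search:
        verdict = "igd-discovery"                 # the NAT traversal probe described above
    else:
        verdict = "generic-discovery"
    return {"multicast": multicast, "gateway_search": gateway_search,
            "mx_in_spec": mx_in_spec, "verdict": verdict}


if __name__ == "__main__":
    for name, raw in (("trace sample", SAMPLE_MSEARCH), ("unicast sample", SAMPLE_UNICAST)):
        print(name, classify_msearch(parse_ssdp(raw)))
```

Run on the first sample, the classifier reports the ordinary multicast gateway discovery the INFO describes (`igd-discovery`). The second sample exists to show the contrast: SSDP discovery is supposed to go to the multicast group, so an M-SEARCH addressed to a single host, or one with an out-of-range MX, is the kind of datagram worth inspecting rather than assuming it is normal UPnP chatter.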
I bet you are now saying “interesting, eh?” Well, there is more to this tale. I start doing my thing to block this intrusion, so now I start with my homepage, and this is a good normal connect for any system:

[img]Gomer2.jpg[/img]

So my connection is working, the handshake is normal, but as soon as I go to that well-known site I came up with this after blocking the first intrusion. Now I’m getting somewhere with this:

[img]Gomer3.jpg[/img] (the point to see is how they could not use SSDP because of the block)

[img]Gomer4.jpg[/img]

I see it’s Best of Media, but I want more, and just who gave them the right to connect to my system and keep this alive well after the connection is closed? So I get deeper into who the computer is:

[img]Gomer5.jpg[/img] 

I do a block on bestofmedia, try the site again, and run a line trace again, and now we are getting a callback of the connection with this:

[img]Gomer6.jpg[/img]

From this I am very, very intrigued by how far they went to hide the fake IP of:

[img]Gomer7.jpg[/img]

So I’m smarter than Best of Media and come up with the real IP with this check:

[img]Gomer8.jpg[/img]

…which leads me to the remainder of this here:

[img]Gomer9.jpg[/img]

Ok, so my summary of this is that the forum has sold some of the site to bestofmedia, and they are redirecting and illegally trying to connect to people’s computers to gain personal information, or use someone’s connection to host for their networks: extra free bandwidth for their profit. I say this in confidence because they went through great measures to hide the source of their IP.

Anyway, now my line trace shows none of bestofmedia, only the images, and no connection to them other than the real connection.
Job well done with no spyware, and even at that, spyware would have been no use because the first IP was a fake. To see the pics you need to use a viewer; I made them small to save space. Second, pardon the poor English, I was in a hurry.

IPs
239.255.225.250 (fake)
24.226.12.186 (redirected) risky
24.226.0.206 (redirected) risky
216.221.80.240

Editor’s note: I PM’ed Gomer to ask for more clarification on the process he used to investigate the spyware-like behavior he was noticing. Here’s the first installment of additional details Gomer provided:

"239.255.255.250 is a home network IP used by Windows Messenger and home networking, using UPnP port 1900.
I discovered when browsing tomshardware that M-SEARCH is a word used as an index of a webpage on their webserver or a mirror of a caching server in the bestofmedia/micro network (and most likely linked to a folder of images/web links to activate this connection with Windows Messenger using NAT (Network Address Translation)). The actual host is:
The webserver name is AkamaiGhost – also known as Akamai Global Host – which is designed to serve as a "geographically co-located caching server" for a website. So what they do is mirror the site on a server at different ISPs/POPs to deliver the content faster from a closer location.

The problem with this is they sent a packet directly to my ISP’s DNS using M-SEARCH as an index to mirror the information from Akamai Global Host to tomshardware or bestofmedia, using UPnP protocols connecting to Windows Messenger, so now I’m the host of whatever that cache or mirror had.
How I actually discovered it was bestofmedia/micro or one of their thieves was by blocking the necessary protocols used; it was at that point in time that bestofmedia/micro showed in the trace while at tomshardware/forums. I saw for the first time in my trace, after the protocols were blocked/secured, img.tomshardware.com or img.bestofmicro, and other IPs trailed along the bestofmedia network. I was unable to stop the M-SEARCH in Task Manager, and SSDP Discovery was disabled in my services, but as explained, UPnP protocols were used to connect to Messenger and mirror information directly to tomshardware after my browser was closed.
I was playing BF and my ping was ridiculous; also my downloads were slow. It was at that point I decided to figure out what the hell was going on. I spent hours tracing every single IP that came in and out and eliminated IPs I could explain. The only one I could not explain was the M-SEARCH IP, but now I know it was my IP Messenger used to send the information packets to tomshardware, and after realizing that I know why Messenger would pop up as an active program even when disabled. I had to actually uninstall Messenger and put the new reg info in. I must make this very clear to everyone: this was tested well. I did not get the M-SEARCH with any sites I visited. I went to every site I have in my favorites for more than 10 mins so my trace would be long enough to send me resets back from all IPs; the only reset not showing was M-SEARCH, even after leaving the site."
Editor’s note #2: The following day, I got another PM from Gomer. The image was a dead link – when I get a functioning copy, I’ll paste it in:

"Ok, in this pic you can see the source server d221-80-240.commercial.cgeocable.net, destination 192.168.1.60, which is my address. This was called 2 times, then right away bestofmedia/micro became the source, the original culprit of the hack.

The cache server could not find what it was looking for because of the blocks I did, so the source became bestofmedia, as shown in the pic. The only difference now is that when I shut down the browser I was sent resets back, because the cache server mirrored the information back to bestofmedia/micro.
The remainder of the spoofing confirms bestofmedia using the cache server of d221."
