Malware Domain List

Site Related => Site / Forum Discussion => Topic started by: jx on July 02, 2009, 03:58:00 pm

Title: Help
Post by: jx on July 02, 2009, 03:58:00 pm
Hi everybody,

I just noticed that I always have an open connection to 209-8-114-140.static.pccwglobal.net.
What's static.pccwglobal.net?

I have installed ESET 3.0.566.0 with web access protection on my PC, so I think it works like a proxy;
for that reason 209-8-114-140.static.pccwglobal.net always seems to be associated with ekrn.exe.

I block the domain in my router, but it seems to open similar domains with different IPs. Could you explain to me what happens?

Thanks,
jx

Title: Re: Help
Post by: philipp on July 03, 2009, 12:04:33 am
Hi jx,
I can't help you much, but I'll try to point you in a direction for further 'investigation' :D

209-8-114-140.static.pccwglobal.net is the PTR resource record for 209.8.114.140.
Here we find an open port 80 (among others) running
Server: AkamaiGHost

A quick Google search and the HTTP server's response indicate that this is one of the Akamai servers.
Akamai Technologies is a popular provider of a Content Distribution/Delivery Network (CDN), mirroring content on thousands of servers all over the world. That's why you often get different IP addresses for lookups of their customers (and why this IP might change when you block it). Now, among their customers are, for example, google.com, fbi.gov, yahoo.com, etc. So this does not necessarily have to be malicious activity :D

Here you can find more info about Akamai:
http://en.wikipedia.org/wiki/Akamai_Technologies
http://www.akamai.com
http://www.akamai.com/html/customers/customer_list.html

Now, if you want to find out what is causing this traffic and what host is actually being resolved (whose content is being served by the Akamai servers), I suggest you install Wireshark (http://www.wireshark.org) and watch what's going on.
You can also disable ESET, so the traffic will no longer be redirected through ekrn.exe, and check with 'netstat -ano' and the Task Manager what process is responsible for the connections. This should be safe, since ESET is not blocking it anyway. However, I think a packet capture will tell you what you want to know :)

Good luck
and regards,
Philipp
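
The 'netstat -ano' plus Task Manager step from the reply above, as an added example that is not part of the original thread: a Python script that joins the PID column of netstat with the image names from tasklist to show which process owns a connection to a given remote IP, and that decodes the dashed-IP PTR naming used by 209-8-114-140.static.pccwglobal.net back into a dotted address. The command output embedded below is constructed for this example, and its PIDs and process names are made up.

```python
"""Correlate 'netstat -ano' and 'tasklist' output (Windows) to find the process
behind a connection, and decode dashed-IP PTR names such as
209-8-114-140.static.pccwglobal.net. All sample output in this file is
constructed for the example; it is not a capture from a real machine."""

import re

# Constructed sample of 'netstat -ano' output (PIDs and addresses made up).
NETSTAT_SAMPLE = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    127.0.0.1:30606        127.0.0.1:49211        ESTABLISHED     1234
  TCP    192.168.1.10:49215     209.8.114.140:80       ESTABLISHED     1234
  TCP    192.168.1.10:49220     192.168.1.1:443        TIME_WAIT       0
  UDP    0.0.0.0:5355           *:*                                    888
"""

# Constructed sample of 'tasklist' output (same made-up PIDs).
TASKLIST_SAMPLE = """
Image Name                     PID Session Name        Session#    Mem Usage
========================= ======== ================ =========== ============
System Idle Process              0 Services                   0          8 K
ekrn.exe                      1234 Services                   0     42,512 K
svchost.exe                    888 Services                   0     10,004 K
"""

# One netstat row: proto, local, foreign, optional state (UDP has none), PID.
NETSTAT_RE = re.compile(
    r"^\s*(?P<proto>TCP|UDP)\s+(?P<local>\S+)\s+(?P<remote>\S+)"
    r"(?:\s+(?P<state>[A-Z_]+))?\s+(?P<pid>\d+)\s*$"
)
# One tasklist row: image name, PID, session name, session number, memory.
TASKLIST_RE = re.compile(
    r"^(?P<image>.+?)\s+(?P<pid>\d+)\s+\S+\s+\d+\s+[\d,]+ K\s*$"
)
# Leading dashed IPv4 in a PTR-style name, e.g. 209-8-114-140.static....
DASHED_PTR_RE = re.compile(r"^(\d{1,3})-(\d{1,3})-(\d{1,3})-(\d{1,3})\.")


def parse_netstat(text):
    """Return one dict per connection line; header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = NETSTAT_RE.match(line)
        if m:
            row = m.groupdict()
            row["pid"] = int(row["pid"])
            rows.append(row)
    return rows


def parse_tasklist(text):
    """Return a {pid: image name} mapping from tasklist output."""
    procs = {}
    for line in text.splitlines():
        m = TASKLIST_RE.match(line)
        if m:
            procs[int(m.group("pid"))] = m.group("image").strip()
    return procs


def connections_to(remote_ip, netstat_text, tasklist_text):
    """Every connection whose foreign address is remote_ip (any port),
    with the owning process image name joined in via the PID."""
    procs = parse_tasklist(tasklist_text)
    hits = []
    for conn in parse_netstat(netstat_text):
        # rsplit keeps bracketed IPv6 addresses like [::1]:443 intact.
        host = conn["remote"].rsplit(":", 1)[0]
        if host == remote_ip:
            hits.append({**conn, "image": procs.get(conn["pid"], "<unknown>")})
    return hits


def ip_from_dashed_ptr(name):
    """Recover the dotted IPv4 encoded in names like
    209-8-114-140.static.pccwglobal.net; None if the name has no such prefix
    or an octet is out of range."""
    m = DASHED_PTR_RE.match(name)
    if not m:
        return None
    octets = [int(x) for x in m.groups()]
    if any(o > 255 for o in octets):
        return None
    return ".".join(str(o) for o in octets)


if __name__ == "__main__":
    target = ip_from_dashed_ptr("209-8-114-140.static.pccwglobal.net")
    for hit in connections_to(target, NETSTAT_SAMPLE, TASKLIST_SAMPLE):
        print(f"{hit['proto']} {hit['local']} -> {hit['remote']} "
              f"{hit['state'] or ''} pid={hit['pid']} ({hit['image']})")
```

The join only tells you which local process holds the socket. When a filtering proxy such as ekrn.exe owns every outbound HTTP connection, as in the original question, this output stops at the proxy, which is exactly why the reply suggests disabling it temporarily or taking a packet capture to see the Host header and the originally requested name.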
Title: Re: Help
Post by: jx on July 03, 2009, 04:52:02 am
Amazing man!

Thanks for your answers, I'll follow your advice.

regards,
jx
Title: Re: Help
Post by: philipp on July 03, 2009, 10:52:27 am
Guess I will have to correct myself regarding Akamai customers.
Not sure whether Google is still using their services (at least I think they once had to), but Microsoft is.