PDA

View Full Version : Trying to access the internet?



Voivod
2008-04-17, 21:38
Ran a quick scan with RootAlyzer then decided to run a deep scan. In the middle of (or rather, a while after starting the scan) ZoneAlarm popped up a warning that RootAlyzer.exe was attempting to accesss the internet.

It shouldn't be doing that, should it?

PepiMK
2008-04-17, 21:52
No, it surely should not!
Unless you open the About dialog and press the Update button of course, in which case it'll download a file of a few bytes of size. That file will be downloaded from http://www.safer-networking.org/updates/rootalyzer.ini.

Did ZoneAlarm tell you which site it tried to connect to?

Voivod
2008-04-17, 22:13
Nope didn't hit the update and no destination IP address listed in the ZA log. I denied access when it popped up.

This has been happening with other apps including a screensaver. Randomly popping up the ZA alerter with a request for net access. Windows is up to date. Updated and run AVG AV, SpyBot and AdAware none of them have found anything other than some cookies.

Addendum - Even Windows Defender came up blank

PepiMK
2008-04-22, 17:32
That's kind of spooky. You could try a tool like ActivePorts (http://www.devicelock.com/freeware.html) (or inside Spybot-S&D, Tools, Process List, the tab named Open Network Ports at the bottom, which does the same), to check which ports are opened in which application.

In theory, malware could easily inject a single thread into a different application to use that context for communicating with the outside. That's not an easy thing to code though, so quite rare.

If ZA shows no IP, did it open a port in "listen" mode maybe (trying to act as a server)? The above (ActivePorts or Spybot-S&D) would show that, and if not, possibly an IP or domain name which might help in finding out more (if something actually would go to the length of implementing such a method, it would be quite well hidden otherwise). Unless it's all a bug in ZA of course, haven't used that in a while and can't say anything about it, just mentioned to avoid imagining too many things on the possible rootkit side ;)