
I am investigating a macOS Catalina machine that is believed to be infected with malware. I have been viewing packets with tcpdump and noticed that, on connecting to any web address, there is a legitimate packet that gets sent to the DNS server... then... there are packets that get sent from 127.0.0.1:53482 (or some port) to 127.0.0.1:443 -- the packet headers are labelled with an incorrect checksum (cksum -> incorrect).

Also, there are packets from 127.0.0.1:62692 (or some other port) -> 127.0.0.1:32376 labelled with a bad checksum (bad udp cksum). And, again on localhost, 127.0.0.1:5353 -> 224.0.0.251:5353, again with a bad checksum (bad udp cksum). All this traffic is on the lo0 adapter.

Packet traces

Screenshot: incorrect checksum, destination 127.0.0.1:443

Screenshot: bad checksum, destination 127.0.0.1:32376

Screenshot: bad checksum, source 127.0.0.1:5353, destination 224.0.0.251:5353

Attempts to find process:

Screenshot: sudo lsof -i

Screenshot: netstat

My guess is this is related to some corruption with mDNSResponder? I welcome and appreciate any tips or suggestions on how to solve this.

schroeder

2 Answers


The bad checksums might be the result of checksum offloading: https://wiki.wireshark.org/CaptureSetup/Offloading#Checksum_Offload

Also, you can use the "-p" switch in netstat to show the Process ID; I believe that switch requires sudo.

Hope this helps.

ansichart
  • Disable TSO / LRO / GSO
  • Disable Tx / Rx Checksum offloading
schroeder
    And what would these things do? Can you expand your answer with more detail and explain how this might help – schroeder Mar 04 '21 at 18:30
  • These options will help offload some work from SW to HW. To my understanding, tcpdump captures the packets in the SW layer. Take a sending packet, for example: the checksum field will be recalculated by HW or FW in the NIC. So in the pcap file, some captured packets may not have the correct checksum, since the SW doesn't care about this field before sending. – Polymersudo Mar 27 '21 at 12:19
  • Can you please edit your question with these details? Right now, this is only a fraction of an answer. – schroeder Mar 27 '21 at 12:40
  • This is not my question. This is my answer. – Polymersudo Mar 29 '21 at 03:37
  • Right, can you please edit your answer with these details? – schroeder Mar 29 '21 at 06:44
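Added example, not part of the question or of either answer above, illustrating what both answers are getting at: tcpdump's "bad udp cksum" verdict is just a recomputation of the RFC 768 UDP checksum over the IPv4 pseudo-header plus the segment, compared with what is in the packet's checksum field. The code builds the 127.0.0.1:5353 -> 224.0.0.251:5353 datagram from the question with a constructed mDNS query payload (sample input, not taken from the asker's capture) and fills the checksum field three ways: the correct value, zero ("no checksum"), and the pseudo-header-only partial sum. That the sending stack leaves only the partial sum in the field and lets the NIC finish it is the usual Tx checksum-offload convention and is stated here as an assumption about the asker's machine, not something the page confirms.

```python
"""Recompute and verify an IPv4/UDP checksum the way tcpdump does when it
prints "[udp sum ok]" or "[bad udp cksum ...]". Added example, not from the
original question or answers."""
import struct
from ipaddress import IPv4Address

UDP_PROTO = 17

# Endpoints from the question: 127.0.0.1:5353 -> 224.0.0.251:5353 (mDNS).
SRC = IPv4Address("127.0.0.1").packed
DST = IPv4Address("224.0.0.251").packed

# Constructed sample payload (not captured from the asker's machine): an mDNS
# PTR query for _services._dns-sd._udp.local, i.e. a service browse.
MDNS_QUERY = (
    b"\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00"  # id=0, flags=0, QDCOUNT=1
    + b"\x09_services\x07_dns-sd\x04_udp\x05local\x00"   # QNAME
    + b"\x00\x0c\x00\x01"                                 # QTYPE=PTR, QCLASS=IN
)


def ones_complement_sum(data: bytes) -> int:
    """RFC 1071 16-bit one's-complement sum with carries folded back in.
    An odd trailing byte is zero-padded on the right."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def pseudo_header(src_ip: bytes, dst_ip: bytes, udp_len: int) -> bytes:
    """IPv4 pseudo-header that RFC 768 prepends to the segment before summing."""
    return src_ip + dst_ip + struct.pack("!BBH", 0, UDP_PROTO, udp_len)


def udp_checksum(src_ip: bytes, dst_ip: bytes, udp_segment: bytes) -> int:
    """Checksum for a UDP segment whose checksum field (bytes 6..8) is zero."""
    total = ones_complement_sum(pseudo_header(src_ip, dst_ip, len(udp_segment)) + udp_segment)
    csum = 0xFFFF ^ total
    return csum if csum else 0xFFFF  # RFC 768: a computed 0 is transmitted as 0xFFFF


def build_udp(src_ip, dst_ip, sport, dport, payload, mode="full"):
    """Build a UDP segment; `mode` selects what lands in the checksum field:
    'full'    - the correct checksum, as seen on the wire without offload
    'zero'    - 0, which for UDP over IPv4 means "no checksum"
    'partial' - the pseudo-header sum only; assumption: this is what a stack
                using Tx checksum offload hands the NIC, which completes it."""
    length = 8 + len(payload)
    seg = struct.pack("!HHHH", sport, dport, length, 0) + payload
    if mode == "full":
        field = udp_checksum(src_ip, dst_ip, seg)
    elif mode == "partial":
        field = ones_complement_sum(pseudo_header(src_ip, dst_ip, length))
    elif mode == "zero":
        field = 0
    else:
        raise ValueError(f"unknown mode {mode!r}")
    return seg[:6] + struct.pack("!H", field) + seg[8:]


def verify_udp(src_ip, dst_ip, udp_segment) -> str:
    """tcpdump-style verdict for a captured IPv4/UDP segment."""
    stored = struct.unpack("!H", udp_segment[6:8])[0]
    if stored == 0:
        return "no cksum"
    zeroed = udp_segment[:6] + b"\x00\x00" + udp_segment[8:]
    expected = udp_checksum(src_ip, dst_ip, zeroed)
    if stored == expected:
        return "udp sum ok"
    return f"bad udp cksum {stored:#06x} -> {expected:#06x}!"


if __name__ == "__main__":
    for mode in ("full", "zero", "partial"):
        seg = build_udp(SRC, DST, 5353, 5353, MDNS_QUERY, mode)
        print(f"{mode:8s} 127.0.0.1.5353 > 224.0.0.251.5353: [{verify_udp(SRC, DST, seg)}]")
```

Only the "full" segment verifies; the "partial" one reproduces the `bad udp cksum 0x.... -> 0x....!` line the asker is seeing, because a capture taken on the sending host sees the field before the NIC has finished it. If the warnings are noise for the investigation at hand, `tcpdump -K` (`--dont-verify-checksums`) turns verification off, and `sudo lsof -nP -iTCP:443 -iUDP:32376` narrows the asker's lsof output to the local ports that appear in the trace.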