9

I noticed while hanging in Microsoft Network Monitor that my computer is sending ICMP echo requests to an arbitrary IP address, 202.39.253.11. I looked for the owner of this IP and I found it is owned by some Chinese or Taiwanese communication business called HINET. They seem to have a website at this address, although answers seem to come from 202.39.253.12.

I was wondering, am I at risk of opening myself to ICMP tunneling from a remote attacker?

I looked at the packets and they all look the same:

   08 00 6E 89 00 01 00 14 49 43 4D 50 20 65 63 68 6F     ..n....ICMP echo
   08 00 6E 88 00 01 00 15 49 43 4D 50 20 65 63 68 6F     ..n....ICMP echo

The answers are all the same, except for 9 bytes of 00 data at the end of the answer payload. I know by seeing this that no data is exchanged at the moment, but is it possible that a "spy" software is installed on my computer and could start sending data at some point?

EDIT: They seem to own 202.39.128.0/17

EDIT 2: Since I am still unable to find out which process is generating all these ICMP requests, I will set up a proxy server using WinPcap to simulate the server's answer and figure out which process is reacting to random "commands" from the server. By setting custom routes I should be able to transfer the echo requests to my server. Any idea on how to detect weird behavior from a process receiving commands hidden in an ICMP tunnel? I figured I could try using Sysinternals Process Monitor and look for failed registry access or some other types of errors.

EDIT 3: I finally got it! For some reason I had this idea of using a "brute force" solution to find the process causing the issue. By looking at every single byte sequence on my hard drive, I might find the raw data inside a program's executable file. So I ran the first program I found, "SearchMyFiles" (http://www.nirsoft.net/utils/search_my_files.html), and started a query for ICMP echo. Guess what I found, apart from a whole lot of Google Chrome's history... A DLL containing ICMP echo as well as www.hinet.net. Here's a preview of the data I found:

49 43 4D 50 20 65 63 68 6F at offset 0001E4BC, which corresponds to ICMP echo

and

77 77 77 2E 68 69 6E 65 74 2E 6E 65 74 at offset 0001E233 (www.hinet.net)

The DLL is called gep.dll and is located at C:\Program Files (x86)\ASUS\AI Suite II\Network iControl\NetSvcHelp. So it seems to be ASUS that sends all these ICMP requests. I do have an ASUS motherboard and I did install the AI Suite from their website.

I still don't know if this connection is legitimate or safe, and I can't find information on the internet regarding this weird communication between an ASUS process and a server in Taiwan.

Alex Rose
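As an added example (not code from the original post), the following Python parses the two hex dumps quoted above as complete ICMP messages, i.e. it assumes each dump starts at the 8-byte ICMP header (type, code, checksum, identifier, sequence) followed by the 9-byte payload, with the IP header already stripped by Network Monitor. It recomputes the RFC 792 checksum and summarizes what changes between packets, which is the quickest way to confirm that consecutive requests differ only in sequence number and that the payload carries nothing beyond the fixed "ICMP echo" string.

```python
"""Parse the ICMP echo requests quoted in the question and verify their
checksums.  Added example, not part of the original post."""
import struct

# Hex dumps copied from the question: 8-byte ICMP header + 9-byte payload.
CAPTURED_PACKETS = [
    bytes.fromhex("08 00 6E 89 00 01 00 14 49 43 4D 50 20 65 63 68 6F"),
    bytes.fromhex("08 00 6E 88 00 01 00 15 49 43 4D 50 20 65 63 68 6F"),
]

ICMP_ECHO_REQUEST = 8
ICMP_ECHO_REPLY = 0


def icmp_checksum(data: bytes) -> int:
    """Ones'-complement sum of 16-bit big-endian words (RFC 792 / RFC 1071).
    An odd trailing byte is padded with a zero byte before summing."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:  # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_icmp_echo(packet: bytes) -> dict:
    """Split an ICMP echo header from its payload and check the checksum."""
    if len(packet) < 8:
        raise ValueError("ICMP header is 8 bytes; packet too short")
    icmp_type, code, checksum, ident, seq = struct.unpack("!BBHHH", packet[:8])
    # The checksum is computed with its own field set to zero.
    zeroed = packet[:2] + b"\x00\x00" + packet[4:]
    return {
        "type": icmp_type,
        "code": code,
        "checksum": checksum,
        "checksum_ok": icmp_checksum(zeroed) == checksum,
        "id": ident,
        "seq": seq,
        "payload": packet[8:],
    }


def summarize(packets) -> dict:
    """Parse a run of packets and report what stays constant across them."""
    parsed = [parse_icmp_echo(p) for p in packets]
    seqs = [p["seq"] for p in parsed]
    payloads = {p["payload"] for p in parsed}
    return {
        "packets": parsed,
        "all_echo_requests": all(p["type"] == ICMP_ECHO_REQUEST and p["code"] == 0
                                 for p in parsed),
        "all_checksums_ok": all(p["checksum_ok"] for p in parsed),
        "sequence_monotonic": all(b == a + 1 for a, b in zip(seqs, seqs[1:])),
        # A constant payload means no data rides along in the echo body.
        "payload_constant": len(payloads) == 1,
    }


if __name__ == "__main__":
    for p in CAPTURED_PACKETS:
        print(parse_icmp_echo(p))
    report = summarize(CAPTURED_PACKETS)
    print({k: v for k, v in report.items() if k != "packets"})
```

Feeding the summary a longer capture is the check to run if you suspect a covert channel: a payload that varies from packet to packet, or a checksum that does not match the visible bytes, is worth a closer look, whereas a fixed string and a sequence counter that just increments is what a plain keep-alive looks like.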
  • Could you use netstat or another similar program to figure out which program on your computer is making the connection? – Nasrus Dec 05 '13 at 04:36
  • I used netstat and the IP did not show up (`netstat -a -b -n`). Afterwards I realized it cannot work because ICMP is connectionless and does not work on top of TCP (I think netstat works only for TCP connections) – Alex Rose Dec 05 '13 at 05:20
  • How about with "-b -s -p icmp"? Also, do you have any suspect programs in mind? – Nasrus Dec 05 '13 at 05:54
  • Nothing more with that command. I tried closing as many processes as possible to find out which one was sending the requests, but without luck. Maybe a service is sending all those pings – Alex Rose Dec 05 '13 at 13:42
  • Why not suspend your processes one-by-one using a tool like [Process Explorer](http://technet.microsoft.com/en-us/sysinternals/bb896653.aspx) to determine which is the culprit? – mpontillo Dec 09 '13 at 07:19
  • I tried without success. It tells me that either it's a service (didn't shutdown services) or it's a process that spawns children when it gets killed – Alex Rose Dec 09 '13 at 07:23
  • @AlexRose Do you have a firewall installed ? – Ebenezar John Paul Dec 09 '13 at 07:25
  • I don't, except for the Windows default firewall, in which I added a custom rule to prevent further communication – Alex Rose Dec 09 '13 at 07:26
  • Asus is a Taiwanese company. – longneck Dec 13 '13 at 13:14
  • Yes but why does it need to send that many pings to their servers. We are talking about a request per 10 to 100 ms – Alex Rose Dec 13 '13 at 14:25
  • Very interesting! +1 – licklake Feb 17 '17 at 15:11
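The "brute force" step in EDIT 3, searching every file on disk for the raw byte sequences seen on the wire, is easy to reproduce without a third-party tool. The script below is an added example, not the asker's code or NirSoft's: it walks a directory tree, scans each binary for the two byte strings quoted in the question, and prints the hit offsets in the same 8-digit hex form the asker reported. The directory, the extension filter and the chunk size are assumptions you can change; files that cannot be opened (locked by a running process, access denied) are skipped so one unreadable file does not abort the scan.

```python
"""Search a directory tree for fixed byte sequences and report the offset of
each hit, the approach the asker took with SearchMyFiles.  Added example, not
part of the original post: the patterns are the two byte strings quoted in
the question; the directory scanned is whatever you pass in."""
import os
import sys
from typing import Dict, Iterable, List, Optional, Tuple

# Byte sequences quoted in the question (hex shown for cross-checking).
DEFAULT_PATTERNS = {
    "ICMP echo": b"ICMP echo",          # 49 43 4D 50 20 65 63 68 6F
    "www.hinet.net": b"www.hinet.net",  # 77 77 77 2E 68 69 6E 65 74 2E 6E 65 74
}

CHUNK_SIZE = 4 * 1024 * 1024  # read large binaries 4 MiB at a time


def find_offsets(data: bytes, pattern: bytes, base: int = 0) -> List[int]:
    """Every offset of pattern in data (overlaps allowed), shifted by base."""
    hits, start = [], 0
    while True:
        idx = data.find(pattern, start)
        if idx < 0:
            return hits
        hits.append(base + idx)
        start = idx + 1


def scan_file(path: str, patterns: Dict[str, bytes],
              chunk_size: int = CHUNK_SIZE) -> Dict[str, List[int]]:
    """Scan one file chunk by chunk.  The last (longest pattern - 1) bytes of
    each window are carried into the next one, so a match straddling a chunk
    boundary is still found, and each match is reported exactly once."""
    longest = max(len(p) for p in patterns.values())
    results: Dict[str, List[int]] = {name: [] for name in patterns}
    carry, base = b"", 0  # base = file offset of the current chunk's first byte
    with open(path, "rb") as fh:
        while True:
            chunk = fh.read(chunk_size)
            if not chunk:
                break
            window = carry + chunk
            window_base = base - len(carry)
            for name, pat in patterns.items():
                for off in find_offsets(window, pat, window_base):
                    # A match lying entirely inside the carry was already
                    # reported from the previous window; skip it.
                    if off + len(pat) > base:
                        results[name].append(off)
            base += len(chunk)
            carry = window[-(longest - 1):] if longest > 1 else b""
    return results


def scan_tree(root: str, patterns: Optional[Dict[str, bytes]] = None,
              extensions: Iterable[str] = (".dll", ".exe", ".sys"),
              chunk_size: int = CHUNK_SIZE) -> List[Tuple[str, str, int]]:
    """Walk root and return (path, pattern name, offset) for every hit.
    Pass extensions=() to scan every file regardless of name."""
    patterns = patterns or DEFAULT_PATTERNS
    exts = tuple(e.lower() for e in extensions)
    hits: List[Tuple[str, str, int]] = []
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            if exts and not fn.lower().endswith(exts):
                continue
            path = os.path.join(dirpath, fn)
            try:
                found = scan_file(path, patterns, chunk_size)
            except OSError:  # locked, access denied, vanished: skip, don't abort
                continue
            for name, offsets in found.items():
                hits.extend((path, name, off) for off in offsets)
    return hits


def format_hit(path: str, name: str, offset: int) -> str:
    """Render a hit the way the question reports them (8-digit hex offset)."""
    return "%s: %r at offset %08X" % (path, name, offset)


if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for hit in scan_tree(root):
        print(format_hit(*hit))
```

Run it against `C:\Program Files` (or the whole drive with `extensions=()`) and the output is the list of binaries that embed the same bytes you saw in the capture; a file that contains both the payload string and the server hostname, as gep.dll did here, is the one to look at first. Searching for a stable payload string this way is a general trick for tying a network artifact back to a binary on disk, but it only works when the bytes are stored in the clear, so no hit does not prove the data is absent.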

4 Answers

6

I had the same problem, constant pings to 202.39.253.11.

I have removed ASUS AI Suite II and ran the uninstall cleaner, and the pings have stopped.

The cleaner was at

http://rog.asus.com/forum/showthread.php?28319-AI-Suite-II-uninstall-cleaner

steve
3

Regarding periodic (1 second interval) ICMP from Ai Suite II, simply disable the "Network iControl" option to stop the pings. No need to completely remove this ASUS service.

JJK
2

Since they are all echoes... I don't think they are for tunneling, BUT!

You might be hacked. Some malware sends ping-like packets to weird IP addresses or websites. These are mainly botnet malware... Your PC is saying I AM HERE... I AM HERE by sending those echo messages, and at some point, when there is an attack, the hacker will actually own the server and will send commands to whoever is sending echo packets or some other predefined packets.

zBot and some other botnets were using algorithms like this...

Or of course it can be a service or whatever... but it is good to be safe and check the worst case first.

cengizUzun
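The "I AM HERE" pattern this answer describes, and the one-request-per-interval traffic the asker and JJK saw, share a signature a defender can score rather than eyeball: many echo requests from one host to one destination with almost no variation in the gap between them. The Python below is an added example, not code from this answer: it parses a constructed packet log (timestamp, source, destination, ICMP type; the destination 202.39.253.11 and the 1-second interval come from the thread, everything else is made up), groups echo requests per flow, and flags flows whose inter-packet gaps have a coefficient of variation below a threshold. The field layout, the minimum packet count and the jitter threshold are assumptions to tune for your own capture export.

```python
"""Flag periodic ICMP echo beaconing in a packet log, grouped by
(source, destination).  Added example, not part of the original answer; the
log lines below are constructed, with the destination from the question."""
import statistics
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

Flow = Tuple[str, str]


def build_sample_log() -> List[str]:
    """Constructed log in the form '<seconds> <src> -> <dst> ICMP type=<n>'."""
    lines = []
    # 30 echo requests to 202.39.253.11 once per second with +/-3 ms jitter:
    # the timer-driven pattern reported in the question and in JJK's answer.
    for i in range(30):
        ts = 100.0 + i + (0.003 if i % 2 else -0.002)
        lines.append("%.3f 192.0.2.10 -> 202.39.253.11 ICMP type=8" % ts)
    # Four manual pings to another host: regular, but far too few to matter.
    for i in range(4):
        lines.append("%.3f 192.0.2.10 -> 198.51.100.7 ICMP type=8" % (105.0 + i))
    # Irregular, on-demand traffic to a third host.
    for ts in (100.5, 100.9, 103.2, 103.3, 107.8, 108.0,
               112.4, 115.0, 115.1, 120.9, 121.0, 127.5):
        lines.append("%.3f 192.0.2.10 -> 203.0.113.5 ICMP type=8" % ts)
    # An echo reply; the parser ignores anything that is not a request.
    lines.append("100.010 202.39.253.11 -> 192.0.2.10 ICMP type=0")
    return lines


def parse_log(lines) -> Dict[Flow, List[float]]:
    """Collect echo-request (type 8) timestamps per (src, dst) flow."""
    flows: Dict[Flow, List[float]] = defaultdict(list)
    for line in lines:
        parts = line.split()
        if len(parts) != 6 or parts[4] != "ICMP" or parts[5] != "type=8":
            continue
        ts, src, _, dst = parts[:4]
        flows[(src, dst)].append(float(ts))
    return flows


def beacon_score(timestamps: List[float], min_count: int = 10,
                 max_cv: float = 0.05) -> Optional[dict]:
    """Interval statistics for one flow, or None if it has too few packets.

    'cv' is the coefficient of variation of the inter-packet gaps
    (stdev / mean).  A timer-driven beacon has a cv close to zero; traffic
    driven by a human or by events has gaps that vary widely."""
    ts = sorted(timestamps)
    if len(ts) < min_count:
        return None
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    mean = statistics.mean(gaps)
    cv = statistics.pstdev(gaps) / mean if mean > 0 else float("inf")
    return {"count": len(ts), "interval": mean, "cv": cv, "periodic": cv < max_cv}


def detect_beacons(flows: Dict[Flow, List[float]], **kwargs) -> Dict[Flow, dict]:
    """Score every flow with enough packets; callers filter on 'periodic'."""
    report = {}
    for flow, ts in flows.items():
        score = beacon_score(ts, **kwargs)
        if score is not None:
            report[flow] = score
    return report


if __name__ == "__main__":
    for flow, score in detect_beacons(parse_log(build_sample_log())).items():
        flag = "PERIODIC" if score["periodic"] else "irregular"
        print("%s -> %s: %d pkts, %.3f s interval, cv=%.3f  %s"
              % (flow[0], flow[1], score["count"], score["interval"],
                 score["cv"], flag))
```

The score only says "this looks like a timer", which is exactly what both a vendor keep-alive and a botnet check-in look like on the wire; as the thread itself shows, the decision of whether it is benign comes from attributing the flow to a process and a binary, not from the traffic shape alone.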
0

I too have observed a suspicious level of ICMP traffic to IPv4 address 202.39.253.11 during a routine Wireshark scan.

Per a whois:

$ whois 202.39.253.11

   Netname: HINET-NET
   Netblock: 202.39.253.0/24

My solution was to uninstall a Windows application known as "Network Genie".

This application was made available as a download from the MSI motherboard web site, and (allegedly) assists in network-related (driver) functions for the on-board Realtek LAN chip.

Following some quick googling (keywords: "network", "genie", "hinet"), it appears that Network Genie shares address space with HINET-NET.

Once I uninstalled "Network Genie", the ICMP traffic stopped.

If this doesn't solve your issue, I would still recommend using the same basic approach I used--remove software one-by-one until the offender is identified.

If that doesn't work, it may be an indication of a compromise of some kind, at which point a backup and reformat of the operating system should be pursued with all haste and urgency.

xar