I noticed while hanging in Microsoft Network Monitor that my computer is sending ICMP echo requests to an arbitrary IP address, 202.39.253.11.
I looked for the owner of this IP and I found it is owned by some Chinese or Taiwanese communication business called HINET. They seem to have a website at this address, although answers seem to come from 202.39.253.12.
I was wondering, am I at risk of opening myself to ICMP tunneling from a remote attacker?
I looked at the packets and they all look the same:
08 00 6E 89 00 01 00 14 49 43 4D 50 20 65 63 68 6F ..n....ICMP echo
08 00 6E 88 00 01 00 15 49 43 4D 50 20 65 63 68 6F ..n....ICMP echo
The answers are all the same, except for 9 bytes of 00 data at the end of the answer payload. I know by seeing this that no data is exchanged at the moment, but is it possible that a "spy" software is installed on my computer and could start sending data at some point?
EDIT: They seem to own 202.39.128.0/17
EDIT 2: Since I am still unable to find out which process is generating all these ICMP requests, I will set up a proxy server using Winpcap to simulate the server's answer and figure out which process is reacting to random "commands" from the server. By setting custom routes I should be able to transfer the echo requests to my server. Any idea on how to detect weird behavior from a process receiving commands hidden in an ICMP tunnel? I figured I could try using Sysinternals Process Monitor and look for failed registry accesses or some other types of errors.
EDIT 3: I finally got it! For some reason I had this idea of using a "brute force" solution to find the process causing the issue. By looking at every single byte sequence on my hard drive, I might find the raw data inside a program's executable file. So I ran the first program I found, "SearchMyFiles" (http://www.nirsoft.net/utils/search_my_files.html), and started a query for "ICMP echo". Guess what I found, apart from a whole lot of Google Chrome's history... A dll containing "ICMP echo" as well as "www.hinet.net".
Here's a preview of the data I found:
49 43 4D 50 20 65 63 68 6F at offset 0001E4BC, which corresponds to "ICMP echo"
and
77 77 77 2E 68 69 6E 65 74 2E 6E 65 74 at offset 0001E233 ("www.hinet.net")
The dll is called gep.dll and is located here: C:\Program Files (x86)\ASUS\AI Suite II\Network iControl\NetSvcHelp
So it seems to be ASUS that sends all these ICMP requests. I do have an ASUS motherboard and I did install the AI Suite from their website.
I still don't know if this connection is legitimate or safe, and I can't find information on the internet regarding this weird communication between an ASUS process and a server in Taiwan.
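The check the poster did by eye (same payload every time, only the sequence number changing) can be automated over a capture. The following is an added example, not code from the post or from ASUS: it parses the two echo requests quoted above (reconstructed from the hex dump), verifies the ICMP checksums, and flags a stream whose payload changes between packets, which is the behaviour a tunnel would show and a fixed keep-alive would not. The `build_echo` helper exists only to construct test traffic.

```python
import struct
from collections import Counter

# The two echo requests quoted in the post (constructed here from its hex dump).
CAPTURE_HEX = [
    "08 00 6E 89 00 01 00 14 49 43 4D 50 20 65 63 68 6F",
    "08 00 6E 88 00 01 00 15 49 43 4D 50 20 65 63 68 6F",
]

def icmp_checksum(msg: bytes) -> int:
    """RFC 1071 one's-complement sum over the ICMP message with its checksum field zeroed."""
    if len(msg) % 2:            # odd length: pad with a zero byte for the last 16-bit word
        msg += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(msg) // 2), msg))
    while total >> 16:          # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def parse_echo(msg: bytes) -> dict:
    """Split an ICMP message into header fields and payload, and verify its checksum."""
    icmp_type, code, checksum, ident, seq = struct.unpack("!BBHHH", msg[:8])
    expected = icmp_checksum(msg[:2] + b"\x00\x00" + msg[4:])
    return {"type": icmp_type, "code": code, "id": ident, "seq": seq,
            "payload": msg[8:], "checksum_ok": checksum == expected}

def build_echo(ident: int, seq: int, payload: bytes) -> bytes:
    """Build a well-formed echo request (type 8, code 0); used only to construct test traffic."""
    hdr = struct.pack("!BBHHH", 8, 0, 0, ident, seq)
    return hdr[:2] + struct.pack("!H", icmp_checksum(hdr + payload)) + hdr[4:] + payload

def assess(msgs) -> dict:
    """Baseline check over a stream of echo requests: a keep-alive has one fixed payload
    and a plain sequence counter; payloads that change from packet to packet mean the
    echo requests are carrying data."""
    pkts = [parse_echo(m) for m in msgs]
    payloads = Counter(p["payload"] for p in pkts)
    seqs = [p["seq"] for p in pkts]
    return {
        "count": len(pkts),
        "all_echo_request": all(p["type"] == 8 and p["code"] == 0 for p in pkts),
        "checksums_ok": all(p["checksum_ok"] for p in pkts),
        "distinct_payloads": len(payloads),
        "sequential": all(b - a == 1 for a, b in zip(seqs, seqs[1:])),
        "carries_data": len(payloads) > 1,
    }

if __name__ == "__main__":
    print(assess(bytes.fromhex(h) for h in CAPTURE_HEX))
```

On the poster's capture this reports one distinct payload ("ICMP echo"), consecutive sequence numbers and valid checksums, so `carries_data` is False; feeding it a longer capture from Network Monitor is what would show whether that ever changes.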