How do I locate the app generating this network traffic?

Posted on

QUESTION :

I don’t know what this process is doing on my computer. I run Windows 7 Professional w/ all its updates running current non-free antivirus.

I only see it in Resource Monitor, where you can see the Network Service process connected to bitum.nnov.ru.

When my PC’s network traffic generating apps are idle, this process is using the most of all the idle processes using the network.

Screenshot hosted here:
http://sss.proinbox.com/bitum-nnov-ru.jpg

Does anyone recognize this?

The page source mentions a control port & a stream port:

Page Source for http://bitum.nnov.ru :

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<title>DVR WebViewer</title>
<meta http-equiv="Content-Type" content="text/html; charset=euc-kr">
</head>

<body topmargin="0" leftmargin="0">
<OBJECT
      classid="clsid:EE479A40-C128-40DD-93DA-000556AF9607"
      codebase="CtrWeb.cab#version=1,0,2,2"
      width=875
      height=585
      align=center
      hspace=0
      vspace=0
>  
<param name="CmdPort" value="5920">
<param name="StreamPort" value="5921">
</body>
</html>

When I google this page’s title, I see a number of other domains that host the same page.

Whois:

domain:        NNOV.RU
nserver:       ns.kis.ru.
nserver:       ns.nnov.ru. 78.25.80.210
nserver:       ns1.kis.ru.
nserver:       ns2.kis.ru.
state:         REGISTERED, DELEGATED, VERIFIED
org:           "Agentstvo Delovoj Svjazi", Ltd
registrar:     RU-CENTER-REG-RIPN
admin-contact: https://www.nic.ru/whois
created:       1996.10.23
paid-till:     2012.11.01
free-date:     2012.12.02
source:        TCI

Last updated on 2012.06.16 04:20:46 MSK

ANSWER :

Download a copy of tcpview from Sysinternals: http://technet.microsoft.com/en-us/sysinternals/bb897437.aspx. It can show connected apps & destinations.

I would advice to use Wireshark to sniff the network traffic and see the nature of the traffic. You could upload your pcap file when your computer is idle here and we could take a look. From what I can see, that XHTML file references to an ActiveX control for Internet Explorer. I tried it on a Virtual Machine so if it is malicious I won’t infect my main computer and it shows an interface to connect to a DVR Recorder (a webcam that has its own hard drive to store the captures).

Screenshot

Something very fishy is going on here in my opinion. The first thing that comes to my mind is that someone is using you as a proxy to connect to this website, but I don’t know for sure.

Leave a Reply

Your email address will not be published. Required fields are marked *