Vulnerability Development mailing list archives

Followup: Zone Alarm and Akamai -- not either one. (blush).


From: j nickson <jnickson () TOGETHER NET>
Date: Mon, 16 Oct 2000 03:39:30 -0400

Followup:  Zone Alarm and Akamai.

    Well, this is too long, but it may help someone.

Summary:

UDP probes and DNS spoofing from your ISP are generally
recommended to be ignored by various authorities such as the
Black Ice advice area.

This advice may be misleading in some circumstances.

Probably this is generally good advice for the first minute or
two at most, but in the following situation it is more likely
that the system concerned was hosting some hostile process.

-------------------------------------------------

Background:

Win 98 SE, no sound card, no Real Audio, ver 4.10.2222

Modem connection to temporary IP Addresses (naturally) ...

Netscape 4.08, no netcaster, all Java turned off, javascript
  sometimes on, sometimes off.

Opera 3.62 also with Java Off, javascript sometimes.

No chat ever.

All e-mail through Eudora with HTML and advanced formatting
   OFF.

Internet Explorer exists but is never used.  Outlook Express
is not on the system.  Scripting server is not on the system.

Black Ice Defender, Zone Alert and Web Washer are all latest
   releases.

Webwasher set to allow initial javascript but blocking all terminating
   js.

UDP Probe history: Usually five per hour or so.

DNS spoofing reported from one ISP regularly.
  Probably irrelevant but this ISP recently had "router
  problems" whose external symptoms were remarkably like the
  ones described in a different thread on this group.
  This ISP ignored e-mail asking for further advice on their DNS spoofs.

GRC.COM Shield's Up consistently reports the system as
  "stealth" and no netbios exposed, as expected.

----------------------------

This Sunday morning I was checking news and weather and got 44
UDP probes in about ten minutes.

I closed all network applications, locked Zone Alert (ZA) and
thought for a bit.

Went to get coffee, sat down again and *then* ZA popped a
message

---------------------------------------
The firewall has blocked Internet access to a388.g.akamai.net
(63.160.183.233) (HTTP) from your computer.

Time: 10/15/00 8:13:08
----------------------------------------

It turns out Akamai is used by CNN, that much is solved.

Why "my computer" was requesting something about two minutes
after Netscape had been terminated escapes me.

Connection killed.

I connected a few times, switching ISPs and switching to and from Black Ice
(all firewalls latest copies), and got similar results: UDP probes, perhaps
one per minute, not quite the outrageous rate of 44 in ten or eleven minutes
of the first session.

No, they were not front end loaded, pretty evenly distributed in bursts.

I switched back to ZA.  I believe I re-booted but am not 100% on that.

Note that Black Ice Defender was no longer in memory.

Zone Alert was running.  I connected with an ISP with ZA
"locked" and in a while, not immediately, got this message.
(note blackd is the BI Defender daemon)

---------------------------------------
blackd tried to connect to the Internet (209.198.87.40), but was denied
access by the Internet Lock.

User: *********************
Program: blackd
Time: 10/15/00 9:19:58
------------------------------------------

I hit Ctrl-Alt-Del to look at the top level running tasks and
neither blackd nor Black Ice was listed.

I know there are more detailed task lists, but I did not have
them handy at the moment.

It was pretty clear the system was ill or boggled.
Phantom program requests.

By Noon I had de-installed and re-installed BI and ZA and
Webwasher and was connecting, generally with Zone Alert locked.
Little changed -- usually five UDP probes or so in the first
ten minutes.

A little after that I browsed the same sites that I had in the
morning, then terminated all applications, locked ZA and a few
minutes later got:

------------------------------------------

The firewall has blocked Internet access to 216.15.66.222
(HTTP) from your computer.

Time: 10/15/00 12:38:38

-------------------------------------------------

which is a Microsoft site advertising IIS.

I have not been to a Microsoft site for weeks.  I tend to
avoid them as they do not seem careful about individual's
privacy concerns.


Again ZA was locked and NO internet applications such as
browsers were running.

It was pretty clear that the computer was boggled.

I picked up a Trumpet Winsock 5.0 (great product) but it is
Winsock 1.1 compatible, and the fws and WebWasher require
winsock 2.0.  It browsed great, but no fw support.

De-install Trumpet.


Then

-  Many larger apps were removed (Star Office, Jbuilder, Delphi, ...).

-  Zone Alert and Web Washer removed.

-  Various document areas backed up again and some zipped
   also.

-  File hashes taken for all files (I generally only do
   C:)

-  The world defragged.

-  The registry cleaned using MS RegClean

-  Zone Alert, Black Ice and Webwasher are re-installed in new
   places.

   - When this is done and the configuration checked, Zone Alert
     shows an App I never approved, JAVA.EXE. I can attest
     that it was not in the webwasher list of programs before.
     I would have noticed, I hate Java for on-line.

     Great.  Who or what got to ZA's list?  Hidden in the
     Registry is my guess.  I remove it.

     I double check and there is no Java.exe on the system now.
     Listed in the registry under a compatibility key?  I remove it.
      - Each of Eudora, Netscape, Opera run separately, the key does
        not re-appear.

     I am almost certain there was one inside the
     Inprise/Borland package which is now removed.
     JAVAxxx's permeate any modern system.


---------------------------

It is now about 19:00 and I reconnect to the internet.

No UDP probes.  No more DNS spoofs.

Three hours of connect time later I have *one* suspicious UDP
probe.

I also tested "hangover requests" by locking ZA in the middle of browsing
and have not gotten any hangover requests after about 30 seconds.  I see
nothing in the several minute range.

The difficulty with this procedure is that repair took roughly
11 hours and to have single stepped and checked all the way
through for determining an exact cause would have
taken days, which are not available.

A sarcastic and mathematically inclined friend is fond of saying, "Windows
is a reliable state machine as turning it on, or using it, or any change
reliably takes it from one unknown state through an unknowable function to
a new unknown state."

However in the new state:

  Black Ice is reliable and no longer sending messages when it is not
  loaded.  It is not implicated in any way.

  The system is not apparently connecting to Redmond spontaneously.

  The system is no longer asking for things or sending information several
  minutes after the relevant program has been terminated.

  Lower level DLLs may have been altered, however none in C: were.  The
  removal of many apps may have removed attack traces, and as I do not keep
  apps on C:, they did not have hash/signatures anyway.

UDP probes went from a peak of 44 in ten minutes to 0.33 per hour.

I have not seen a DNS spoof.

Something serious changed.

Learnings:

UDP probes and DNS spoofs are not as harmless as some doc indicates.  DNS
Spoofs can be really serious.  Naturally I never went to any account sites
after seeing one.

One of my two ISPs should have answered my e-mail of several
weeks ago about this, but they did not.  I will cheerfully be
an expert witness, or recommend some, that such behavior
does not meet "Due Care" or minimum professional standards
should someone be severely damaged by such ISP behavior.

If you have asked them about such a problem and gotten no response, and
then your bank account is remotely cleaned out, the ISP might bear
considerable liability.

Black Ice is great for other reasons, but ZA has the ability
to block all internet access NOW and report on attempts.  This
is a really good feature.

I recommend that every once in a while you start up with
everything locked, and also once in a while shut all network
applications and lock ZA and watch for a few minutes while
still connected.

There are explainable exceptions, but

   Nothing Happening

is the hoped for case.  That is what I get now.

I intend to alternate between BI and ZA every week or two.

If you have only one, it might not be a bad idea, particularly
if you are getting hit, to de-install, RegClean, re-install in
a different location.  It takes but a few moments and might clean up any
attack leavings.

Of course all my primary passwords are changed.

No particular product was implicated except of course the
Windows Architectural Hairball (Cowpland), but I am almost
but not quite ready to switch to Linux entirely.
-------------------------------------------------
James Nickson, CDP  voice: 603-256-8055
10 Merrifield, W. Chesterfield, NH, 03466-3131
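The "lock the firewall, close everything, and watch" check described in the post can be automated against the firewall's own alert text. The following is an added example, not code from the original message or from any of the products it names. It parses alerts in the two shapes ZoneAlarm produced above (the "blocked Internet access" alert and the "Internet Lock" alert); the regexes are assumptions derived from those quoted samples rather than from product documentation, the 30-second grace period is taken from the post's own observation that legitimate hangover requests stop within about 30 seconds, and the lock time and the extra "netscape" alert in the sample data are constructed.

```python
"""Detect "hangover" outbound attempts after the firewall's Internet Lock.

Added example, not code from the original post or from ZoneAlarm/Black Ice.
The alert regexes are assumptions modelled on the two alert shapes quoted
in the message; other alert types are ignored.
"""
import re
from datetime import datetime, timedelta

TIME_FMT = "%m/%d/%y %H:%M:%S"
_TIME = r"(?P<time>\d{1,2}/\d{1,2}/\d{2} \d{1,2}:\d{2}:\d{2})"

# Matched against whitespace-flattened text, because the archived messages
# are wrapped mid-sentence and line breaks cannot be relied on.
BLOCKED_RE = re.compile(
    r"The firewall has blocked Internet access to (?P<dest>\S+)"
    r"(?: \((?P<ip>[\d.]+)\))? \((?P<proto>[A-Za-z]+)\) from your computer\."
    r" Time: " + _TIME
)
LOCKED_RE = re.compile(
    r"(?P<prog>\S+) tried to connect to the Internet \((?P<ip>[\d.]+)\),"
    r" but was denied access by the Internet Lock\.(?: User: \S+)?"
    r" Program: (?P<program>\S+) Time: " + _TIME
)


def parse_alert(text):
    """Return a dict for a recognised alert, or None for anything else."""
    flat = " ".join(text.split())
    m = BLOCKED_RE.search(flat)
    if m:
        return {
            "kind": "blocked",
            "program": None,            # this alert shape names no process
            "dest": m["dest"],
            "ip": m["ip"] or m["dest"],  # bare-IP alerts carry no separate IP
            "proto": m["proto"],
            "time": datetime.strptime(m["time"], TIME_FMT),
        }
    m = LOCKED_RE.search(flat)
    if m:
        return {
            "kind": "locked",
            "program": m["program"],    # the "Program:" field, not the sentence prefix
            "dest": m["ip"],
            "ip": m["ip"],
            "proto": None,
            "time": datetime.strptime(m["time"], TIME_FMT),
        }
    return None


def find_hangovers(alerts, lock_time, grace=timedelta(seconds=30), approved=()):
    """Flag attempts made after lock_time + grace, or by an unapproved program.

    grace=30s is an assumption taken from the post's observation that
    legitimate hangover requests stop within about 30 seconds.
    Returns a list of (program-or-destination, seconds_after_lock, reasons).
    """
    approved_lc = {p.lower() for p in approved}
    findings = []
    for a in alerts:
        if a is None or a["time"] < lock_time:
            continue                    # unparsed or pre-lock alerts are out of scope
        delay = a["time"] - lock_time
        reasons = []
        if delay > grace:
            reasons.append("late")
        if a["program"] is not None and a["program"].lower() not in approved_lc:
            reasons.append("unapproved-program")
        if reasons:
            findings.append((a["program"] or a["dest"], int(delay.total_seconds()), reasons))
    return findings


# Constructed sample: two alerts quoted in the post (wrapped as in the
# archive), one made-up in-grace alert from an approved program, and one
# unrelated line the parser must ignore.
SAMPLE_ALERTS = [
    "netscape tried to connect to the Internet (63.160.183.233), but was denied\n"
    "access by the Internet Lock.\n\nUser: *****\nProgram: netscape\nTime: 10/15/00 8:11:20",
    "The firewall has blocked Internet access to a388.g.akamai.net\n"
    "(63.160.183.233) (HTTP) from your computer.\n\nTime: 10/15/00 8:13:08",
    "blackd tried to connect to the Internet (209.198.87.40), but was denied\n"
    "access by the Internet Lock.\n\nUser: *********************\nProgram: blackd\n"
    "Time: 10/15/00 9:19:58",
    "Some other line the parser does not understand",
]
# Assumed lock time for the morning session; the post only says "about two minutes".
LOCK_TIME = datetime(2000, 10, 15, 8, 11, 0)


def run_sample():
    alerts = [parse_alert(t) for t in SAMPLE_ALERTS]
    return find_hangovers(alerts, LOCK_TIME, approved=("netscape", "eudora", "opera"))


if __name__ == "__main__":
    for who, secs, why in run_sample():
        print(f"{who:22s} +{secs:5d}s  {', '.join(why)}")
```

On the sample, the in-grace netscape attempt is accepted, the Akamai request is flagged as late (128 seconds after the lock), and the blackd attempt is flagged both as late and as coming from a program not on the approved list, which is the "nothing happening" check the post recommends, applied mechanically.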

