I have had dealings with this problem. We have 40-50 HPs that were
generating ICMP traffic to a certain address. HP's web site mentions nothing
of the problem. Talking to tech support got no answers. They did suggest
that it may be for connectivity testing by the company that made the
keyboard driver. I informed them that it was only a matter of time before
someone considered this a security issue and posted to a firewall mailing
list. (imagine that). The exe actually makes ICMP calls to Winsock for a
hard coded IP. kooky. What happens when a host is put on this address and is
DDoS'd by a faulty multimedia keyboard driver? Can you say 'full disclosure
of pending liability'? There is an update if you want to lose the traffic
but keep the 'nifty volume thingy' at www.netropa.com .
HTH
Shane
[EMAIL PROTECTED]
----- Original Message -----
From: "Steve Coleman" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Tuesday, January 09, 2001 9:53 AM
Subject: Re: ping activity originating from my home machine
> Last night through a lot of trial and error I narrowed it down to the HP
> "One touch multimedia keyboard" executable. It was generating an ICMP
> ping about once every second. My network sniffer showed that the
> outbound packet was an ICMP echo request which most Win applications do
> not pay much attention to. When I disabled all network IO through
> ZoneAlarm it would complain about the keyboard executable trying to
> connect to the internet but would give very little detail because it was
> ICMP not TCP or UDP. As long as I denied the keyboard from connecting to
> the Internet the sniffer showed that the traffic was no longer there. I
> then uninstalled the keyboard executable and opened up the network
> interface and the rogue ICMP traffic was gone.
>
> I can only think of one good reason for a "keyboard" executable to be
> pinging any machine on the Internet, perhaps to keep a dialup line
> alive. But then I don't dial up! If the binary was part of some kind of
> rootkit I may never know because I had removed it completely from my
> system. I may have to reinstall it just to read the documentation to see
> if there is some kind of keep alive option, but for now I am going to
> assume the worst and monitor my system very heavily looking for other
> abnormalities.
>
> Apparently BlackICE was not making any association between the return
> ICMP timeout packet and the original outbound echo request packet,
> probably due to the differing source and destination addresses. BlackICE
> was therefore thinking that the Internet router that timed out the echo
> request packet was trying to DOS my machine.
>
> Many thanks to the people that pointed me to some really neat tools.
> Unfortunately I have found that for many such tools Win 2000 != WinME
> and I had a number of unresolved dll references. I guess I will just
> have to shell out the bucks to upgrade to Win 2000 professional. At
> least that way I will _know_ what is installed on my system! :-)
>
> --
> Steve Coleman <[EMAIL PROTECTED]> http://www.jhuapl.edu/
> High Performance, fault tolerant, distributed, real-time computing
> <<-------->> Johns Hopkins Applied Physics Laboratory <<--------->>
> Balt:443-778-6330 Fax:443-778-5597 Wash:240-228-6330 Fax:240-228-5597
> -
> [To unsubscribe, send mail to [EMAIL PROTECTED] with
> "unsubscribe firewalls" in the body of the message.]
>
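As an added example (not from either poster), a short Python sketch of the two checks this thread turns on: pairing an inbound ICMP Time Exceeded with the echo request it answers via the quoted inner header, which is the association BlackICE did not make, and flagging a host that pings one address at a steady one-second period. The sniffer records, addresses and ICMP ids are constructed.

```python
from collections import defaultdict
from statistics import mean

# Constructed sniffer log (not from the thread): one dict per ICMP packet seen at
# the host. Outbound echo requests (type 8) carry an (id, seq) pair; an inbound
# Time Exceeded (type 11) quotes the expired datagram's header, so the original
# destination and (id, seq) can be read back out of it.
HOST, TARGET, ROUTER = "192.168.1.10", "203.0.113.5", "198.51.100.1"
RECORDS = []
for seq, t in enumerate((0.00, 1.02, 1.98, 3.01, 4.00), start=1):
    RECORDS.append({"t": t, "type": 8, "src": HOST, "dst": TARGET, "id": 512, "seq": seq})
    RECORDS.append({"t": t + 0.3, "type": 11, "src": ROUTER, "dst": HOST,
                    "orig_dst": TARGET, "id": 512, "seq": seq})
# Genuinely unsolicited: it quotes a probe this host never sent.
RECORDS.append({"t": 4.5, "type": 11, "src": "198.51.100.9", "dst": HOST,
                "orig_dst": "203.0.113.77", "id": 9, "seq": 1})


def correlate(records):
    """Pair each inbound Time Exceeded with the echo request it answers, keyed on
    the quoted (original destination, id, seq) rather than on the error's source
    address. Returns (matched pairs, type-11 messages no request explains)."""
    pending, matched, unsolicited = {}, [], []
    for r in sorted(records, key=lambda x: x["t"]):
        if r["type"] == 8:
            pending[(r["dst"], r["id"], r["seq"])] = r
        elif r["type"] == 11:
            req = pending.pop((r["orig_dst"], r["id"], r["seq"]), None)
            if req is None:
                unsolicited.append(r)
            else:
                matched.append((req, r))
    return matched, unsolicited


def find_beacons(records, min_count=5, max_jitter=0.25):
    """Return {(src, dst): period} for pairs sending at least min_count echo
    requests whose inter-arrival gaps all lie within max_jitter of the mean."""
    by_pair = defaultdict(list)
    for r in records:
        if r["type"] == 8:
            by_pair[(r["src"], r["dst"])].append(r["t"])
    beacons = {}
    for pair, times in by_pair.items():
        times = sorted(times)
        gaps = [b - a for a, b in zip(times, times[1:])]
        if len(times) >= min_count and all(abs(g - mean(gaps)) <= max_jitter for g in gaps):
            beacons[pair] = round(mean(gaps), 2)
    return beacons
```

Only the one Time Exceeded that quotes an unknown probe survives as unsolicited; the router answering the keyboard's own pings is accounted for, and the once-a-second pattern to the hard coded address stands out on its own.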