Rootkit Revealer's helpfile calling out?

Discussion in 'Computer Security' started by John Corliss, Feb 7, 2006.

  1. John Corliss

    I just installed Sysinternals' Rootkit Revealer on my computer (XP Home
    SP2, fresh install, all current Windows updates installed) and ran it.
    When I open the program's help file, I immediately get alerts from my
    firewall (Kerio) that Rootkit Revealer is trying to connect out:

    'Rootkit detection utility' from your computer wants to connect to
    207.46.156.221, port 80
    (This call is actually to Microsoft!)

    'Rootkit detection utility' from your computer wants to send UDP
    datagram to localhost [127.0.0.1], port 1057
    (I know that this one is to my system)

    'Rootkit detection utility' from your computer wants to connect to
    69-44-123-105.wcg.net [69.44.123.105], port 80

    'Rootkit detection utility' from your computer wants to connect to
    69-44-123-110.wcg.net [69.44.123.110], port 80
    (These last two are to Williams Communications, Incorporated in Tulsa, OK)

    What the heck is going on? What business does a help file have calling
    out to any online address?

    --
    Regards from John Corliss
    John Corliss, Feb 7, 2006
    #1

  2. Moe Trin

    On Tue, 07 Feb 2006, in the Usenet newsgroup alt.computer.security, in article
    <>, John Corliss wrote:

    >I just installed Sysinternals' Rootkit Revealer on my computer (XP Home
    >SP2, fresh install, all current Windows updates installed) and ran it.


    ;-)

    >'Rootkit detection utility' from your computer wants to connect to
    >69-44-123-105.wcg.net [69.44.123.105], port 80
    >
    >'Rootkit detection utility' from your computer wants to connect to
    >69-44-123-110.wcg.net [69.44.123.110], port 80
    >(These last two are to Williams Communications, Incorporated in Tulsa, OK)


    [compton ~]$ whois -h whois.arin.net 69.44.123.105
    [whois.arin.net]
    Williams Communications, Incorporated WCG-BLK-4 (NET-69-44-0-0-1)
    69.44.0.0 - 69.45.255.255
    Akamai Technologies, Inc. WLCO-TWC02103626-AKAMAI-TECH-SANFRANCISCO (NET-69-44-123-96-1)
    69.44.123.96 - 69.44.123.127

    # ARIN WHOIS database, last updated 2006-02-06 19:10
    # Enter ? for additional hints on searching ARIN's WHOIS database.
    [compton ~]$

    Why don't you look up Akamai Technologies on google. They are a 'content
    provider' supplying updates, web pages, and advertisements for nice large
    companies like microsoft.

    Old guy
    Moe Trin, Feb 7, 2006
    #2
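As an added example (not part of Moe Trin's reply or of the original post), here is a short Python script that does mechanically what the reply above does by hand: it pulls the destination addresses out of the Kerio prompts and attributes each one to the most specific ARIN allocation that contains it, so the two wcg.net hosts fall under the Akamai sub-allocation rather than the parent Williams block. The alert text and whois lines are copied from the thread as constructed input (the NET handle that wrapped across two lines is joined back together); the script makes no network lookups.

```python
import ipaddress
import re

# Constructed input: the Kerio prompts quoted in the original post.
ALERTS = """\
'Rootkit detection utility' from your computer wants to connect to
207.46.156.221, port 80

'Rootkit detection utility' from your computer wants to send UDP
datagram to localhost [127.0.0.1], port 1057

'Rootkit detection utility' from your computer wants to connect to
69-44-123-105.wcg.net [69.44.123.105], port 80

'Rootkit detection utility' from your computer wants to connect to
69-44-123-110.wcg.net [69.44.123.110], port 80
"""

# Constructed input: the ARIN answer quoted in Moe Trin's reply.
WHOIS = """\
Williams Communications, Incorporated WCG-BLK-4 (NET-69-44-0-0-1)
69.44.0.0 - 69.45.255.255
Akamai Technologies, Inc. WLCO-TWC02103626-AKAMAI-TECH-SANFRANCISCO (NET-69-44-123-96-1)
69.44.123.96 - 69.44.123.127
"""

# Kerio prompt: "... wants to connect to <host> [<ip>], port <n>" or
# "... wants to send UDP datagram to <host> [<ip>], port <n>"; the host
# name and the brackets are optional, and the line may wrap.
ALERT_RE = re.compile(
    r"wants to (?P<verb>connect to|send UDP\s+datagram to)\s+"
    r"(?:\S+\s+)?\[?(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]?,\s*port\s+(?P<port>\d+)"
)

# ARIN line pair: "<org> <handle> (NET-...)" followed by "<lo> - <hi>".
RANGE_RE = re.compile(
    r"^(?P<org>.+?)\s+\S+\s+\(NET-[^)]+\)\s*\n(?P<lo>[\d.]+)\s*-\s*(?P<hi>[\d.]+)",
    re.M,
)


def parse_alerts(text):
    """Return one (protocol, ip, port) tuple per firewall prompt."""
    out = []
    for m in ALERT_RE.finditer(text):
        proto = "udp" if m.group("verb").startswith("send UDP") else "tcp"
        out.append((proto, ipaddress.ip_address(m.group("ip")), int(m.group("port"))))
    return out


def parse_arin_ranges(text):
    """Turn each ARIN 'lo - hi' range into (org, network) pairs."""
    ranges = []
    for m in RANGE_RE.finditer(text):
        lo = ipaddress.ip_address(m.group("lo"))
        hi = ipaddress.ip_address(m.group("hi"))
        for net in ipaddress.summarize_address_range(lo, hi):
            ranges.append((m.group("org"), net))
    return ranges


def attribute(ip, ranges):
    """Name the longest-prefix allocation containing ip (sub-allocations win)."""
    if ip.is_loopback:
        return "loopback (this host)"
    hits = [(net.prefixlen, org) for org, net in ranges if ip in net]
    if not hits:
        return "not in supplied whois data"
    return max(hits)[1]


def report(alerts_text=ALERTS, whois_text=WHOIS):
    """(protocol, ip, port, owner) for every prompt, in the order seen."""
    ranges = parse_arin_ranges(whois_text)
    return [(proto, str(ip), port, attribute(ip, ranges))
            for proto, ip, port in parse_alerts(alerts_text)]


if __name__ == "__main__":
    for proto, ip, port, owner in report():
        print(f"{proto:3} {ip:>16}:{port:<5} {owner}")
```

The 207.46.156.221 address is reported as unattributed only because the whois text pasted in the thread covers the 69.44.0.0 block and nothing else; feed the script the ARIN answer for that address and it will classify it the same way.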

  3. John Corliss

    Moe Trin wrote:
    > On Tue, 07 Feb 2006, in the Usenet newsgroup alt.computer.security, in article
    > <>, John Corliss wrote:
    >
    >> I just installed Sysinternals' Rootkit Revealer on my computer (XP Home
    >> SP2, fresh install, all current Windows updates installed) and ran it.

    >
    > ;-)
    >
    >> 'Rootkit detection utility' from your computer wants to connect to
    >> 69-44-123-105.wcg.net [69.44.123.105], port 80
    >>
    >> 'Rootkit detection utility' from your computer wants to connect to
    >> 69-44-123-110.wcg.net [69.44.123.110], port 80
    >> (These last two are to Williams Communications, Incorporated in Tulsa, OK)

    >
    > [compton ~]$ whois -h whois.arin.net 69.44.123.105
    > [whois.arin.net]
    > Williams Communications, Incorporated WCG-BLK-4 (NET-69-44-0-0-1)
    > 69.44.0.0 - 69.45.255.255
    > Akamai Technologies, Inc. WLCO-TWC02103626-AKAMAI-TECH-SANFRANCISCO (NET-69-44-123-96-1)
    > 69.44.123.96 - 69.44.123.127
    >
    > # ARIN WHOIS database, last updated 2006-02-06 19:10
    > # Enter ? for additional hints on searching ARIN's WHOIS database.
    > [compton ~]$
    >
    > Why don't you look up Akamai Technologies on google. They are a 'content
    > provider' supplying updates, web pages, and advertisements for nice large
    > companies like microsoft.
    >
    > Old guy


    Right, I already did so and you're correct, MS is one of their
    customers. However, my question remains.... why does Rootkit Revealer
    call out /to anything/ when I open its help file?

    --
    Regards from John Corliss
    John Corliss, Feb 7, 2006
    #3
  4. Ant

    "John Corliss" wrote:

    > Moe Trin wrote:
    >> Why don't you look up Akamai Technologies on google. They are a 'content
    >> provider' supplying updates, web pages, and advertisements for nice large
    >> companies like microsoft.

    >
    > Right, I already did so and you're correct, MS is one of their
    > customers. However, my question remains.... why does Rootkit Revealer
    > call out /to anything/ when I open its help file?


    It doesn't. The Microsoft program (hh.exe) that runs the help file
    (RootkitRevealer.chm) is calling out. Presumably this is standard
    behaviour in case online help is provided. Perhaps the help file
    author can control it. Ask Sysinternals if you are concerned.
    Ant, Feb 7, 2006
    #4
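Ant's explanation can be checked rather than presumed. The Kerio prompt names the process by its file-description string, so the thing to look at is which executable, and with XP SP2's `netstat -b` which loaded components inside it, actually opened the socket: a separate hh.exe process and the HTML Help control (hhctrl.ocx) loaded into the calling program would look the same to a firewall that only reports a description. The Python below is an added example, not code from the thread or from Sysinternals. It parses a constructed `netstat -bno` listing in which one connection is owned by a stand-alone hh.exe and the other by hhctrl.ocx inside RootkitRevealer.exe; both owners are assumptions made for illustration, and which case applied on John's machine was never established in the thread.

```python
import re

# Constructed sample of `netstat -bno` output on Windows XP SP2 (PIDs,
# addresses and the two assumed owners are illustrative, not captured).
# With -b, component DLLs are listed above the owning [executable]; the
# top entry is the one closest to TCP/IP, the bottom the one the
# executable itself called.
SAMPLE_NETSTAT = r"""
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    192.168.1.5:1058       207.46.156.221:80      SYN_SENT        1488
  [hh.exe]

  TCP    192.168.1.5:1060       69.44.123.105:80       ESTABLISHED     1520
  c:\windows\system32\WININET.dll
  c:\windows\system32\hhctrl.ocx
  [RootkitRevealer.exe]

  UDP    127.0.0.1:1057         *:*                                    1520
  [RootkitRevealer.exe]
"""

# Proto, local, foreign, optional state (UDP has none), PID.
CONN_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:(\S+)\s+)?(\d+)\s*$")


def parse_netstat_b(text):
    """Group each socket line with the component/executable lines under it."""
    records, cur = [], None
    for line in text.splitlines():
        m = CONN_RE.match(line)
        if m:
            proto, local, remote, state, pid = m.groups()
            cur = {"proto": proto, "local": local, "remote": remote,
                   "state": state, "pid": int(pid), "components": [], "exe": None}
            records.append(cur)
            continue
        s = line.strip()
        if cur is None or not s:
            continue
        if s.startswith("[") and s.endswith("]"):
            cur["exe"] = s[1:-1]   # the owning executable closes the record
            cur = None
        else:
            cur["components"].append(s)
    return records


def owner_of(records, remote_ip, remote_port):
    """The record whose foreign address matches the firewall prompt, if any."""
    target = f"{remote_ip}:{remote_port}"
    for rec in records:
        if rec["remote"] == target:
            return rec
    return None


def describe(rec):
    """Human-readable owner, showing the in-process call chain when there is one."""
    if rec is None:
        return "no matching socket"
    if rec["components"]:
        # Reverse so the chain reads from the executable outwards to TCP/IP.
        chain = " -> ".join(c.rsplit("\\", 1)[-1] for c in reversed(rec["components"]))
        return f"{rec['exe']} (pid {rec['pid']}) via {chain}"
    return f"{rec['exe']} (pid {rec['pid']}) directly"


if __name__ == "__main__":
    recs = parse_netstat_b(SAMPLE_NETSTAT)
    for ip, port in (("207.46.156.221", 80), ("69.44.123.105", 80)):
        print(f"{ip}:{port} <- {describe(owner_of(recs, ip, port))}")
```

Run the real `netstat -bno` while the firewall prompt is still on screen (the connection is held in SYN_SENT until the prompt is answered), and the `[executable]` line, not the description string, tells you who to write the rule for.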
  5. traveler 66

    On Tue, 07 Feb 2006 08:04:30 -0800, John Corliss wrote:

    > I just installed Sysinternals' Rootkit Revealer on my computer (XP Home
    > SP2, fresh install, all current Windows updates installed) and ran it.
    > When I open the program's help file, I immediately get alerts from my
    > firewall (Kerio) that Rootkit Revealer is trying to connect out:
    >
    > 'Rootkit detection utility' from your computer wants to connect to
    > 207.46.156.221, port 80
    > (This call is actually to Microsoft!)
    >
    > 'Rootkit detection utility' from your computer wants to send UDP
    > datagram to localhost [127.0.0.1], port 1057
    > (I know that this one is to my system)
    >
    > 'Rootkit detection utility' from your computer wants to connect to
    > 69-44-123-105.wcg.net [69.44.123.105], port 80
    >
    > 'Rootkit detection utility' from your computer wants to connect to
    > 69-44-123-110.wcg.net [69.44.123.110], port 80
    > (These last two are to Williams Communications, Incorporated in Tulsa, OK)
    >
    > What the heck is going on? What business does a help file have calling
    > out to any online address?


    F-Secure has some rootkit detection in its anti-virus now, and they have a
    top quality rep. Some of these free programs may actually be rootkits!
    traveler 66, Feb 8, 2006
    #5
  6. John Corliss

    traveler 66 wrote:
    > On Tue, 07 Feb 2006 08:04:30 -0800, John Corliss wrote:
    >
    >> I just installed Sysinternals' Rootkit Revealer on my computer (XP Home
    >> SP2, fresh install, all current Windows updates installed) and ran it.
    >> When I open the program's help file, I immediately get alerts from my
    >> firewall (Kerio) that Rootkit Revealer is trying to connect out:
    >>
    >> 'Rootkit detection utility' from your computer wants to connect to
    >> 207.46.156.221, port 80
    >> (This call is actually to Microsoft!)
    >>
    >> 'Rootkit detection utility' from your computer wants to send UDP
    >> datagram to localhost [127.0.0.1], port 1057
    >> (I know that this one is to my system)
    >>
    >> 'Rootkit detection utility' from your computer wants to connect to
    >> 69-44-123-105.wcg.net [69.44.123.105], port 80
    >>
    >> 'Rootkit detection utility' from your computer wants to connect to
    >> 69-44-123-110.wcg.net [69.44.123.110], port 80
    >> (These last two are to Williams Communications, Incorporated in Tulsa, OK)
    >>
    >> What the heck is going on? What business does a help file have calling
    >> out to any online address?

    >
    > F-Secure has some rootkit detection in its anti-virus now, and they have a
    > top quality rep. Some of these free programs may actually be rootkits!


    I'm sure that doesn't apply in this case. Sysinternals is pretty much
    above reproach.

    --
    Regards from John Corliss
    John Corliss, Feb 8, 2006
    #6
  7. John Corliss

    Ant wrote:
    > "John Corliss" wrote:
    >> Moe Trin wrote:
    >>> Why don't you look up Akamai Technologies on google. They are a 'content
    >>> provider' supplying updates, web pages, and advertisements for nice large
    >>> companies like microsoft.

    >> Right, I already did so and you're correct, MS is one of their
    >> customers. However, my question remains.... why does Rootkit Revealer
    >> call out /to anything/ when I open its help file?

    >
    > It doesn't. The Microsoft program (hh.exe) that runs the help file
    > (RootkitRevealer.chm) is calling out. Presumably this is standard
    > behaviour in case online help is provided.


    That's what I was suspecting. And now I know why so many programs use
    offline web pages, text files and the like for help files.

    > Perhaps the help file
    > author can control it. Ask Sysinternals if you are concerned.


    I've joined one of their forums and posted the question, but not much
    help there yet. Guess I'll just set a rule in Kerio to block it in the
    future.

    --
    Regards from John Corliss
    John Corliss, Feb 8, 2006
    #7