
Thread: Who knows the 224.0.0.22?

  1. #1
    Junior Member
    Join Date
    Dec 2004
    Posts
    4

    Who knows the 224.0.0.22?

    Hi To All!

    I've used Sygate Personal Firewall for a long time. I regularly get a question from it, asking to allow
    programs to connect to the following IP: 224.0.0.22. The programs are different, the address is the same.
    The asking programs are: PAINT.EXE, Freecell.exe and more uninteresting, randomly selected
    programs.
    I've tried to ask Sygate Technologies Inc. about it several times. They registered my inquiry but didn't answer.

    I've made a few unsuccessful attempts to find out what causes this. I'm using 2 active antivirus
    programs (F-Secure and Panda), anti-spy (Spybot). I have hardware and software firewalls.

    So, what da HELL IS IT?!!!!! I'm a bit frustrated.

    PS:
    Recently I was at my friend's. He is using Sygate too. After his computer booted I saw Sygate asking to allow PAINT.exe to connect to 224.0.0.22!!!!!!!!

    Here is one of the details:

    File Version : 4.0.4
    File Description : HotSyncR Manager Application (HOTSYNC.EXE)
    File Path : D:\appz\Palm\HOTSYNC.EXE
    Process ID : 0x6A0 (Heximal) 1696 (Decimal)

    Connection origin : local initiated

    Ethernet packet details:
    Ethernet II (Packet Length: 68)
    Destination: 01-00-5e-00-00-16
    Source: 00-50-8d-4f-8d-aa
    Type: IP (0x0800)
    Internet Protocol
    Version: 4
    Header Length: 24 bytes
    Flags:
    .0.. = Don't fragment: Not set
    ..0. = More fragments: Not set
    Fragment offset:0
    Time to live: 1
    Protocol: 0x2 (IGMP - Internet Group Management Message Protocol)
    Header checksum: 0xed82 (Correct)
    Source: 192.168.1.2
    Destination: 224.0.0.22

    Binary dump of the packet:
    0000: 01 00 5E 00 00 16 00 50 : 8D 4F 8D AA 08 00 46 00 | ..^....P.O....F.
    0010: 00 28 00 22 00 00 01 02 : 82 ED C0 A8 01 02 E0 00 | .(."............
    0020: 00 16 94 04 00 00 22 00 : EA 03 00 00 00 01 04 00 | ......".........
    0030: 00 00 EF FF FF FA 54 54 : 50 2F 31 2E 31 0D 0A 48 | ......TTP/1.1..H
    0040: 6F 73 74 3A : | ost:

  2. #2
    Senior Member
    Join Date
    Mar 2004
    Posts
    557
    Hi

    1.
    Time to live: 1
    Protocol: 0x2 (IGMP - Internet Group Management Message Protocol)
    answers your question partly:

    A TTL[1] of 1 means it won't leave your LAN.
    The protocol is IGMP[2].

    2.
    for further information check the thread[3]
    which I found by putting "224.0.0.22" in the forum search engine of AO.

    3.
    Just came to my mind: If I remember correctly, Paint and Freecell are programs
    which are capable of "serving" several users at the same time, e.g. several persons
    on your LAN on different machines can work on the same picture. That's why Paint
    tries to establish such connections.

    Cheers.

    [1] http://www.tcpipguide.com/free/t_IPD...eralFormat.htm
    [2] (1.8 MB pdf) http://www.dataconnection.com/networ.../multicast.pdf
    [3] http://www.antionline.com/showthread...ght=224.0.0.22
    If the only tool you have is a hammer, you tend to see every problem as a nail.
    (Abraham Maslow, Psychologist, 1908-70)

  3. #3
    Junior Member
    Join Date
    Dec 2004
    Posts
    4
    I don't feel comfortable.

    1. The "Destination: 01-00-5e-00-00-16" MAC points out of my LAN. This is absolutely sure.
    2. The old paint.exe is scanning on the LAN without a given command and without any other trace of its work?

    Why am I paranoid?

  4. #4
    Senior Member
    Join Date
    Mar 2004
    Posts
    557
    Hi

    Maybe you are a bit paranoid
    Anyway, you might just block and forget it. Usually, a home-user
    does not need it.

    Simplified, the MAC address is quite irrelevant on a TCP/IP driven network.
    However, that MAC address is reserved for IP Multicast, in particular the
    whole range 01-00-5E-00-00-00 to 01-00-5E-7F-FF-FF,
    i.e. it is indeed a good point that the Destination MAC address is given as it is.

    A good read [1].

    Mapping IP Multicast to MAC-Layer Multicast
    To support IP multicasting, the Internet authorities have reserved the multicast address range of 01-00-5E-00-00-00 to 01-00-5E-7F-FF-FF for Ethernet and Fiber Distributed Data Interface (FDDI) media access control (MAC) addresses. To map an IP multicast address to a MAC-layer multicast address, the low order 23 bits of the IP multicast address are mapped directly to the low order 23 bits in the MAC-layer multicast address. Because the first 4 bits of an IP multicast address are fixed according to the class D convention, there are 5 bits in the IP multicast address that do not map to the MAC-layer multicast address. Therefore, it is possible for a host to receive MAC-layer multicast packets for groups to which it does not belong. However, these packets are dropped by IP once the destination IP address is determined.

    For example, the multicast address 224.192.16.1 becomes 01-00-5E-40-10-01. To use the 23 low order bits, the first octet is not used, and only the last 7 bits of the second octet are used. The third and fourth octets are converted directly to hexadecimal numbers. The second octet, 192 in binary, is 11000000. If you drop the high order bit, it becomes 1000000 or 64 (in decimal), or 0x40 (in hexadecimal). For the next octet, 16 in hexadecimal is 0x10. For the last octet, 1 in hexadecimal is 0x01. Therefore, the MAC address corresponding to 224.192.16.1 becomes 01-00-5E-40-10-01.

    Token Ring uses this same method for MAC-layer multicast addressing. However, many Token Ring network adapters do not support it. Therefore, by default, the functional address 0xC0-00-00-04-00-00 is used for all IP multicast traffic sent over Token Ring networks. For more information about Token Ring support for IP multicasting, see RFC 1469.

    Cheers

    [1] http://www.microsoft.com/technet/com...uy/cg0202.mspx
    If the only tool you have is a hammer, you tend to see every problem as a nail.
    (Abraham Maslow, Psychologist, 1908-70)
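    As an added example (not code from this thread or from any of its posters), the Python script below parses the Sygate dump quoted in post #1 and applies the IP-to-MAC mapping from the Microsoft text quoted above. It verifies the IPv4 and IGMP checksums, checks that the destination MAC 01-00-5e-00-00-16 is exactly the one derived from 224.0.0.22, decodes the IGMPv3 Membership Report to show which group the host is actually joining, and separates the bytes beyond the IP total length, which are frame padding rather than protocol data. The dump text is embedded from the post; the IGMP message and record-type names are taken from RFC 3376 and RFC 2236; everything else (function names, the result dictionary) is this example's own design.

```python
import socket
import struct

# Sygate's "Binary dump of the packet" exactly as quoted in post #1 of this thread.
SYGATE_DUMP = """\
0000: 01 00 5E 00 00 16 00 50 : 8D 4F 8D AA 08 00 46 00 | ..^....P.O....F.
0010: 00 28 00 22 00 00 01 02 : 82 ED C0 A8 01 02 E0 00 | .(."............
0020: 00 16 94 04 00 00 22 00 : EA 03 00 00 00 01 04 00 | ......".........
0030: 00 00 EF FF FF FA 54 54 : 50 2F 31 2E 31 0D 0A 48 | ......TTP/1.1..H
0040: 6F 73 74 3A : | ost:
"""

# Message and record type names from RFC 3376 (IGMPv3) and RFC 2236 (IGMPv2).
IGMP_TYPES = {0x11: "Membership Query", 0x12: "IGMPv1 Membership Report",
              0x16: "IGMPv2 Membership Report", 0x17: "Leave Group",
              0x22: "IGMPv3 Membership Report"}
IGMPV3_RECORD_TYPES = {1: "MODE_IS_INCLUDE", 2: "MODE_IS_EXCLUDE",
                       3: "CHANGE_TO_INCLUDE_MODE", 4: "CHANGE_TO_EXCLUDE_MODE",
                       5: "ALLOW_NEW_SOURCES", 6: "BLOCK_OLD_SOURCES"}


def parse_dump(text):
    """Convert the 'offset: hex : hex | ascii' dump layout back into raw frame bytes."""
    out = bytearray()
    for line in text.splitlines():
        if ":" not in line:
            continue
        _, rest = line.split(":", 1)            # drop the offset column
        hex_part = rest.split("|", 1)[0]         # drop the ASCII column
        out.extend(int(tok, 16) for tok in hex_part.split() if tok != ":")
    return bytes(out)


def inet_checksum(data):
    """RFC 1071 one's-complement sum; a header that includes its own checksum sums to 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def multicast_mac(group_ip):
    """Map an IPv4 multicast group to its Ethernet MAC: 01-00-5E + the low 23 bits of the IP.
    The 5 variable high bits of the address are discarded, so 32 groups share each MAC."""
    n = struct.unpack("!I", socket.inet_aton(group_ip))[0]
    if n >> 28 != 0xE:
        raise ValueError("%s is not a class D (224.0.0.0/4) address" % group_ip)
    low23 = n & 0x7FFFFF
    return "01-00-5E-%02X-%02X-%02X" % (low23 >> 16, (low23 >> 8) & 0xFF, low23 & 0xFF)


def decode_frame(frame):
    """Decode Ethernet II / IPv4 / IGMP and return the fields a reviewer would check."""
    dst_mac = "-".join("%02X" % b for b in frame[0:6])
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != 0x0800:
        raise ValueError("not an IPv4 frame (ethertype 0x%04x)" % ethertype)
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4                     # 0x46 -> 24-byte header (Router Alert option)
    total_len = struct.unpack("!H", ip[2:4])[0]
    info = {
        "dst_mac": dst_mac,
        "src_ip": socket.inet_ntoa(ip[12:16]),
        "dst_ip": socket.inet_ntoa(ip[16:20]),
        "ttl": ip[8],
        "proto": ip[9],
        "ip_header_ok": inet_checksum(ip[:ihl]) == 0,
        "padding": bytes(ip[total_len:]),       # beyond total length: padding, not payload
    }
    first_octet = int(info["dst_ip"].split(".")[0])
    info["mac_matches_group"] = (224 <= first_octet <= 239
                                 and multicast_mac(info["dst_ip"]) == dst_mac)
    if info["proto"] == 2:                       # IGMP
        igmp = ip[ihl:total_len]
        info["igmp_type"] = IGMP_TYPES.get(igmp[0], "0x%02x" % igmp[0])
        info["igmp_ok"] = inet_checksum(igmp) == 0
        if igmp[0] == 0x22:                      # v3 report: list of group records
            records = []
            off = 8
            for _ in range(struct.unpack("!H", igmp[6:8])[0]):
                rtype, aux_len = igmp[off], igmp[off + 1]
                nsrc = struct.unpack("!H", igmp[off + 2:off + 4])[0]
                group = socket.inet_ntoa(igmp[off + 4:off + 8])
                records.append((IGMPV3_RECORD_TYPES.get(rtype, rtype), group))
                off += 8 + 4 * nsrc + 4 * aux_len
            info["groups"] = records
    return info


if __name__ == "__main__":
    for key, value in decode_frame(parse_dump(SYGATE_DUMP)).items():
        print("%-18s %r" % (key, value))
    for g in ("224.192.16.1", "239.192.16.1"):
        print("%-18s %s" % (g, multicast_mac(g)))
```

    Run stand-alone it prints the decoded fields. On the posted packet both checksums verify (the wire bytes are 82 ED; Sygate displayed the field byte-swapped as 0xed82), the destination MAC is exactly the one derived from 224.0.0.22, and the report carries one CHANGE_TO_EXCLUDE_MODE record for 239.255.255.250, the link-local group used by SSDP/UPnP device discovery. So the frame is the host announcing membership in that group to 224.0.0.22 (the address IGMPv3 reports are sent to) with TTL 1, which is why it was seen on a freshly booted machine regardless of which program Sygate attributed it to. The 14 trailing bytes ("TTP/1.1\r\nHost:") lie past the 40-byte IP total length and are unrelated padding, not part of the IGMP message, and a parser that keyed on frame length instead of total length would mis-decode them. The last two lines show the many-to-one property the quoted text warns about: 224.192.16.1 and 239.192.16.1 map to the same MAC, so the NIC filter alone cannot tell the groups apart and IP has to drop the ones the host did not join.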

  5. #5
    Junior Member
    Join Date
    Dec 2004
    Posts
    4
    • 224.0.0.0/24 is the link-local scope region. Traffic sent to these addresses is only
    transmitted over a single link. This is used for control traffic, for example that from
    multicast routing protocols.

    Perhaps it is a multicast address, but it was addressing a single physical (MAC) address.
    Would it be an attempt to establish a peer to peer contact?

  6. #6
    Senior Member
    Join Date
    Apr 2004
    Posts
    1,130
    PAINT.EXE; Freecell.exe are both malware. Remove them immediately.
    Meu sítio

    FORMAT C: Yes ...Yes??? ...Nooooo!!! ^C ^C ^C ^C ^C
    If I die before I sleep, I pray the Lord my soul to encrypt.
    If I die before I wake, I pray the Lord my soul to brake.

  7. #7
    Senior Member
    Join Date
    Mar 2004
    Posts
    557
    Hi

    Maybe I am not paranoid enough...

    Since we did not get an accurate description of the filename,
    I assumed %SystemRoot%\System32\mspaint.exe and
    %SystemRoot%\System32\freecell.exe, which are legitimate
    Windows XP programs and might show the behaviour described above.

    Malware would not try to connect to multicast addresses
    using the corresponding MAC address and setting TTL=1,
    I guess.

    Anyway, cacosapo, since you raised that issue, it might be worth
    checking the validity of these executables carefully (ie exact name,
    coordinates and compare MD5 hashes).

    Cheers.
    If the only tool you have is a hammer, you tend to see every problem as a nail.
    (Abraham Maslow, Psychologist, 1908-70)

  8. #8
    Senior Member
    Join Date
    Apr 2004
    Posts
    1,130
    - freecell.exe --> http://securityresponse.symantec.com...llw.astef.html
    since I have freecell and it NEVER tried to go to the network I'm assuming this is malware
    - paint.exe --> isn't it MSpaint.exe? And how does it go to the network? It's malware to me.
    - doing multicast is an excellent way to infect a LAN. I'm still digging about those to find more info.
    Meu sítio

    FORMAT C: Yes ...Yes??? ...Nooooo!!! ^C ^C ^C ^C ^C
    If I die before I sleep, I pray the Lord my soul to encrypt.
    If I die before I wake, I pray the Lord my soul to brake.

  9. #9
    Priapistic Monk KorpDeath's Avatar
    Join Date
    Dec 2001
    Posts
    2,628
    paint.exe Added by a variant of the WIN32.AGENT.AH downloader TROJAN

    File Freecell.exe is related to worm W32.HLLW.Respan.

    Been downloading some programs that we should have paid for, have we?
    Mankind have a great aversion to intellectual labor; but even supposing knowledge to be easily attainable, more people would be content to be ignorant than would take even a little trouble to acquire it.
    - Samuel Johnson

  10. #10
    Senior Member
    Join Date
    Mar 2004
    Posts
    557
    Hi

    I learned it is better to assume the worst case
    instead of relying on "old" known stuff.

    If anyone can provide me/us with information
    about malware using multicast to penetrate a LAN,
    that'll be great. Thanks cacosapo for pointing
    this out.
    I usually read the distribution methods on the
    virii/worms description pages, but didn't stumble
    across multicasting there.

    damage2, I am very interested in what you find.
    I apologize for having been too incautious.

    Cheers
    If the only tool you have is a hammer, you tend to see every problem as a nail.
    (Abraham Maslow, Psychologist, 1908-70)
