Reading the Tea Leaves in Firewall Events.

Hello,
Lots of good advice and counsel from the experts here, and now I need some of that, please.
For the past three days, I am seeing a lot of the Firewall Events in my COMODO 4.0 list reporting Blocked from reaching Destination IP 127.0.0.1.

I recognize that IP, it is (of course) in the HOSTS file in my Windows XP Pro SP3 (x86) PC. Previously, this was hardly ever seen, and the destination IPs listed were formerly my Primary DNS or one of the two alternates, that show up in my Local Area Connection Status (Windows). The Source IP is usually my PC’s IP. All the others are showing 0.0.0.0, and I do not understand that IP. Does it relate to my PC?

Back last Fall, I was seeing my old firewall reporting that source programs on my PC were trying to connect to irc.zief.pl, and other URIs that are known to be associated with the W32/Virut polymorphic file infector. I think I halted those contacts by adding those URIs to my HOSTS file. Source programs were Windows explorer.exe, svchost.exe, Iexplore.exe, and also Firefox, Java Quick Starter, winword.exe, etc.

This morning, at logon, Comodo reports explorer.exe and svchost.exe were blocked from 127.0.0.1. I don’t think it is normal for those programs to send anything to 127.0.0.1 at logon to Windows; I suspect that this might be a HOSTS file redirection of a request generated by a malware infection. Maybe it is the Virut or another malware that infected these files. Does anybody have any good knowledge on these events? Is there any way in Comodo to determine what was the Destination hostname that was generated for a firewall event, the hostname that the HOSTS file blocked?

Here’s some more info, FYI for all viewers, on this manifestation of my insecurity -

COMODO Firewall 4.0.13877.779 was installed a few days ago in my Windows XP Pro SP3 (x86) PC. I had uninstalled v3.13 and the M$ Security Essentials (M$SE) first. Reinstalled M$SE after installing COMODO 4, and full-scanned the system with M$SE, and it quarantined a file infected with Win32/Pdfjsc.J that it found in a Firefox cache in my Guest user account (UA). This bad guy had been found also on 3/24 and 3/29 and 4/2 in the Firefox cache folder, in either the Guest or an admin UA or both, on different days. The M$SE full scan overnight last night found nothing to object to. So, maybe the system is good for the moment.

I will be grateful if you can suggest whether trying to connect to 127.0.0.1 is a routine thing for the Windows executables that I named in the msg above. If they are not routine, I expect that those executables must be infected with some malware that is trying to connect to a bad host, but a host that is being redirected by my MVPS Hosts file. Then, I will need to poke around for some extra good methods of diagnosing and cleaning my system of this unknown (so far, to me) malware. Hoping I can avoid a wipe and reload ...

All ideas will be gratefully received.

127.0.0.1 is the loopback address, or, to put it another way, your local host, and that is all it pertains to; it’s not a valid address for Internet usage.

The loopback mechanism is a way certain types of application communicate internally with themselves. Typically it’s used by applications from Mozilla, such as Firefox and Thunderbird, although there are many others that use this mechanism.

Typically, there will be a rule to allow either TCP or UDP (sometimes both) OUT (sometimes in) to 127.0.0.1 with a port of ANY.

The IRC communication is something you really need to explore, as it’s indicative of a PC that has become part of a bot network and is a way of being able to communicate with the Command and Control centre. Basically, your PC may be a zombie in a bot network.

I don’t know anything about Comodo’s ability to detect these things as I only use the firewall component (although not at the moment). You can always check these tools:

1. RUBotted
2. Bothunter

Good luck

Edit: One thing, I’ve never known svchost.exe (the genuine one at least) or any other standard Windows exes to need loopback.

TNX, Das. I will try exploring these phenomena and might need to get back to you.

I see in Predefined Firewall Policies that there is a policy named Web Browser, which includes a rule named Allow Access to Loopback Zone. This rule allows IP Out to Loopback Zone. This supports your understanding that Mozilla apps including Firefox carry a rule like this, but it is currently set to protocol IP, and I understand that this setting allows all protocols, at least TCP, UDP, ICMP, IGMP (is there really an IGMP?).
Is IP also the name of a unique protocol that exists on the Internet?
Should I be re-setting this Rule to TCP only or UDP only, or both? There is so much that I don’t know.
BTW, I cannot find anywhere in COMODO that Loopback Zone is defined as to IP number like 127.0.0.1 - the v4.0 seems to have eliminated the facility that v3.13 offered, of defining My Zones, that would be allowed or denied in the Rules. There is only a link for My Blocked Zones. But we do not want to block the Loopback Zone. Right now, all I want is to review its contents.

I understand from you that it is not a normal thing for WINDOWS\svchost.exe and explorer.exe to try to connect to the Loopback zone.

I will try some things and maybe get back to you later.

This supports your understanding that Mozilla apps including Firefox carry a rule like this, but it is currently set to protocol IP, and I understand that this setting allows all protocols, at least TCP, UDP, ICMP, IGMP

The loopback interface supports all main IP transports, so it’s easier to use the [IP] definition than to list all transports individually.

(is there really an IGMP?).

Yes. Internet Group Management Protocol. It’s used to support multicast groups.

Is IP also the name of a unique protocol that exists on the Internet?

IP is the Internet Protocol. It’s part of a much larger protocol suite, which we generally refer to as TCP/IP.

Should I be re-setting this Rule to TCP only or UDP only, or both? There is so much that I don't know.

No, see above.

BTW, I cannot find anywhere in COMODO that Loopback Zone is defined

As I said before, I don’t have the product installed at the moment, but if I remember correctly, in V4 the network zones were moved to the Network Security Policy tab.

I understand from you that it is not a normal thing for WINDOWS\svchost.exe and explorer.exe to try to connect to the Loopback zone.

In my experience, it’s unnecessary for standard Windows services to use loopback.

I guess there is always the possibility that some other application making use of one of these standard services could initiate a call. Just a guess.

The discussion regarding TCP/IP is really beyond these forums. You would do as well to check out something like wikipedia or some other online resource like Firewallcx Alternative Menu

Quote

I understand from you that it is not a normal thing for WINDOWS\svchost.exe and explorer.exe to try to connect to the Loopback zone.

In my experience, it’s unnecessary for standard Windows services to use loopback.

I guess there is always the possibility that some other application making use of one of these standard services could initiate a call. Just a guess.

Thanks, I was thinking the same thing, that XP Pro executables were not expected to contact Loopback. My own guess is, this is a W32/Virut or other malware insertion in explorer.exe and svchost.exe, that they are trying to get out to ircd.zief.pl for instructions, and this is being redirected by my HOSTS file to the Loopback. (I saw that happening from explorer and svchost, multiple tries on every startup, when I was running ZoneAlarm last Fall; ZA named the destination with the URL rather than the IP, that is how I could identify the action as probably malicious.)

Quote
The discussion regarding TCP/IP is really beyond these forums. You would do as well to check out something like wikipedia or some other online resource like Firewallcx Alternative Menu

Only wanted to know whether changing protocols in the rule would be better security. Didn’t think that question was beyond the forum, was not trying to cause trouble. I’ll stop talking protocols now. I do have a large HOSTS file, using the MVPS augmentation with over 900 additional sites redirected to Loopback.

If you please, can you advise on whether the HOSTS file in XP is so positioned as to be capable of redirecting such an exploit to the Loopback as observed? And is Comodo’s Firewall Event logger capable of observing and reporting this as an attempt (or attempts) from this/these Windows file(s) to send to the Loopback?

Only wanted to know whether changing protocols in the rule would be better security. Didn't think that question was beyond the forum, was not trying to cause trouble. I'll stop talking protocols now.

Please don’t misconstrue my comment, TCP/IP is a complex subject and whilst it’s quite possible to answer simple queries, regarding the more obvious parts of the suite, getting into the ‘nitty gritty’ would be beyond the scope of these forums. The links proffered were merely some additional reading to pad out your knowledge.

If you please, can you advise on whether the HOSTS file in XP is so positioned as to be capable of redirecting such an exploit to the Loopback as observed? And is Comodo's Firewall Event logger capable of observing and reporting this as an attempt (or attempts) from this/these Windows file(s) to send to the Loopback?

I’ve never had the need for a hosts file, so anything I say will have to be verified. As far as I’m aware, if a requested address matches one in the hosts file it will be redirected and thus be prevented from making a ‘real’ connection. The problem of course, is if there is no match. The other potential danger is that hosts files can be compromised.

In your case the virus will:

The virus then modifies the hosts file by adding “127.0.0.1 ZieF.pl”. It then opens a back door by joining an IRC channel controlled by the remote attacker, typically on irc.zief.pl, TCP port 80.

In my opinion, the most important thing you have to do right now is make sure you have eradicated this malware, only then would I worry about anything else.

As far as the firewall logging these events, I think you’ll find that events will only be captured in the logs if logging has been enabled to capture that event type. That is something you would have to do in your firewall rules.
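The two points in the reply above, that a hostname matching a HOSTS entry is sunk to loopback before any real connection is made, and that the HOSTS file itself can be tampered with, can be checked mechanically. The following is an added example, not code from the thread or from Comodo: it parses a HOSTS file, answers “what would this name resolve to locally”, and flags the two tampering patterns worth auditing for (a name sent to a real address instead of a sink, and a security-vendor update host being sunk). The file contents and all hostnames are constructed placeholders.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

# Constructed sample HOSTS content (not from the thread): MVPS-style loopback
# blocks plus two kinds of entry an auditor would want flagged.
SAMPLE_HOSTS = """\
# Sample hosts file (constructed for this example)
127.0.0.1       localhost
::1             localhost
127.0.0.1       ad.example-tracker.invalid        # block: request sunk locally
0.0.0.0         banner.example-adserver.invalid   # block: same effect
127.0.0.1       irc.example-c2.invalid            # block of a suspected C&C host
203.0.113.7     www.example-bank.invalid          # real address: a hijack, not a block
127.0.0.1       update.example-antivirus.invalid  # sinks a vendor update host
"""

# Loopback/unspecified targets mean "sink the request on this machine".
SINK_ADDRESSES = {"127.0.0.1", "0.0.0.0", "::1"}

# Hypothetical suffixes of hosts that should never be sunk (constructed).
PROTECTED_SUFFIXES = ("example-antivirus.invalid",)


def parse_hosts(text: str) -> List[Tuple[str, str]]:
    """Return (address, hostname) pairs; comments and malformed lines are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        addr, *names = line.split()
        try:
            ipaddress.ip_address(addr)   # reject lines whose first field is not an IP
        except ValueError:
            continue
        entries.extend((addr, name.lower()) for name in names)
    return entries


def lookup(text: str, hostname: str) -> Optional[str]:
    """Address the HOSTS file would hand back for hostname, or None if unlisted."""
    wanted = hostname.lower()
    return next((addr for addr, name in parse_hosts(text) if name == wanted), None)


def audit_hosts(text: str) -> Dict[str, List[str]]:
    """Classify entries: sunk (blocked), hijacked (sent elsewhere), vendor_blocked."""
    report: Dict[str, List[str]] = {"sunk": [], "hijacked": [], "vendor_blocked": []}
    for addr, name in parse_hosts(text):
        if name == "localhost":
            continue
        if addr in SINK_ADDRESSES:
            report["sunk"].append(name)
            if name.endswith(PROTECTED_SUFFIXES):
                report["vendor_blocked"].append(name)
        else:
            report["hijacked"].append(f"{name} -> {addr}")
    return report
```

A firewall event showing a process blocked on its way to 127.0.0.1 is consistent with a HOSTS redirect only if `lookup` returns a sink address for the name the process asked for; the `hijacked` and `vendor_blocked` lists are the entries that indicate the file itself has been altered rather than merely used as a blocklist.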

Hi, I’m quite a noob on firewall matters, but this exact same issue is bugging me as well. I see lots of outgoing requests going to the loopback adapter (= my local computer) address, 127.0.0.1 (that’s the destination IP, for example for the Internet Explorer program). But this info doesn’t reveal whether the request is stopping there or is forwarded to the public Internet to another final destination IP address. This is the main issue I would like to resolve.

Attached are a couple of example images of this problem as I see it on my machine. Could one solution be testing removal of the loopback zone altogether from the Comodo Network Zones tab? Would that be wise in a security sense, and would it help to see whether outgoing traffic then continues from the loopback adapter (local machine) to the public Internet?

I’m using Comodo Firewall 5.9 (without AV) with Avast as the antivirus program; not sure if Avast, too, wants to operate in the loopback zone for scanning network traffic.

Thanks a lot for any comments in advance


Hi Hande, welcome to the forums.

As far as I know Avast does (or did) use the 127.0.0.1 loopback address extensively for its Web & Network protection components. I think it runs a local proxy that it pipes all Internet traffic through. But, you’ll need to confirm this with someone that is up to-date on Avast… it’s been awhile since I ran it myself.

As Kail said :)

Thanks for excellent replies Kail and Radaghast!

That makes a lot of sense now. So the Avast antivirus (avastsvc.exe) will catch the outbound traffic from the local machine’s loopback zone (127.0.0.1) on port 12080 (or similar), and acts as a “middleman” to carry the traffic forward to the public Internet, if I interpreted that correctly.

That was very good info, so with Comodo Firewall + Avast, one can then look at avastsvc.exe to see what IP the traffic actually ends up at. Nice :) Thanks a lot for the help, both of you!