Unknown svchost.exe DNS port 53 network activity

on 20.12.2006 22:09:32 by Raffi

This is regarding a Windows XP Professional PC. I noticed heavy
activity on my router as well as my PC LAN connection icon in the tray.
After some digging appears to be a svchost process that is listening on
port 53 with a remote address of my ISP's DNS server. My router is not
set to forward DNS traffic to a specific system, and I don't run any
DNS servers.

I am worried about this process since there's a lot of data being
transmitted/received and it's starting to introduce delays with my web
connections, and seems to be affecting available bandwidth as well.

The following have not identified any viruses or other malware:

AntiVir antivirus
Avast antivirus
Spybot S&D
Ad Aware
AVG antispyware

I got the following information for the related process from Port
Explorer

Command line: c:\windows\system32\svchost.exe -k Network Service

Killing this process returns everything to "normal" with port 53
traffic stopped and all other applications working fine.

Any help explaining this activity and how to disable it would be
greatly appreciated. Is this something normal with Windows I may have
missed?

Thanks,
Raffi

Re: Unknown svchost.exe DNS port 53 network activity

on 21.12.2006 02:09:35 by Duane Arnold

"Raffi" wrote in message
news:1166648972.302288.17030@79g2000cws.googlegroups.com...
> This is regarding a Windows XP Professional PC. I noticed heavy
> activity on my router as well as my PC LAN connection icon in the tray.
> After some digging appears to be a svchost process that is listening on
> port 53 with a remote address of my ISP's DNS server. My router is not
> set to forward DNS traffic to a specific system, and I don't run any
> DNS servers.
>

No traffic can come to the machine, unless you have opened the inbound port
by using port forwarding on the router, which allows unsolicited inbound
traffic to reach a machine. The machine may or may not be listening on the
forwarded port. On the other hand, if a computer has made a solicitation for
inbound traffic by sending outbound traffic to a remote IP, then solicited
traffic is going to be let back through the router or a firewall, because
the machine behind them made the solicitation.


> I am worried about this process since there's a lot of data being
> transmitted/received and it's starting to introduce delays with my web
> connections, and seems to be affecting available bandwidth as well.

Svchost.exe, which should be running out of the Windows/System32 directory,
otherwise it's a Trojan, does nothing on its own. It does the bidding for
the O/S and its programs and other programs as well; it does the hosting.
Svchost allows the communication between machines in a LAN or WAN situation.
However, you should be aware of what Svchost is connecting to, as malware can
be hosted by Svchost.exe as well.

I suspect the machine was just communicating with the ISP DNS servers, as the
machine with its O/S has made the solicitation for traffic.

>
> The following have not identified any viruses or other malware:
>
> AntiVir antivirus
> Avast antivirus
> Spybot S&D
> Ad Aware
> AVG antispyware

Malware can circumvent and defeat every last bit of it.

http://www.microsoft.com/technet/community/columns/secmgmt/sm0504.mspx

>
> I got the following information for the related process from Port
> Explorer
>
> Command line: c:\windows\system32\svchost.exe -k Network Service
>
> Killing this process returns everything to "normal" with port 53
> traffic stopped and all other applications working fine.
>
How can that be? If you cut off the traffic on port 53, then how is any
machine with an application running where a URL is involved to look up the WAN
IP that belongs to the URL, an application such as a browser accessing the
Web site that WAN IP points to? That's what the ISP's Domain Name Server is
for: to take a URL that has been given on its network and convert it to a
WAN IP so that an application can use the IP to go to a site.

It could be, with a browser, that any Web page you're accessing has been
cached on the machine and is why you're thinking nothing is wrong.

> Any help explaining this activity and how to disable it would be
> greatly appreciated. Is this something normal with Windows I may have
> missed?

If you suspect something, then use the proper tools and look for yourself. A
tool like Process Explorer will let you look inside any running process and
see the exe, dll, etc., etc. or processes that are being hosted by a process
such as Svchost.exe. I suspect there is nothing wrong with communications
between a computer and the ISP's DNS server.

Long:
http://www.windowsecurity.com/articles/Hidden_Backdoors_Trojan_Horses_and_Rootkit_Tools_in_a_Windows_Environment.html

Short:
http://tinyurl.com/klw1

Re: Unknown svchost.exe DNS port 53 network activity

on 21.12.2006 05:08:30 by tony

It's probably George Saint Pierre doing it.

Raffi wrote:

> This is regarding a Windows XP Professional PC. I noticed heavy
> activity on my router as well as my PC LAN connection icon in the tray.
> After some digging appears to be a svchost process that is listening on
> port 53 with a remote address of my ISP's DNS server. My router is not
> set to forward DNS traffic to a specific system, and I don't run any
> DNS servers.
>
> I am worried about this process since there's a lot of data being
> transmitted/received and it's starting to introduce delays with my web
> connections, and seems to be affecting available bandwidth as well.
>
> The following have not identified any viruses or other malware:
>
> AntiVir antivirus
> Avast antivirus
> Spybot S&D
> Ad Aware
> AVG antispyware
>
> I got the following information for the related process from Port
> Explorer
>
> Command line: c:\windows\system32\svchost.exe -k Network Service
>
> Killing this process returns everything to "normal" with port 53
> traffic stopped and all other applications working fine.
>
> Any help explaining this activity and how to disable it would be
> greatly appreciated. Is this something normal with Windows I may have
> missed?
>
> Thanks,
> Raffi

Re: Unknown svchost.exe DNS port 53 network activity

on 22.12.2006 21:49:35 by Ansgar -59cobalt- Wiechers

Raffi wrote:
> This is regarding a Windows XP Professional PC. I noticed heavy
> activity on my router as well as my PC LAN connection icon in the
> tray. After some digging appears to be a svchost process that is
> listening on port 53 with a remote address of my ISP's DNS server. My
> router is not set to forward DNS traffic to a specific system, and I
> don't run any DNS servers.

Maybe the DNScache service? It shouldn't be listening on port 53,
though. What's the output of "netstat -anob"?

> I am worried about this process since there's a lot of data being
> transmitted/received and it's starting to introduce delays with my web
> connections, and seems to be affecting available bandwidth as well.

Usually you'd inspect the traffic with a sniffer (e.g. Wireshark [1]) to
get an idea of what's actually transmitted.

[...]
> I got the following information for the related process from Port
> Explorer
>
> Command line: c:\windows\system32\svchost.exe -k Network Service

Could indeed be DNScache, but check the netstat output to make sure.

[1] http://www.wireshark.org/

cu
59cobalt
--
"If a software developer ever believes a rootkit is a necessary part of
their architecture they should go back and re-architect their solution."
--Mark Russinovich
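Ansgar's advice is to read the `netstat -anob` output, and Duane's point is that what matters is which component svchost.exe is hosting. The script below is an added example, written for this page and not posted by anyone in the thread: it parses text in the shape `netstat -anob` prints (socket line, an optional component/service line, then the owning image in brackets; the layout is an assumption, and the sample is constructed, not a real capture) and separates the two very different things "port 53" can mean. A lookup from an ephemeral local port to the resolver's port 53 is the normal DNS client shape; a socket bound to local port 53 is server behaviour and is flagged for investigation on a workstation that runs no DNS server.

```python
"""Attribute port-53 sockets in `netstat -anob` output to their owning process.

Added example for this thread. The expected layout (an assumption) is the
three-line shape later Windows versions print:

  TCP    0.0.0.0:135    0.0.0.0:0    LISTENING    944
  RpcSs                                  <- component hosted by svchost.exe (optional)
 [svchost.exe]                           <- owning image
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample in the shape of `netstat -anob` output; addresses use the
# 203.0.113.0/24 documentation range and the PIDs/services are made up.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       944
  RpcSs
 [svchost.exe]
  TCP    192.168.1.10:1042      203.0.113.53:53        ESTABLISHED     1100
  Dnscache
 [svchost.exe]
  UDP    0.0.0.0:53             *:*                                    1100
  Dnscache
 [svchost.exe]
  UDP    192.168.1.10:1045      *:*                                    2312
 [firefox.exe]
"""

SOCKET_RE = re.compile(r"^\s+(TCP|UDP)\s+(\S+)\s+(\S+)(?:\s+([A-Z_]+))?\s+(\d+)\s*$")
IMAGE_RE = re.compile(r"^\s*\[(.+?)\]\s*$")
HEADER_PREFIXES = ("Active Connections", "Proto")


@dataclass
class Socket:
    proto: str
    local: str
    remote: str
    state: str          # empty for UDP, which netstat prints without a state column
    pid: int
    image: str = "?"    # owning executable from the bracketed line
    component: Optional[str] = None  # service name under an svchost.exe socket, if printed

    def local_port(self) -> str:
        return self.local.rsplit(":", 1)[1]   # rsplit keeps IPv6 literals intact

    def remote_port(self) -> str:
        return self.remote.rsplit(":", 1)[1]  # "*" when the foreign address is "*:*"


def parse_netstat(text: str) -> List[Socket]:
    """Walk the output line by line, attaching component/image lines to the last socket."""
    sockets: List[Socket] = []
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith(HEADER_PREFIXES):
            continue
        m = SOCKET_RE.match(line)
        if m:
            proto, local, remote, state, pid = m.groups()
            sockets.append(Socket(proto, local, remote, state or "", int(pid)))
            continue
        if not sockets:
            continue  # stray text before the first socket line
        m = IMAGE_RE.match(line)
        if m:
            sockets[-1].image = m.group(1)
        else:
            # Any other indented line belongs to the preceding socket: a service
            # name, or netstat's "Can not obtain ownership information" message.
            sockets[-1].component = stripped
    return sockets


def classify(sock: Socket) -> str:
    """Distinguish a DNS client lookup from something bound to port 53 locally."""
    if sock.local_port() == "53":
        return "LOCAL_LISTENER_53"   # server-side shape: unexpected on a workstation
    if sock.remote_port() == "53":
        return "DNS_CLIENT_LOOKUP"   # ephemeral local port -> resolver:53, the normal shape
    return "OTHER"


def port53_report(text: str) -> List[dict]:
    """Return every port-53 socket with its owner; `flag` marks the ones to investigate."""
    report = []
    for s in parse_netstat(text):
        kind = classify(s)
        if kind == "OTHER":
            continue
        owner = s.image if s.component is None else f"{s.image} ({s.component})"
        report.append({"kind": kind, "proto": s.proto, "local": s.local,
                       "remote": s.remote, "pid": s.pid, "owner": owner,
                       "flag": kind == "LOCAL_LISTENER_53"})
    return report


if __name__ == "__main__":
    for row in port53_report(SAMPLE_NETSTAT):
        mark = "INVESTIGATE" if row["flag"] else "ok"
        print(f"{mark:11} {row['kind']:18} {row['proto']} {row['local']} -> "
              f"{row['remote']}  pid={row['pid']}  owner={row['owner']}")
```

To use it on a real machine, save `netstat -anob` output to a file and pass its contents to `port53_report`. The PID and owner it prints are what you then look up in Process Explorer, as Duane suggests, to confirm which service inside that svchost.exe instance owns the socket; a flagged local listener on 53 is the case where a packet capture of the traffic, as Ansgar recommends, is worth the effort.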