Norton Liveupdate musings
20 years 11 months ago #2085
by sahirh
Sahir Hidayatullah.
Firewall.cx Staff - Associate Editor & Security Advisor
tftfotw.blogspot.com
Norton Liveupdate musings was created by sahirh
I'm not a fan of automatic update programs... I'm one of those idiots who has a computer that will do things automatically and I insist on doing it manually... that said... I really don't like automatic update programs.
However when it comes to virus definitions I leave norton's liveupdate on... so every so often it grabs a few 100kb instead of me having to download 3-4 MB files.
Anyway I was bored so I was watching connections in TCPView (I'm on medication that suppresses this urge) and I find lucom~1.exe connecting HTTP to a weird IP... an Indian IP (yes I can magically look at IP addresses and tell which geographical region they're from.. you can gain access to the cool tutorial that teaches this by voting for us at alexa and writing a five star review).
I figured it wasn't that strange, maybe they have an Indian mirror for the liveupdates.. not that I like the idea of that, because you don't know how secure the mirror you're downloading from is. So I whois'd etc the IP..
It seems to belong to a company called Jasubhai ... all you Indians will know this must be Jasubhai Digital Media the people who publish Chip computer magazine in India...
I hit the webserver and it runs Akamai Ghost (That's part of the Akamai caching system that lotsa big companies like Microsoft use, isn't it?) and the webserver doesn't understand normal HTTP requests...
While this is probably not a security issue, I'm very intrigued by figuring out the liveupdate session and its protocol.. I'm not in a position to capture packets (ppp connection woes). If anyone has a capture of a liveupdate session I'd really like to have a look at it...
If you're from a different geographical region you could lemme know where your liveupdate connects to... if lots of people find regional IPs then I'll be much more at ease.
Sorry about the massive post, I'm just quite intrigued by this.
20 years 11 months ago #2087
by Neon
Replied by Neon on topic Re: Norton Liveupdate musings
I captured a session of live update and it connects to 61.9.129.201. Don't know if it's the same IP address which you described.
I would post the captured file, but I'm out on anywhere to store it.
This page got any data dump? If not, it should.
20 years 11 months ago #2088
by tfs
Thanks,
Tom
Replied by tfs on topic Re: Norton Liveupdate musings
I'm not sure which IP mine is connecting to - where are you finding this?
I only let LiveUpdate for Norton work, as you need to make sure the viruses are updated NOW. Could be a problem if you do it manually and forget to do it.
But I don't automatically update anything else. I have been severely screwed before (happened with SQL Server 6.5 - where the update wiped out your data if you were on version 3, I believe). That was not fun. Never again.
:evil: :evil:
20 years 11 months ago #2089
by Neon
Replied by Neon on topic Re: Norton Liveupdate musings
tfs,
I found the IP it was connecting to through ettercap, a capture program. But a more appropriate program would be TCPView posted by sahirh here www.firewall.cx/modules.php?name=Forums&...=viewtopic&t=259
It's basically a very nice GUI version of netstat.
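The check the thread is doing by hand (look at which remote address a given process, here the update client, is talking to, and ask whether that address is where you expect it to be) can be scripted over the same data TCPView and netstat show. The following is an added example, not code from any of the posters or from Symantec: it parses constructed `netstat -ano`-style rows, joins them to a constructed PID-to-image map, and flags connections from a watched process to addresses outside an allowlist. The two remote IPs come from this thread; the `EXPECTED_NETS` range is a placeholder standing in for whatever the vendor documents, not a real LiveUpdate address range.

```python
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample in the shape of `netstat -ano` output on Windows (not a real capture).
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    192.168.1.10:1043      61.9.129.201:80        ESTABLISHED     1532
  TCP    192.168.1.10:1044      207.151.118.142:80     ESTABLISHED     1532
  TCP    192.168.1.10:1050      10.0.0.5:445           ESTABLISHED     4
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       900
  UDP    0.0.0.0:123            *:*                                    1100
"""

# Constructed PID -> image name map (the column TCPView adds next to each row).
SAMPLE_PIDS = {1532: "lucom~1.exe", 4: "System", 900: "svchost.exe", 1100: "svchost.exe"}

# Hypothetical allowlist: networks the update client is expected to talk to.
# Placeholder value for illustration, not the vendor's real address range.
EXPECTED_NETS = {
    "lucom~1.exe": [ipaddress.ip_network("207.151.118.0/24")],
}

# Proto, local, foreign, optional state (UDP rows have none), PID.
ROW = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:(\S+)\s+)?(\d+)\s*$")


@dataclass(frozen=True)
class Conn:
    proto: str
    local: str
    remote_ip: str
    remote_port: int
    state: str
    pid: int
    image: str


def split_endpoint(endpoint):
    """'61.9.129.201:80' -> ('61.9.129.201', 80); '*:*' -> ('*', 0)."""
    host, _, port = endpoint.rpartition(":")
    return host, int(port) if port.isdigit() else 0


def parse_netstat(text, pid_map):
    """Turn netstat -ano style rows into Conn records; header and blank lines are skipped."""
    conns = []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue
        proto, local, remote, state, pid = m.groups()
        remote_ip, remote_port = split_endpoint(remote)
        pid = int(pid)
        conns.append(Conn(proto, local, remote_ip, remote_port, state or "", pid,
                          pid_map.get(pid, "?")))
    return conns


def unexpected_peers(conns, expected):
    """(image, remote_ip) pairs where a watched process has an established connection
    to an address outside its allowlisted networks."""
    flagged = []
    for c in conns:
        if c.image not in expected or c.state != "ESTABLISHED":
            continue
        try:
            ip = ipaddress.ip_address(c.remote_ip)
        except ValueError:
            continue  # '*' or otherwise unparseable endpoint
        if not any(ip in net for net in expected[c.image]):
            flagged.append((c.image, c.remote_ip))
    return flagged


if __name__ == "__main__":
    for image, ip in unexpected_peers(parse_netstat(SAMPLE_NETSTAT, SAMPLE_PIDS), EXPECTED_NETS):
        print(f"{image} talks to {ip}, which is outside its expected networks")
```

With the placeholder allowlist, the connection to 207.151.118.142 passes and the one to 61.9.129.201 is reported, which is the same question the thread is asking: whether the address the updater reaches is one you have a reason to trust. Running it against real output means replacing the constructed sample with the netstat text and filling `EXPECTED_NETS` from the vendor's published server list.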
20 years 11 months ago #2091
by tfs
Thanks,
Tom
Replied by tfs on topic Re: Norton Liveupdate musings
Actually, I used TCPView and when I ran LiveUpdate, it was going to 207.151.118.142.