RE: Synaptics TouchPad, strange packets.

From: Marcus Blankenship (MarcusB@JELD-WEN.com)
Date: Tue Nov 27 2001 - 14:34:57 PST


    I found a very similar problem, and did the same thing.  Also, I found that
    the TouchPad program was taking up a LOT of CPU time, even when it was
    docked.  My performance improved dramatically when I did this.  Very
    strange.
    
    Marcus
    
    
    > -----Original Message-----
    > From:	Valerio B. [SMTP:supportat_private]
    > Sent:	Tuesday, November 27, 2001 11:59 AM
    > To:	Vuln-Dev; SecProg; Focus-IDS; Focus-Virus
    > Subject:	Synaptics TouchPad, strange packets.
    > 
    > My firewall captured a packet outgoing from my laptop, originated by the
    > Synaptics TouchPad program, to a destination address that has nothing to
    > do with the Synaptics network. I verified that the destination address is
    > a host located in Finland.
    > I have now blocked the Synaptics TouchPad program. As you can see, the
    > checksums are incorrect.
    > I currently don't have the tools to do analysis on my own, and I found my
    > laptop to be free of known viruses, so I am submitting this for analysis
    > by the community.
    > 
    > Valerio B.
    > 
    > 
    > The packet decode is included below:
    > ******************************************
    > File Version :  5.0.62 13Mar00
    > File Description : Synaptics TouchPad Enhancements
    > File Path :  C:\Programmi\Synaptics\SynTP\SynTPEnh.exe
    > Process ID :  FFFDEA69 (Heximal) 4294830697 (Decimal)
    > 
    > Connection origin : local initiated
    > Protocol :  UDP
    > Local Address :  xxx.xx.xxx.xxx
    > Local Port :  17697
    > Remote Name :
    > Remote Address : xxx.xxx.xxx.x
    > Remote Port :   65280
    > 
    > Ethernet packet details:
    > Ethernet II (Packet Length: 64)
    >  Destination:  xx-xx-xx-xx-xx-xx
    >  Source:  xx-xx-xx-xx-xx-xx
    > Type: IP (0x0800)
    > Internet Protocol
    >  Version: 4
    >  Header Length: 20 bytes
    >  Flags:
    >   .0.. = Don't fragment: Not set
    >   ..0. = More fragments: Not set
    >  Fragment offset:69
    >  Time to live: 128
    >  Protocol: 0x11 (UDP - User Datagram Protocol)
    >  Header checksum: 0xf8eb (Correct)
    >  Source: xxx.xx.xxx.xxx
    >  Destination: xxx.xxx.xxx.x
    > User Datagram Protocol
    >  Source port: 17697
    >  Destination port: 65280
    >  Length: 8
    >  Checksum: 0x52f9 (Incorrect - Checksum should be 0x396b)
    > Data (38509 Bytes)
    > 
    > Binary dump of the packet:
    > 0000:  xx xx xx xx xx xx xx xx : xx xx xx xx 08 00 45 00 | SRC..DEST....E.
    > 0010:  00 32 9D D3 00 45 80 11 : EB F8 D4 0F A2 F0 C1 A6 | .2...E..........
    > 0020:  78 03 45 21 FF 00 96 6D : F9 52 B9 57 29 C8 0A B9 | x.E!...m.R.W)...
    > 0030:  04 60 E6 99 54 48 B4 1A : 00 4A 28 03 FF D9 FF FF | .`..TH...J(.....
    > ******************************************
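Added example (not code from either poster or from Synaptics): a checksum check over the bytes of the dump quoted above, recomputing the IPv4 header checksum and the UDP checksum exactly as the poster's decoder would have (pseudo-header length taken from the 30 payload bytes actually present), so the "Correct" and "Incorrect" verdicts can be reproduced rather than taken on trust. The MAC addresses are masked in the post, so the frame is taken from the EtherType onward.

```python
import struct

# Bytes quoted in the dump above, from Ethernet offset 0x0c (the EtherType)
# onward; the masked MAC addresses at 0x00-0x0b are left out.
FRAME_HEX = (
    "08 00 45 00"
    " 00 32 9D D3 00 45 80 11 EB F8 D4 0F A2 F0 C1 A6"
    " 78 03 45 21 FF 00 96 6D F9 52 B9 57 29 C8 0A B9"
    " 04 60 E6 99 54 48 B4 1A 00 4A 28 03 FF D9 FF FF"
)


def inet_checksum(data: bytes) -> int:
    """RFC 1071 Internet checksum over data (zero-padded to an even length)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                      # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def analyse(frame: bytes) -> dict:
    """Verify the IPv4 header checksum, then compute the UDP checksum the way
    a decoder does when it assumes a UDP header follows the IP header."""
    ip = frame[2:]                          # skip the 2-byte EtherType
    ihl = (ip[0] & 0x0F) * 4
    total_len, frag = struct.unpack("!HxxH", ip[2:8])
    frag_offset = frag & 0x1FFF             # in 8-byte units; non-zero = not the first fragment
    proto = ip[9]
    ip_ck = struct.unpack("!H", ip[10:12])[0]
    ip_calc = inet_checksum(ip[:10] + b"\x00\x00" + ip[12:ihl])
    payload = ip[ihl:total_len]
    src, dst = ip[12:16], ip[16:20]

    # UDP view of the payload: ports, length, checksum (RFC 768), with the
    # pseudo-header length set to the bytes actually present in this packet.
    sport, dport, ulen, udp_ck = struct.unpack("!HHHH", payload[:8])
    pseudo = src + dst + struct.pack("!xBH", proto, len(payload))
    udp_calc = inet_checksum(pseudo + payload[:6] + b"\x00\x00" + payload[8:])
    return {
        "ip_checksum": ip_ck, "ip_checksum_ok": ip_ck == ip_calc,
        "fragment_offset": frag_offset, "is_first_fragment": frag_offset == 0,
        "udp_ports": (sport, dport), "udp_length_field": ulen,
        "udp_checksum": udp_ck, "udp_checksum_expected": udp_calc,
    }


if __name__ == "__main__":
    print(analyse(bytes.fromhex(FRAME_HEX)))
```

The wire bytes are EB F8 and F9 52, so the decoder in the post prints the checksum fields byte-swapped (0xf8eb, 0x52f9, 0x396b); the header checksum verifies and the recomputed UDP value is 0x6B39. With a fragment offset of 69 the bytes after the IP header are the payload of a later fragment rather than a UDP header, which is why the port, length and checksum fields read as nonsense.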
    



    This archive was generated by hypermail 2b30 : Tue Nov 27 2001 - 17:27:40 PST