ASF wierdness

Freemor · 06-05-2006, 01:17 AM

I just had a interesting evening caused by of all things a (what seems to me) very strangely formated .asf file.

Things unfolded like this..

I was listening to a stream on the net while watching
network traffic with etherape, which I do periodically
to ensure that there isn't any network "wierdness"
going on.

I noticed something trying to connect to 192.168.22.5
which most definitely does not exist in my LAN (o.k.
that counts as wierdness)

after a little digging I tracked it down to the Stream
I had been listening to at the time. When I wget'ted
the asf for the stream it was formated like:

Ref1=http://real.ip.addy/name_of_stream
Ref2=http://192.168.22.5:80/name_of_stream

So after all this rambling my question is What is up with that second Ref. Is this some Windows wierdness I don't know of yet? I can't think of any reason that they would put an internal IP addy in an ASF stream descriptor. Anyboy have some idea of what they are trying to accomplish here??

Thanks in advance
Freemor

osor · 06-05-2006, 01:39 AM

I guess it might be an attempt at a virus?

It could also be that the author used buggy software that inadvertently leaked his internal ip.

Freemor · 06-05-2006, 09:36 AM

Well I certianly hope it isn't a virus attempt as it is coming from a major radio station in Toronto's stream.

I've googled that IP addy and there are some indication's that it is one favoured by Cisco routers. If so and if this is there due to buggy code (does seem to be the type of ASF that is assembled on the fly). They are exposing information that might be useful to malicious hackers. not good.

I'm still wondering if it isn't tied into some other malware/spyware or Windows Media Player weirdness for tracking/demographic reasons.

After having been able to sleep on it and mull it further I'm definitely leaning more to the buggy code side.. as I fail to see how making a media player attampt to connect even a hidden virtual adapter with that address would do much, as the content would have to be on one's computer all ready and, if so, there are most likely far more effective methods of using the content.