
Solved Legitimate Windows Update traffic?

Discussion in 'Malware and Virus Removal Archive' started by cdonner, 2009/04/04.

Thread Status:
Not open for further replies.
  1. 2009/04/04
    cdonner

    cdonner Inactive Thread Starter

    Joined:
    2009/04/04
    Messages:
    2
    Likes Received:
    0
    [Resolved] Legitimate Windows Update traffic?

    I am in the process of cleaning up a Mebroot root kit infection, and so far it is looking good. I am not sure if this traffic that I see on the Pix firewall after boot and prior to logging on to the (XP) system is legitimate. This appears to be the case, but 70.37.129.93 resolves to cds88.ewr9.llnw.net (Limelight Networks), which does not seem to be right. Is this the root kit trying to reinstall itself, using a mechanism that looks like Windows Update?


    65.55.52.84
    /v8/microsoftupdate/redir/muv3muredir.cab?0904041351

    00000020: 48 45 41 44 20 2f 76 38 | HEAD /v8
    00000030: 2f 6d 69 63 72 6f 73 6f 66 74 75 70 64 61 74 65 | /microsoftupdate
    00000040: 2f 72 65 64 69 72 2f 4d 55 41 75 74 68 2e 63 61 | /redir/MUAuth.ca
    00000050: 62 3f 30 39 30 34 30 34 31 33 35 30 20 48 54 54 | b?0904041350 HTT
    00000060: 50 2f 31 2e 31 0d 0a 41 63 63 65 70 74 3a 20 2a | P/1.1..Accept: *
    00000070: 2f 2a 0d 0a 55 73 65 72 2d 41 67 65 6e 74 3a 20 | /*..User-Agent:
    00000080: 57 69 6e 64 6f 77 73 2d 55 70 64 61 74 65 2d 41 | Windows-Update-A

    (then sends quite a bit of binary data to this IP)


    70.37.129.93
    /v8/microsoftupdate/redir/muv3muredir.cab?0904041350

    00000020: 48 45 41 44 20 2f 76 38 | HEAD /v8
    00000030: 2f 6d 69 63 72 6f 73 6f 66 74 75 70 64 61 74 65 | /microsoftupdate
    00000040: 2f 72 65 64 69 72 2f 6d 75 76 33 6d 75 72 65 64 | /redir/muv3mured
    00000050: 69 72 2e 63 61 62 3f 30 39 30 34 30 34 31 33 35 | ir.cab?090404135
    00000060: 30 20 48 54 54 50 2f 31 2e 31 0d 0a 41 63 63 65 | 0 HTTP/1.1..Acce
    00000070: 70 74 3a 20 2a 2f 2a 0d 0a 55 73 65 72 2d 41 67 | pt: */*..User-Ag
    00000080: 65 6e 74 3a 20 57 69 6e 64 6f 77 73 2d 55 70 64 | ent: Windows-Upd


    70.37.129.92
    GET /msdownload/update/software/dflt/2008/05/1271848_bb1118204437536ac97

    00000020: 47 45 54 20 2f 6d 73 64 | GET /msd
    00000030: 6f 77 6e 6c 6f 61 64 2f 75 70 64 61 74 65 2f 73 | ownload/update/s
    00000040: 6f 66 74 77 61 72 65 2f 64 66 6c 74 2f 32 30 30 | oftware/dflt/200
    00000050: 38 2f 30 35 2f 31 32 37 31 38 34 38 5f 62 62 31 | 8/05/1271848_bb1
    00000060: 31 31 38 32 30 34 34 33 37 35 33 36 61 63 39 37 | 118204437536ac97


    70.37.129.92
    GET /msdownload/update/software/dflt/2008/06/1312876_dc77d655e6bee0efdb65ebc87b8caec918419ca

    00000020: 47 45 54 20 2f 6d 73 64 | GET /msd
    00000030: 6f 77 6e 6c 6f 61 64 2f 75 70 64 61 74 65 2f 73 | ownload/update/s
    00000040: 6f 66 74 77 61 72 65 2f 64 66 6c 74 2f 32 30 30 | oftware/dflt/200
    00000050: 38 2f 30 36 2f 31 33 31 32 38 37 36 5f 64 63 37 | 8/06/1312876_dc7
    00000060: 37 64 36 35 35 65 36 62 65 65 30 65 66 64 62 36 | 7d655e6bee0efdb6
    00000070: 35 65 62 63 38 37 62 38 63 61 65 63 39 31 38 34 | 5ebc87b8caec9184
    00000080: 31 39 63 61 32 2e 63 61 62 20 48 54 54 50 2f 31 | 19ca2.cab HTTP/1


    70.37.129.93
    GET /msdownload/update/software/dflt/2008/12/2043841_238851401f688aac14532eae9f5f60b6f49c119

    00000020: 47 45 54 20 2f 6d 73 64 | GET /msd
    00000030: 6f 77 6e 6c 6f 61 64 2f 75 70 64 61 74 65 2f 73 | ownload/update/s
    00000040: 6f 66 74 77 61 72 65 2f 64 66 6c 74 2f 32 30 30 | oftware/dflt/200
    00000050: 38 2f 31 32 2f 32 30 34 33 38 34 31 5f 32 33 38 | 8/12/2043841_238
    00000060: 38 35 31 34 30 31 66 36 38 38 61 61 63 31 34 35 | 851401f688aac145
    00000070: 33 32 65 61 65 39 66 35 66 36 30 62 36 66 34 39 | 32eae9f5f60b6f49
    00000080: 63 31 31 39 35 2e 63 61 62 20 48 54 54 50 2f 31 | c1195.cab HTTP/1


    70.37.129.93
    GET /msdownload/update/software/dflt/2008/08/1480514_46ba15120b76720fd51d5707c01db177c9914bb

    00000020: 47 45 54 20 2f 6d 73 64 | GET /msd
    00000030: 6f 77 6e 6c 6f 61 64 2f 75 70 64 61 74 65 2f 73 | ownload/update/s
    00000040: 6f 66 74 77 61 72 65 2f 64 66 6c 74 2f 32 30 30 | oftware/dflt/200
    00000050: 38 2f 30 38 2f 31 34 38 30 35 31 34 5f 34 36 62 | 8/08/1480514_46b
    00000060: 61 31 35 31 32 30 62 37 36 37 32 30 66 64 35 31 | a15120b76720fd51
    00000070: 64 35 37 30 37 63 30 31 64 62 31 37 37 63 39 39 | d5707c01db177c99
    00000080: 31 34 62 62 63 2e 63 61 62 20 48 54 54 50 2f 31 | 14bbc.cab HTTP/1


    70.37.129.93
    GET /msdownload/update/software/dflt/2008/10/1758923_953845f90b58ab1fabe3ab5f34361b5407bcdab

    00000020: 47 45 54 20 2f 6d 73 64 | GET /msd
    00000030: 6f 77 6e 6c 6f 61 64 2f 75 70 64 61 74 65 2f 73 | ownload/update/s
    00000040: 6f 66 74 77 61 72 65 2f 64 66 6c 74 2f 32 30 30 | oftware/dflt/200
    00000050: 38 2f 31 30 2f 31 37 35 38 39 32 33 5f 39 35 33 | 8/10/1758923_953
    00000060: 38 34 35 66 39 30 62 35 38 61 62 31 66 61 62 65 | 845f90b58ab1fabe
    00000070: 33 61 62 35 66 33 34 33 36 31 62 35 34 30 37 62 | 3ab5f34361b5407b
    00000080: 63 64 61 62 65 2e 63 61 62 20 48 54 54 50 2f 31 | cdabe.cab HTTP/1

    70.37.129.93
    GET /msdownload/update/software/dflt/2009/02/2416706_09382a3cc5cb81155c0287d8bfd2fa557be8bc3

    00000020: 47 45 54 20 2f 6d 73 64 | GET /msd
    00000030: 6f 77 6e 6c 6f 61 64 2f 75 70 64 61 74 65 2f 73 | ownload/update/s
    00000040: 6f 66 74 77 61 72 65 2f 64 66 6c 74 2f 32 30 30 | oftware/dflt/200
    00000050: 39 2f 30 32 2f 32 34 31 36 37 30 36 5f 30 39 33 | 9/02/2416706_093
    00000060: 38 32 61 33 63 63 35 63 62 38 31 31 35 35 63 30 | 82a3cc5cb81155c0
    00000070: 32 38 37 64 38 62 66 64 32 66 61 35 35 37 62 65 | 287d8bfd2fa557be
    00000080: 38 62 63 33 64 2e 63 61 62 20 48 54 54 50 2f 31 | 8bc3d.cab HTTP/1
     
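As an added example (not from the original post), a small parser that rebuilds the HTTP request from the hex column of a dump in the layout shown above, then applies a triage check against the Windows Update path prefixes and User-Agent prefix seen in the post. The sample dump is the first HEAD capture from the post; the path allowlist is an assumption drawn only from the requests shown, and the check is a heuristic, not proof that traffic is legitimate.

```python
import re

# Constructed sample: the first HEAD request from the post, in the "offset: hex | ascii"
# layout of the firewall capture. The ASCII column of the last line is truncated,
# so the hex column is treated as the authority.
SAMPLE_DUMP = """\
00000020: 48 45 41 44 20 2f 76 38 | HEAD /v8
00000030: 2f 6d 69 63 72 6f 73 6f 66 74 75 70 64 61 74 65 | /microsoftupdate
00000040: 2f 72 65 64 69 72 2f 4d 55 41 75 74 68 2e 63 61 | /redir/MUAuth.ca
00000050: 62 3f 30 39 30 34 30 34 31 33 35 30 20 48 54 54 | b?0904041350 HTT
00000060: 50 2f 31 2e 31 0d 0a 41 63 63 65 70 74 3a 20 2a | P/1.1..Accept: *
00000070: 2f 2a 0d 0a 55 73 65 72 2d 41 67 65 6e 74 3a 20 | /*..User-Agent:
00000080: 57 69 6e 64 6f 77 73 2d 55 70 64 61 74 65 2d 41 | Wind
"""

# offset, then one or more two-digit hex bytes, then the '|' separator
DUMP_LINE = re.compile(r"^\s*[0-9a-fA-F]+:\s*((?:[0-9a-fA-F]{2}\s+)+)\|")
# Path prefixes of the update requests in the post (an assumed allowlist).
WU_PATH_PREFIXES = ("/v8/microsoftupdate/redir/", "/msdownload/update/software/")

def decode_dump(dump: str) -> bytes:
    """Rebuild the captured bytes from the hex column only."""
    out = bytearray()
    for line in dump.splitlines():
        m = DUMP_LINE.match(line)
        if m:
            out.extend(bytes.fromhex("".join(m.group(1).split())))
    return bytes(out)

def parse_request(raw: bytes) -> dict:
    """Split recovered bytes into request line and headers (CRLF separated).
    A header cut off by the end of the capture keeps its partial value."""
    lines = raw.decode("ascii", errors="replace").split("\r\n")
    method, path, version = lines[0].split(" ", 2)
    headers = {}
    for hdr in lines[1:]:
        name, sep, value = hdr.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return {"method": method, "path": path, "version": version, "headers": headers}

def looks_like_windows_update(req: dict) -> bool:
    """Triage heuristic only: the request has the shape of the update traffic
    in the post. A path and User-Agent can be imitated, so the deciding check
    remains whether the destination IP belongs to Microsoft's update CDN."""
    ua = req["headers"].get("user-agent", "")
    return (req["method"] in ("HEAD", "GET")
            and req["version"] == "HTTP/1.1"
            and req["path"].startswith(WU_PATH_PREFIXES)
            and ua.startswith("Windows-Update-"))
```

Feeding each dump from the post through decode_dump recovers the full request line, including the parts the capture's ASCII column cut off.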
  2. 2009/04/04
    cdonner

    cdonner Inactive Thread Starter

    Joined:
    2009/04/04
    Messages:
    2
    Likes Received:
    0
    Never mind

    False alarm: 70.37.129.93 (mscom-wuiecnb2ewr.vo.llnwd.net) is download.windowsupdate.com, and windowsupdate.com is registered by

    Registrant:
    Microsoft Corporation
    Domain Administrator
    One Microsoft Way .
    Redmond, WA 98052-6399
    US
     
