A friend of mine recently complained about the very bad performance of the Internet connection over her family's LAN. Apparently the Internet connection worked normally most of the time, but certain websites (Facebook for example) performed very badly and sometimes didn't work at all. Additionally, there seemed to be a massive overall drop in performance every evening which rendered the Internet nearly unusable.
Curious about the cause of these problems, I monitored the network traffic visible to my machine for a while and discovered some suspicious traffic. Every minute a Windows 7 host broadcast 12 NetBIOS Name Service packets (one packet/second), apparently asking for an ancient Windows XP machine that gets connected to the LAN (and Internet…) every now and then. The packets looked like this:
12:52:37.567533 IP (tos 0x0, ttl 128, id 17406, offset 0, flags [none], proto UDP (17), length 78)
    192.168.0.2.netbios-ns > 192.168.0.255.netbios-ns: [udp sum ok]
>>> NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
TrnID=0xBC60
OpCode=0
NmFlags=0x11
Rcode=0
QueryCount=1
AnswerCount=0
AuthorityCount=0
AddressRecCount=0
QuestionRecords:
Name=HOSTNAME NameType=0x20 (Server)
QuestionType=0x20
QuestionClass=0x1
I've read that NBNS is used by some malware, but the Kaspersky antivirus software on the host sending these packets wasn't able to find anything malicious. Sadly I haven't been able to monitor the traffic of the whole network yet, especially after the performance drop in the evening.
Could this behavior be caused by malware that looks for vulnerable hosts in the network to infect them and/or activates itself at a specified time in the evening to cause heavy Internet traffic? Do you know malware like this, and how would one identify it? Or am I just paranoid and this is perfectly normal behavior (as you may be able to tell from more experience of what normal network traffic looks like)?
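To check a capture like the one above for yourself, it helps to decode the NBNS packets and count how often a host repeats a broadcast query that never gets a positive answer. The following Python script is an added example, not code from the original post: it encodes and decodes the RFC 1002 name query and positive response formats (the same fields tcpdump prints: TrnID, OpCode, NmFlags, Rcode and the question name/type), then runs a small detector over a constructed sample of packets. The sample traffic, the 192.168.0.x addresses, the names HOSTNAME and PRINTER, and the 10-queries-per-60-seconds threshold are all assumptions chosen to mirror the post; nothing is captured live, and the goal is to separate a stale name lookup from something worth a closer look.

```python
"""Decode NetBIOS Name Service (NBNS, UDP/137) packets per RFC 1001/1002 and
flag hosts that keep broadcasting name queries that nobody answers.
All packets below are constructed in-line; nothing is captured from a network."""
import struct
from collections import defaultdict


def encode_name(name, suffix):
    """First-level encoding: 15 chars space-padded plus a suffix byte, each nibble
    mapped to 'A'..'P', wrapped as a single 32-byte label and a zero terminator."""
    raw = name.upper().encode("ascii").ljust(15, b" ") + bytes([suffix])
    enc = bytes(b for byte in raw for b in (0x41 + (byte >> 4), 0x41 + (byte & 0xF)))
    return b"\x20" + enc + b"\x00"


def read_name(buf, off):
    """Decode the encoded name at buf[off:]; returns (name, suffix, next_off)."""
    if off >= len(buf) or buf[off] != 0x20:
        raise ValueError("expected a 32-byte NetBIOS label")
    enc = buf[off + 1:off + 33]
    if len(enc) != 32:
        raise ValueError("truncated NetBIOS label")
    raw = bytes(((enc[i] - 0x41) << 4) | (enc[i + 1] - 0x41) for i in range(0, 32, 2))
    off += 33
    while off < len(buf) and buf[off] != 0:   # skip any scope-id labels
        off += 1 + buf[off]
    return raw[:15].decode("ascii", "replace").rstrip(" "), raw[15], off + 1


def parse_nbns(payload):
    """Split an NBNS payload into header fields plus question/answer records."""
    if len(payload) < 12:
        raise ValueError("too short for an NBNS header")
    trn_id, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", payload[:12])
    pkt = {"trn_id": trn_id,
           "response": bool(flags & 0x8000),      # R bit
           "opcode": (flags >> 11) & 0xF,         # 0 = query
           "nm_flags": (flags >> 4) & 0x7F,       # AA TC RD RA 0 0 B
           "rcode": flags & 0xF,
           "broadcast": bool(flags & 0x10),       # B bit of NM_FLAGS
           "questions": [], "answers": []}
    off = 12
    for _ in range(qd):
        name, suffix, off = read_name(payload, off)
        qtype, qclass = struct.unpack("!HH", payload[off:off + 4])
        off += 4
        pkt["questions"].append((name, suffix, qtype, qclass))
    for _ in range(an):
        name, suffix, off = read_name(payload, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", payload[off:off + 10])
        rdata = payload[off + 10:off + 10 + rdlen]   # NB_FLAGS (2) + IPv4 (4)
        off += 10 + rdlen
        pkt["answers"].append((name, suffix, rtype, rdata))
    return pkt


def build_query(trn_id, name, suffix=0x20):
    # flags 0x0110: R=0, OPCODE=0 (query), NM_FLAGS=RD|B (0x11), RCODE=0
    return (struct.pack("!HHHHHH", trn_id, 0x0110, 1, 0, 0, 0)
            + encode_name(name, suffix) + struct.pack("!HH", 0x20, 0x01))


def build_positive_response(trn_id, name, ip, suffix=0x20):
    # flags 0x8500: R=1, OPCODE=0, NM_FLAGS=AA|RD, RCODE=0; one NB (0x20) record
    rdata = struct.pack("!H", 0x0000) + bytes(int(o) for o in ip.split("."))
    return (struct.pack("!HHHHHH", trn_id, 0x8500, 0, 1, 0, 0)
            + encode_name(name, suffix)
            + struct.pack("!HHIH", 0x20, 0x01, 300000, len(rdata)) + rdata)


def find_unanswered_broadcasters(packets, window=60, threshold=10):
    """packets: iterable of (timestamp, src_ip, nbns_payload).
    Returns {(src, name): count} for sources that broadcast >= threshold queries
    for one name inside any `window`-second span while no positive response for
    that name appears anywhere in the capture."""
    answered, queries = set(), defaultdict(list)
    for ts, src, payload in packets:
        pkt = parse_nbns(payload)
        if pkt["opcode"] != 0:
            continue
        if pkt["response"]:
            if pkt["rcode"] == 0:
                answered.update(n for n, *_ in pkt["answers"])
        elif pkt["broadcast"]:
            for name, *_ in pkt["questions"]:
                queries[(src, name)].append(ts)
    flagged = {}
    for (src, name), times in queries.items():
        if name in answered:
            continue
        times.sort()
        for i, t0 in enumerate(times):          # sliding window over timestamps
            j = i
            while j < len(times) and times[j] - t0 <= window:
                j += 1
            if j - i >= threshold:
                flagged[(src, name)] = j - i
                break
    return flagged


# Constructed sample: 12 queries in one minute from 192.168.0.2 for HOSTNAME, never
# answered, plus an ordinary query for PRINTER that does get a positive response.
SAMPLE = [(1000 + i, "192.168.0.2", build_query(0xBC60 + i, "HOSTNAME")) for i in range(12)]
SAMPLE.append((1005.0, "192.168.0.7", build_query(0x0101, "PRINTER")))
SAMPLE.append((1005.1, "192.168.0.9", build_positive_response(0x0101, "PRINTER", "192.168.0.9")))

if __name__ == "__main__":
    first = parse_nbns(SAMPLE[0][2])
    q = first["questions"][0]
    print(f"TrnID=0x{first['trn_id']:04X} NmFlags=0x{first['nm_flags']:02X} "
          f"Name={q[0]} NameType=0x{q[1]:02X}")
    for (src, name), n in find_unanswered_broadcasters(SAMPLE).items():
        print(f"{src} sent {n} unanswered broadcast queries for {name!r} within 60 s")
```

A host that re-queries the same absent name once a second for twelve seconds every minute, as the capture above shows, is consistent with a client retrying a resolution for a machine that is simply offline (a mapped drive or shortcut to the old XP box would do it); the detector only tells you which hosts and names to look at, so the next step is to check that host for a stale reference to the name before suspecting anything else, and to capture on a mirrored port or the gateway during the evening slowdown so the actual volume can be seen.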