SVCHOST.EXE under siege.


5aLIVE
October 27th, 2008, 05:34
My PC is running XP Home SP3 and recently I noticed that a copy of SVCHOST.EXE used for DCOM and terminal services is being used to connect and disconnect to random websites and mail servers and SYN flooding them and incrementing through the network ports as it goes.

Once connected to particular sites it attempts to execute ActiveX, VB and Java scripts.

I ran ProcessExplorer to find the process ID of the offending generic host.
Once I did that, I confirmed that only the DCOM Launch and Termservices were using SVCHOST.

What I wanted to do was try and find a way to identify all the DLLs which were using this host. I tried
attaching to the host in OllyDbg and then viewing the executable modules to see if I could find the rogue DLL.
There didn't appear to be anything suspicious looking (to me) here.

I tried scanning my Windows folder with NOD32 and SUPERAntispyware, which couldn't find anything. I also ran the
BitDefender online scanner which identified the file C:\WINDOWS\system32\bnts32.dll as:

DeepScan:Generic.Clicker.Lobgal.FB7B9232.

Why didn't OllyDbg show this rogue DLL in its list of executable modules? Is it something I have overlooked or
do I need to use a different tool or technique?

A Google search revealed no information on this malware. I can attach a zipped and password protected copy of the malware if anyone is interested. I wonder if the infection had anything to do with the latest MS08-067 exploit. I've installed this patch too.

Deleting the suspicious DLL file seems to have fixed the problem.

UPDATE: Since posting this, my firewall showed a process with no name try to open the closed telnet port. So it looks like I've got another nasty hiding away. Can anyone suggest how I can identify this hidden process?

Damn it! I'm also seeing an outgoing HTTPS connection to paypal.com via port 1414.


Thanks for reading.

esther
October 27th, 2008, 06:38
you might wanna try process explorer from sysinternals
gluck

Kayaker
October 27th, 2008, 16:02
Maybe iDefense SysAnalyzer might be useful?

http://labs.idefense.com/software/malcode.php

Darren
October 27th, 2008, 16:50
http://www.gmer.net/

useful little tool for finding hidden and cloaked stuff

dELTA
October 29th, 2008, 08:09
Once you're rooted like this, it can be extremely hard to detect all the hidden stuff that's going on. There are gazillion ways to hide stuff once you're in the system, and the malware guys are using rootkits that hide all the way from boot sector code now (google "Mebroot").

I would definitely never again trust a computer (or rather operating system installation) that has been rooted/infected at some point, no matter how much stuff I would detect and successfully remove from it...

But sure, it could be an interesting reversing adventure to at least track down some of it, if you have the spare time for it.

In regards to hiding code in svchost, I have analyzed malware that performs the simple trick of loading a DLL, copying code into dynamically allocated memory, jumping to this code and finally unloading the DLL, making sure that it will never show up in any subsequent DLL enumeration. Look for threads that are executing code outside any known module code section in this particular case. But again, there are infinite amounts of other tricks.
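The check described above, as an added example that is not code from the thread: given a module map (sections with their memory protection) and each thread's start address, flag any thread that does not start inside an executable section of a known module. The module map and thread list are constructed sample data standing in for what Process Explorer or the Toolhelp/PSAPI APIs would report on a live process.

```python
"""Flag threads whose start address lies outside any executable section of a
loaded module. Added example; the module map and thread start addresses below
are constructed sample data, not taken from a real svchost.exe instance."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Section:
    module: str       # owning module, e.g. "ntdll.dll"
    name: str         # section name, e.g. ".text"
    start: int        # virtual address where the section is mapped
    size: int         # size in bytes
    executable: bool  # mapped with EXECUTE protection


def classify(addr, sections):
    """Return ("code", module), ("data", module) or ("unbacked", None)."""
    for s in sections:
        if s.start <= addr < s.start + s.size:   # end address is exclusive
            return ("code" if s.executable else "data", s.module)
    return ("unbacked", None)


def suspicious_threads(threads, sections):
    """threads: {tid: start_address}. Returns [(tid, verdict, module)] for
    every thread that does not start inside an executable section."""
    out = []
    for tid, addr in sorted(threads.items()):
        verdict, mod = classify(addr, sections)
        if verdict != "code":
            out.append((tid, verdict, mod))
    return out


# Constructed sample: a trimmed module map for one svchost.exe process.
SAMPLE_SECTIONS = [
    Section("svchost.exe", ".text", 0x01001000, 0x00002000, True),
    Section("svchost.exe", ".data", 0x01003000, 0x00001000, False),
    Section("ntdll.dll", ".text", 0x7C901000, 0x0007F000, True),
    Section("ntdll.dll", ".data", 0x7C980000, 0x00011000, False),
]
# Constructed thread start addresses: two legitimate, one inside a data
# section, one in memory backed by no module at all (heap/VirtualAlloc).
SAMPLE_THREADS = {1234: 0x01001A40, 1238: 0x7C90E514,
                  1250: 0x01003200, 1262: 0x00390020}

if __name__ == "__main__":
    for tid, verdict, mod in suspicious_threads(SAMPLE_THREADS, SAMPLE_SECTIONS):
        where = f" in {mod}" if mod else ""
        print(f"thread {tid}: start 0x{SAMPLE_THREADS[tid]:08X} is {verdict}{where}")
```

On a live system the inputs come from the process's module list and the real start address of each thread (the ThreadQuerySetWin32StartAddress information class of NtQueryInformationThread); a thread that starts inside a module is not proof of innocence, since injected code can begin at a legitimate export and jump elsewhere.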

evaluator
October 30th, 2008, 04:02
in one word, you need to analyze your HDD from another system or PC..

donny
November 13th, 2008, 05:06
you can use RootKitUnHooker to see what process is hooked and on what address. it is recommended that you stop your antivirus before running it.

you can also unhook process or force file to be deleted on reboot
http://www.uploadjockey.com/download/9666724/rootkit_unhooker_3.8.341.553.rar

5aLIVE
November 14th, 2008, 08:02
Thanks for all the replies, in the end I resorted to Delta's advice and prepped a fresh install as I needed to ensure that my PC was clean as quickly as possible. I had a look at the rootkit unhooker (on my fresh install). It looks like a useful tool, most of the system hooks are used by my firewall which is normal.

I don't pretend to understand what all the different hook types are at the moment although I will be sure to educate myself by reading the manual provided in the archive. Thanks Donny.

Out of interest, what anti spyware tools do you guys use and rate? I appreciate that no one tool can be expected to catch everything and that a few are best used to improve detection.

Thanks again.

dELTA
November 14th, 2008, 15:20
Quote (originally posted by 5aLIVE):
> Out of interest, what anti spyware tools do you guys use and rate? I appreciate that no one tool can be expected to catch everything and that a few are best used to improve detection.

Don't run any executable from an untrusted source.
Personal firewall (Norton 2004, last version before major bloating)
Secunia PSI (very important one!)
Fortego All-Seeing Eye (nice to have a chance to know if something bad happens as a last resort)
Signature based antivirus/antispyware is really quite useless all in all, since detection rates are dropping to ridiculous numbers, and it only takes one non-detection and you're toast (as stated in my previous posts in this thread, uninfection can never be done in a trustworthy way).

Cthulhu
November 17th, 2008, 14:10
Hi 5aLive!
Do you still have a copy of this malware?