identify illegitimate svchost processes ?

Hi,
the forum search and web search couldn't help me.

How do i identify illegitimate / hijacked svchost processes ?
Can a hijacked svchost show a legit name and be placed in the system32 folder ?

All i've learned is that:

- the svchost.exe and all the dlls have to be in the system32 folder
- network traffice should be limited

thank you,
gam

 

Maybe you could try this application.
http://svchostviewer.codeplex.com/

Process explorer or process hacker are good also.
Regards.

 

Thanks, i should've written that i use these great tools to check the svchosts.
But the question remains how to identify the bad svchosts / dlls.

 

Maybe, but highly unlikely. An exploit placing a rogue svchost process there would have to be running at elevated (administrator) privileges.

Use Process explorer run as administrator and check the paths they reside in and services they spawn, as well as Company name, etc...

If they reside in %System32% then they are practically 100% guaranteed legit.

 

Yep. Stuff like this is an excellent example of why it's a great idea on XP to create another Admin account, log into it, and disable the built in one first thing after a clean install of Windows. The secondary one you create doesn't have the same privileges.

OS's since have taken the guesswork out of the equation entirely with Standard Accounts as default... a great measure.

 

I don't think so. It,s common for modern malware to hijack legit svchost.exe by modifying it in the memory, by dll injection etc.

 

@luciddream: Sorry, but i don't entirely understand your post related to the topic. I'm using Win 7 64bit, and for sure LUAs are important but they are another big topic.

@aigle: That's what i'd say too and my main concern. Let's assume, some malware made it so far and hijacked a legit svchost. Is there any chance to detect the compromised svchost using e.g. process explorer ?

 

This is only by memory, but sometime ago I believe Sysinternals author showed some nice ways of finding malware using tools such as Process Explorer. I believe he also showed how to catch hijacked processes as well.

I don't recall the web page now, but now that you talk about it, I'd like to find it again and see it again as well. I'll see if I can find it (or maybe someone else remembers it).

 

I'm not about to argue this, but I am curious, how does this happen when the svchost process is running at System il? Unless the malicious process runs elevated, then it can't write to the svchost process.

 

I am not a malware expert to answer this but I have commonly seen malware injecting code into legit processes.

 

What I said related quite well to this topic, actually. I was citing how to make sure what you mentioned can never happen on a Windows OS, from XP through 8. What I said really can't get more relevant, in fact.

 

Don't get me wrong, no offense here. But afaik it's a matter of fact that the LUA is not sufficient anymore to protect against sophisticated malware anymore.
I'm far from being an expert, so probably i just misunderstood what you said.

 

So now what do you do? You have to start somewhere and put some faith in some sort of tool that unveils detailed information about the processes you are interested in. Supposing svchost can be hijacked as mentioned, can you not use Process Explorer as illustrated above to see its path and services spawned, and look for something that doesn't appear right?

 

That is the question. Is that all we can do or is there any way to make it easier to identify the bad ones.