How It Took Me Two and A Half Years To Find A Backdoor

Discussion in 'malware problems & news' started by itman, Dec 28, 2015.

  1. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    2,969
    Location:
    U.S.A.
    Please bear with me on this posting since the time period involved spans two and a half years. I will try to be as brief as possible.

    Way back in May, 2013, I posted this topic: https://www.wilderssecurity.com/threads/is-there-a-hidden-backdoor-in-jmicron-chipset-drivers.347184/. In summary, I had downloaded a JMicron IDE driver update that supported the chipset on my motherboard. Shortly thereafter, I observed strange outbound connections. What I didn't state in this link is that I was using Norton IS at the time and it had blocked an outbound FTP connection, TCP port 21, from searchprotocolhost.exe.

    I subsequently uninstalled the downloaded JMicron IDE driver and reverted back to the WIN 7 default driver, which was by the way also a JMicron driver. Thought that resolved the issue. In the next couple of years, Norton expired and I started using Emsisoft EAM and the WIN 7 firewall. So, I was not monitoring outbound connections. The PC during this time was never quite right, however. Win Explorer would crash frequently and I never could figure out why, etc. Earlier this current year, I installed Eset Smart Security and started monitoring outbound connections using its firewall.

    Starting last summer, IE 10 started acting up quite a bit. One pronounced event was frequent memory violations, usually in mshtml.exe, that crashed IE. I even had a malware expert at Emsisoft check out my PC and it was deemed "clean" with no issues. The problem persisted with IE crashes. I did trace part of the issue back to the webcachexx.dat files IE uses. Clearing those would stop the IE crashes for a while, but the problem would reappear.

    I decided to update to IE 11 thinking that would resolve the issue. Shortly after the install, Eset's firewall detected the same outbound TCP port 21 connection to IP address 211.75.121.162 as had happened way back in 2013. That IP address is not a public web address and is associated with Taiwan (HiNet) Chunghwa Telecom Co., Ltd.; HiNet Chunghwa Telecom Co., Ltd. In the past it has been associated with JMicron driver downloads. I have not seen any recent relationships with that IP address to JMicron. I blocked the port 21 connection using Eset's firewall and made a mental note of it.

    After the IE 11 install, all was well for a while. However, the same issues arose again. Fed up, I decided to set IE 11 back to default settings. Shortly thereafter, again another outbound connection to IP address 211.75.121.162, TCP port 21. So it became quite evident that some backdoor activity was going on here and it was affecting my browser settings.

    After a bit of research, I noted that searchprotocolhost.exe is part of the Windows Search feature. I uninstalled Windows Search and right away could see how a backdoor could reside there, since this software resides deep in the OS and the uninstall required a reboot with a noticeable time lag, as occurs after a Win Update. I then cleared out my webcache again and reinstalled Windows Search. Haven't had an issue since.

    Reflecting on all this, Win Search is an ideal place for a backdoor to reside, since it has complete access to your installation hard drive. This backdoor appears to be spyware or sophisticated adware that only affects your browser. It is also completely undetectable aside from its FTP connection after a browser change.

    Moral of this story is if you even suspect a backdoor has been installed, time to reformat and reinstall your OS.
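    The indicator the post hinges on is a single observation: an outbound FTP control connection (TCP port 21) owned by a process that has no reason to talk to the network, the Windows Search indexer. The following PowerShell script is an added example written for this thread, not code from the poster or from any vendor mentioned; it lists current outbound TCP connections, resolves the owning process, and flags the three things described above (remote port 21, the address the post reports, and any process not on a local allow-list). The allow-list is a constructed placeholder to adjust per host; the script assumes PowerShell 3 or later and uses netstat -ano, which exists on Windows 7 and later.

    ```powershell
    # Added example, not code from the thread. Flags outbound TCP connections that match the
    # indicators in the post: remote port 21, the remote address reported there, or an owning
    # process that is not expected to make network connections at all (e.g. SearchProtocolHost).
    # Assumes PowerShell 3+ on Windows; run from an elevated prompt so all process paths resolve.

    $ExpectedNetworkProcesses = @('iexplore', 'chrome', 'firefox', 'svchost', 'ekrn')  # constructed allow-list; adjust
    $SuspiciousRemotePorts    = @(21)                # FTP control channel
    $KnownBadRemotes          = @('211.75.121.162')  # address reported in the thread

    function Get-OutboundTcpConnection {
        # Parse "netstat -ano" rows of the form:  TCP  local:port  remote:port  STATE  PID
        netstat -ano | Select-String -Pattern '^\s*TCP\s' | ForEach-Object {
            $f = $_.Line.Trim() -split '\s+'
            if ($f.Count -lt 5) { return }            # skip anything that is not a connection row
            $remote = $f[2]
            $i = $remote.LastIndexOf(':')             # handles [::1]:443 as well as 1.2.3.4:21
            [pscustomobject]@{
                LocalAddress  = $f[1]
                RemoteAddress = $remote.Substring(0, $i).Trim('[', ']')
                RemotePort    = [int]$remote.Substring($i + 1)
                State         = $f[3]
                OwningProcess = [int]$f[4]
            }
        } | Where-Object { @('ESTABLISHED', 'SYN_SENT') -contains $_.State }   # outbound or connecting only
    }

    function Find-SuspiciousOutbound {
        Get-OutboundTcpConnection | ForEach-Object {
            $conn = $_
            $proc = Get-Process -Id $conn.OwningProcess -ErrorAction SilentlyContinue
            $name = if ($proc) { $proc.ProcessName } else { "pid-$($conn.OwningProcess)" }
            $path = $null
            if ($proc) { try { $path = $proc.Path } catch { } }   # Path can fail for protected processes
            $why = @()
            if ($SuspiciousRemotePorts -contains $conn.RemotePort)  { $why += "remote port $($conn.RemotePort)" }
            if ($KnownBadRemotes -contains $conn.RemoteAddress)      { $why += 'known remote address' }
            if ($ExpectedNetworkProcesses -notcontains $name)        { $why += 'process not on allow-list' }
            if ($why.Count -eq 0) { return }
            [pscustomobject]@{
                Process = $name
                Path    = $path
                Remote  = '{0}:{1}' -f $conn.RemoteAddress, $conn.RemotePort
                State   = $conn.State
                Reason  = $why -join '; '
            }
        }
    }

    # Run after a browser install or settings reset (the moments the post ties the connection to);
    # any row naming an indexer or shell process next to a port-21 remote deserves a closer look.
    Find-SuspiciousOutbound | Sort-Object Process | Format-Table -AutoSize
    ```

    Because the connection in the post appeared only briefly after a browser change, a one-off run can miss it; scheduling the script or wrapping the last line in a loop with a short sleep gives the same kind of record the firewall log provided. The process path column is what makes a hit actionable: a system binary running from an unexpected directory is a stronger signal than the port alone.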
     
  2. svenfaw

    svenfaw Registered Member

    Joined:
    May 7, 2012
    Posts:
    136
    Do you still have a copy of the driver? If so, can you check the certificate chain?
     
  3. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    2,969
    Location:
    U.S.A.
    Interesting. Looking through my download history, I have two zip files from the period in question.

    The first is a plain zip file downloaded in Feb., 2013. I believe that one is from the JMicron ftp site.

    The second is a 7-zip file that I believe I downloaded from the Gigabyte web site since it has a Setup utility associated with it.

    I can send both to you. Just PM me your e-mail address.

    -EDIT-

    I just checked the sigs in the security catalog for all the downloads. They all look legit and paths look OK. Certs are all valid and are Microsoft's.
     
    Last edited: Dec 28, 2015
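    The check svenfaw asks for and itman describes (verifying the signatures and the certificate chain of the downloaded driver package, including its security catalog) can be scripted so the result is a table rather than a manual walk through file properties. The script below is an added example for this thread, not code from either poster; the folder path is a placeholder for the extracted package. For each .sys/.dll/.exe/.cat it reports the Authenticode status, the signer, and whether a chain builds to a trusted root; for catalog-signed drivers it additionally checks the files on disk against the hashes in the .cat. It assumes Windows PowerShell 5.1 (Test-FileCatalog and the SignatureType property are 5.1 features); on older versions the catalog step is skipped.

    ```powershell
    # Added example, not code from the thread. Verifies a downloaded driver package:
    #  1. per-file Authenticode status, signer and certificate chain
    #  2. for catalog-signed drivers, that files on disk still match the hashes in the .cat
    # Assumes Windows PowerShell 5.1; $DriverFolder is a placeholder, not a path from the thread.

    $DriverFolder = 'C:\Temp\driver-package'   # placeholder: point at the extracted package

    function Get-ChainSummary {
        param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
        # Build the chain from the signing certificate up to a trusted root and report problems.
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = 'NoCheck'   # offline check; use 'Online' to consult CRL/OCSP
        $ok = $chain.Build($Cert)
        $names = $chain.ChainElements | ForEach-Object { $_.Certificate.GetNameInfo('SimpleName', $false) }
        [pscustomobject]@{
            ChainValid = $ok
            Chain      = $names -join ' -> '
            Problems   = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
        }
    }

    function Test-DriverPackage {
        param([string]$Folder)
        $files = Get-ChildItem -Path $Folder -Recurse -File |
                 Where-Object { @('.sys', '.dll', '.exe', '.cat') -contains $_.Extension }
        foreach ($f in $files) {
            $sig = Get-AuthenticodeSignature -FilePath $f.FullName
            $row = [ordered]@{
                File   = $f.Name
                Status = $sig.Status            # Valid, NotSigned, HashMismatch, UnknownError, ...
                Type   = if ($sig.PSObject.Properties['SignatureType']) { $sig.SignatureType } else { 'n/a' }
                Signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
            }
            if ($sig.SignerCertificate) {
                $c = Get-ChainSummary -Cert $sig.SignerCertificate
                $row.ChainValid = $c.ChainValid
                $row.Chain      = $c.Chain
                $row.Problems   = $c.Problems
            }
            [pscustomobject]$row
        }
    }

    function Test-DriverCatalog {
        param([string]$Folder)
        # Test-FileCatalog (PowerShell 5.1+) compares files in the folder with the hashes in the
        # catalog. A ValidationFailed result means a listed file was altered, or the folder holds
        # files the catalog does not cover (setup utilities, readmes); use -Detailed to tell which.
        if (-not (Get-Command Test-FileCatalog -ErrorAction SilentlyContinue)) { return }
        Get-ChildItem -Path $Folder -Recurse -Filter *.cat | ForEach-Object {
            [pscustomobject]@{
                Catalog = $_.Name
                Result  = Test-FileCatalog -CatalogFilePath $_.FullName -Path $_.DirectoryName -FilesToSkip $_.Name
            }
        }
    }

    Test-DriverPackage -Folder $DriverFolder | Format-Table -AutoSize
    Test-DriverCatalog -Folder $DriverFolder | Format-Table -AutoSize
    ```

    A Valid status with a chain ending in a trusted Microsoft root is what itman's "Certs are all valid and are Microsoft's" corresponds to for a WHQL-signed package; the useful negative results are HashMismatch (a file changed after signing), NotSigned on a file the package claims is covered, or a chain that only builds because of an untrusted root added to the machine store.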