identify illegitimate svchost processes ?

Discussion in 'other security issues & news' started by gambla, Feb 16, 2013.

Thread Status:
Not open for further replies.
  1. gambla

    gambla Registered Member

    Joined:
    Sep 4, 2007
    Posts:
    161
    Location:
    Frankfurt, Germany
    Hi,
    the forum search and web search couldn't help me.

    How do i identify illegitimate / hijacked svchost processes ?
    Can a hijacked svchost show a legit name and be placed in the system32 folder ?

    All i've learned is that:

    - the svchost.exe and all the dlls have to be in the system32 folder
    - network traffice should be limited

    thank you,
    gam
     
  2. The Red Moon

    The Red Moon Registered Member

    Joined:
    May 17, 2012
    Posts:
    3,871
  3. gambla

    gambla Registered Member

    Joined:
    Sep 4, 2007
    Posts:
    161
    Location:
    Frankfurt, Germany
    Thanks, i should've written that i use these great tools to check the svchosts.
    But the question remains how to identify the bad svchosts / dlls.
     
  4. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    1,984
    Location:
    Canada
    Maybe, but highly unlikely. An exploit placing a rogue svchost process there would have to be running at elevated (administrator) privileges.

    Use Process explorer run as administrator and check the paths they reside in and services they spawn, as well as Company name, etc...

    If they reside in %System32% then they are practically 100% guaranteed legit.
     

    Attached Files:

  5. luciddream

    luciddream Registered Member

    Joined:
    Mar 22, 2007
    Posts:
    2,497
    Yep. Stuff like this is an excellent example of why it's a great idea on XP to create another Admin account, log into it, and disable the built in one first thing after a clean install of Windows. The secondary one you create doesn't have the same privileges.

    OS's since have taken the guesswork out of the equation entirely with Standard Accounts as default... a great measure.
     
  6. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    I don't think so. It,s common for modern malware to hijack legit svchost.exe by modifying it in the memory, by dll injection etc.
     
    Last edited: Feb 17, 2013
  7. gambla

    gambla Registered Member

    Joined:
    Sep 4, 2007
    Posts:
    161
    Location:
    Frankfurt, Germany
    @luciddream: Sorry, but i don't entirely understand your post related to the topic. I'm using Win 7 64bit, and for sure LUAs are important but they are another big topic.

    @aigle: That's what i'd say too and my main concern. Let's assume, some malware made it so far and hijacked a legit svchost. Is there any chance to detect the compromised svchost using e.g. process explorer ?
     
  8. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    This is only by memory, but sometime ago I believe Sysinternals author showed some nice ways of finding malware using tools such as Process Explorer. I believe he also showed how to catch hijacked processes as well.

    I don't recall the web page now, but now that you talk about it, I'd like to find it again and see it again as well. I'll see if I can find it (or maybe someone else remembers it).
     
  9. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    1,984
    Location:
    Canada
    I'm not about to argue this, but I am curious, how does this happen when the svchost process is running at System il? Unless the malicious process runs elevated, then it can't write to the svchost process.
     
  10. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    I am not a malware expert to answer this but I have commonly seen malware injecting code into legit processes.
     
  11. luciddream

    luciddream Registered Member

    Joined:
    Mar 22, 2007
    Posts:
    2,497
    What I said related quite well to this topic, actually. I was citing how to make sure what you mentioned can never happen on a Windows OS, from XP through 8. What I said really can't get more relevant, in fact.
     
  12. gambla

    gambla Registered Member

    Joined:
    Sep 4, 2007
    Posts:
    161
    Location:
    Frankfurt, Germany
    Don't get me wrong, no offense here. But afaik it's a matter of fact that the LUA is not sufficient anymore to protect against sophisticated malware anymore.
    I'm far from being an expert, so probably i just misunderstood what you said.
     
  13. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    1,984
    Location:
    Canada
    So now what do you do? You have to start somewhere and put some faith in some sort of tool that unveils detailed information about the processes you are interested in. Supposing svchost can be hijacked as mentioned, can you not use Process Explorer as illustrated above to see its path and services spawned, and look for something that doesn't appear right?
     
  14. gambla

    gambla Registered Member

    Joined:
    Sep 4, 2007
    Posts:
    161
    Location:
    Frankfurt, Germany
    That is the question. Is that all we can do or is there any way to make it easier to identify the bad ones.
     
Loading...
Thread Status:
Not open for further replies.