svchost.exe

Discussion in 'other firewalls' started by JimboW, Feb 23, 2011.

Thread Status:
Not open for further replies.
  1. JimboW

    JimboW Registered Member

    Joined:
    Oct 22, 2010
    Posts:
    209
    To stream video and music to my PS3 I have to allow outgoing connections for svchost.exe.

    Problem is, I've encountered a lot of malware that likes to disguise itself as svchost. Are there any workarounds?
     
  2. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    When you make an outbound rule for svchost, you will specify an IP address. Malware disguising itself as svchost and attempting to connect outbound will be flagged, as shown here from an old Netsky exploit:


    Three reasons the firewall will alert:

    1) Unauthorized IP address

    2) Wrong directory (.../temp)

    3) Unauthorized MD5 Hash

    The first will be stored in your filter rules as a custom address.

    The second two -- path/directory and MD5 binary -- are stored somewhere in your Firewall Configuration:



    ----
    rich
     
  3. JimboW

    JimboW Registered Member

    Joined:
    Oct 22, 2010
    Posts:
    209
    Thanks Rich, this helps a lot. At the moment I'm using Windows Firewall Control V2, where only programs I allow can access the internet. This means I allow svchost in the system32 folder. Will a disguised svchost always be in the temp folder, or can it overwrite the real svchost? Is this a safe setup, or should I choose a different firewall (HIPS)? I guess if I wasn't streaming to the PS3 I wouldn't need to allow this file and it would be a non-issue. Thanks!
     
  4. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    No, I've seen one put in a startup location so that it would run each time the victim booted the computer.

    I did a test, copying a bogus svchost.exe to \system32, and my security blocked:

    svchost_copy1.gif

    Then I turned off my security and did the test again, and Windows prompts:

    svchost_copy2.gif

    So unless there is other trickery involved, I don't see the original file being overwritten w/o my permission. Besides, Windows File Protection, which monitors system files, would replace it with one from the dll cache, so this would be another hurdle for the malware to overcome.

    Also, current malware uses injection tricks to control processes, not just using bogus files. Just look at a Conficker analysis.

    I can't answer that question for you. Others more knowledgeable about firewalls/HIPS products will have to make recommendations.


    regards,

    -rich
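As an added illustration (not code from the thread or from any firewall product), here is the three-part check Rich describes in post 2 (destination address, image path, MD5 of the binary) applied to constructed sample connection attempts, including post 4's case of a bogus file copied over the real path. The rule path, the LAN range, the remote addresses and the image bytes are all assumptions made up for the example.

```python
import hashlib
import ipaddress
from dataclasses import dataclass
from pathlib import PureWindowsPath

@dataclass(frozen=True)
class SvchostRule:
    """The outbound rule the thread describes: one image path, its MD5, allowed addresses."""
    path: str
    md5: str
    networks: tuple  # ipaddress network objects

@dataclass(frozen=True)
class Attempt:
    """An outbound connection attempt by a process whose image is named svchost.exe."""
    path: str        # full path of the image on disk
    image: bytes     # image bytes (a real firewall hashes the file; constructed here)
    remote_ip: str

def md5_hex(data: bytes) -> str:
    # MD5 because that is what the thread's firewall stored; a current product
    # would compare SHA-256 or verify the Authenticode signature instead.
    return hashlib.md5(data).hexdigest()

def build_rule(trusted_image: bytes, trusted_path: str, networks) -> SvchostRule:
    return SvchostRule(trusted_path, md5_hex(trusted_image),
                       tuple(ipaddress.ip_network(n) for n in networks))

def check_attempt(rule: SvchostRule, attempt: Attempt) -> list:
    """Return the alert reasons for this attempt; an empty list means the rule allows it."""
    reasons = []
    if not any(ipaddress.ip_address(attempt.remote_ip) in n for n in rule.networks):
        reasons.append("unauthorized IP address")
    if PureWindowsPath(attempt.path) != PureWindowsPath(rule.path):  # case-insensitive
        reasons.append("wrong directory")
    if md5_hex(attempt.image) != rule.md5:
        reasons.append("unauthorized MD5 hash")
    return reasons

# Constructed sample data: stand-in bytes, not real svchost.exe or malware content.
GOOD_IMAGE = b"MZ constructed stand-in for the trusted svchost.exe image"
BOGUS_IMAGE = b"MZ constructed stand-in for a malware file named svchost.exe"
SYSTEM32 = r"C:\Windows\System32\svchost.exe"
RULE = build_rule(GOOD_IMAGE, SYSTEM32, ["192.168.1.0/24"])  # assumed LAN holding the PS3

LEGIT = Attempt(SYSTEM32, GOOD_IMAGE, "192.168.1.20")                   # streaming to the PS3
NETSKY_LIKE = Attempt(r"C:\Windows\Temp\svchost.exe", BOGUS_IMAGE, "203.0.113.7")
OVERWRITTEN = Attempt(SYSTEM32, BOGUS_IMAGE, "192.168.1.20")            # post 4's copy-over case

if __name__ == "__main__":
    for name, a in [("legit", LEGIT), ("netsky-like", NETSKY_LIKE), ("overwritten", OVERWRITTEN)]:
        print(name, check_attempt(RULE, a) or ["allowed"])
```

The third sample shows why the hash check matters: a file dropped over the trusted path with a trusted destination still trips the rule.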
     