Why is svchost trying to connect to the web?

Discussion in 'other security issues & news' started by qwerty12345, Sep 25, 2011.

Thread Status:
Not open for further replies.
  1. qwerty12345

    qwerty12345 Registered Member

    Joined:
    Nov 2, 2010
    Posts:
    32
    Hello, can anyone help me out?

    I have svchost blocked from accessing the internet in my firewall.

    Frequently, when browsing the web, IE8 will lock up for 30 seconds to 1 minute. If I check the firewall logs, I see that svchost is trying to make a connection (that is being blocked). Process explorer mentions DNSAPI.dll in the thread stack.

    Why is svchost trying to make connections (when the DNS Client service is disabled) and how do I stop it (considering that the webpage continues to load perfectly well after svchost is blocked)?

    Thank you.
     
  2. Cudni

    Cudni Global Moderator

    Joined:
    May 24, 2009
    Posts:
    6,956
    Location:
    Somethingshire
    "..
    dnsapi.dll is a module that contains functions used by the Windows DNS Client API
    .."
    maybe revise svchost rules (as in not block all access)
     
  3. qwerty12345

    qwerty12345 Registered Member

    Joined:
    Nov 2, 2010
    Posts:
    32
    Why? What is it doing?

    The start address for the TID shown in PE is ntdll.dll!RtlAllocateHeap (if that's relevant.)
     
  4. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    svchost (service host) is a wrapper for services. Many different services can use an instance of svchost.exe.

    You can use command prompt and the command: tasklist /svc which will display the PID of each process running, and the services involved. For example, you can see dhcp listed in one. Note the PID, then look at task manager to see which specific svchost process it is. I don't know if you can check for process instances with a firewall, at least I don't think you can. But it does give you an idea of what is using svchost, and then you may realize some of those services using svchost are obviously going to want to use the network.

    Sul.
     
  5. qwerty12345

    qwerty12345 Registered Member

    Joined:
    Nov 2, 2010
    Posts:
    32
    Hello Sully, thank you for your reply.

    I understand all of that. Also, the firewall does give the PID and the TID (hence I was able to mention them), but unfortunately there is no such thing as a "Service ID" that would narrow it down instantaneously. I was hoping someone here would know what was happening.

    Unfortunately, the instance of svchost that is trying to make the connections, is the one that contains almost everything. (There is one svchost for DCOM, one for RPC and another which contains everything else).

    Well, obviously not. I've had all sorts of problems with svchost in the past, and since deciding to block it in various firewalls, that has really stopped it from causing trouble. With the exception of this minor, occasional irritation, internet usage has been much smoother and faster.

    Can no-one even guess which service would be trying to access the internet in conjunction with Internet Explorer (knowing that DNS Client is not running)?

    Thank you.
     
  6. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    7,779
    I could be wrong, but I think all the DNS Client does is cache lookups so that svchost doesn't have to repeatedly look up the same address if it's already in the cache from a previous lookup. If you disable the DNS Client service, the cache is gone, but svchost will still do the DNS lookups, every time in fact, instead of using cached data.
     
  7. act8192

    act8192 Registered Member

    Joined:
    Nov 9, 2006
    Posts:
    1,273
    @qwerty12345,
    Tasklist might show what you want to know as it lists the services under each PID:
    tasklist /svc

    One of the variants of the tasklist command shows what's in every PID of svchost. For example, I have a process number 1436 for svchost. This command shows all DLLs involved:
    tasklist /fi "PID eq 1436" /M

    SVCHOST.EXE described by Microsoft:
    http://support.microsoft.com/kb/314056
    This KB is for XP-Pro.

    Except for time, the only time svchost here is allowed on the internet by my firewall is Windows Update. DNS client is off. Windows Explorer not hunting for files all over the internet.
     
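    Sully's and act8192's tasklist suggestions combined into one script, as an added example that is not code posted by anyone in this thread. It assumes Windows PowerShell 3.0 or later, Windows 8 / Server 2012 or later for Get-NetTCPConnection and Get-NetUDPEndpoint, and an elevated prompt so that the modules of a SYSTEM-owned svchost.exe can be read.

```powershell
# Added example (not from the thread): take the PID from a blocked-connection
# firewall log entry, list the services hosted by that svchost.exe instance,
# check whether dnsapi.dll is loaded in it, and show the endpoints it owns.
# Assumes Windows PowerShell 3.0+; Get-NetTCPConnection/Get-NetUDPEndpoint need
# Windows 8 / Server 2012 or later. Run elevated to read svchost modules.
param(
    [Parameter(Mandatory = $true)][int]$ProcessId   # PID from the firewall log
)

$proc = Get-Process -Id $ProcessId -ErrorAction Stop
if ($proc.ProcessName -ne 'svchost') {
    Write-Warning "PID $ProcessId is $($proc.ProcessName), not svchost.exe"
}

# 1. Which services live in this service host? Same data as `tasklist /svc`,
#    filtered to the one PID and including display name and start mode.
"Services hosted by PID ${ProcessId}:"
Get-CimInstance Win32_Service -Filter "ProcessId = $ProcessId" |
    Select-Object Name, DisplayName, State, StartMode |
    Format-Table -AutoSize

# 2. Is the DNS client API loaded here? Equivalent to
#    `tasklist /fi "PID eq <pid>" /M` restricted to dnsapi.dll.
$dnsapi = $proc.Modules | Where-Object { $_.ModuleName -ieq 'dnsapi.dll' }
if ($dnsapi) {
    "dnsapi.dll is loaded from $($dnsapi.FileName)"
} else {
    "dnsapi.dll is not loaded in this process"
}

# 3. What is it talking to right now? Remote address, port and state can be
#    matched against the firewall log: UDP/TCP 53 is a DNS lookup, 80/443 to a
#    CDN or OCSP responder is the Windows Update / certificate traffic
#    discussed above.
"TCP connections owned by PID ${ProcessId}:"
Get-NetTCPConnection -OwningProcess $ProcessId -ErrorAction SilentlyContinue |
    Select-Object LocalPort, RemoteAddress, RemotePort, State |
    Format-Table -AutoSize
"UDP endpoints owned by PID ${ProcessId}:"
Get-NetUDPEndpoint -OwningProcess $ProcessId -ErrorAction SilentlyContinue |
    Select-Object LocalAddress, LocalPort |
    Format-Table -AutoSize
```

Save it as a .ps1 and call it with the PID shown in the blocked entry; an empty connection list simply means the attempt was blocked before a socket was established.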
  8. Greg S

    Greg S Registered Member

    Joined:
    Mar 1, 2009
    Posts:
    1,039
    Location:
    A l a b a m a
    Where does the blocked log say that svchost.exe is trying to connect to? Checking the address might shed some light on it. I more than imagine that it is Akamaitechnologies, RSA-Security, Ocsp.digicert, Ocsp.entrust etc... I've found that in Win 7, WinUpdates has to have connection to some of these svchost checks or the only way I can get an update is disable the firewall or allow the connections. I think it also depends on how updates are set as to which svchost connections need allowed. On auto, the 65.52.0.0/14 is probably enough but download and let me choose or don't download but notify needs more than that.
     
  9. act8192

    act8192 Registered Member

    Joined:
    Nov 9, 2006
    Posts:
    1,273
    are you sure?
    In my firewall (Kerio and Sunbelt and Outpost) applications do DNS lookups. Svchost never does. Not a trace of it in TCPview or any other place.
     
  10. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    7,779
    No, I am not sure at all, just trying to remember things to the best of my recollection... it's been a while now. It seems to me that if you block svchost in Kerio rules, then the apps themselves will do the DNS calls. But if you create a rule higher up allowing svchost on port 53 etc, then I think svchost will do them.

    Again, maybe I'm off on all this. That's how I remember it working.... Please excuse if I am wrong....

    Edit: If I had XP and Kerio, I could test it out for you and know for sure, but I'm on Win 7 with a router now.
     
    Last edited: Nov 14, 2011
  11. wat0114

    wat0114 Guest

    AFAIK, DNS service has to be disabled before applications will do the dns lookups. It's the most practical way to do things anyway, especially if one doesn't want DNS service involved, and also because now the chance of the DNS service being exploited by malware is eliminated.
     
  12. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    7,779
    Hi wat0114. You and act8192 are probably right. It's been 5 or 6 years since I ran Kerio and was familiar with all these details.
     
  13. act8192

    act8192 Registered Member

    Joined:
    Nov 9, 2006
    Posts:
    1,273
    That's right.
    All depends on how you make your rules. Each application can have DNS rules or a global DNS rule for all in which case, I suppose svchost can do it or the applications.

    Also depends on where you put the global DNS rule. In Kerio or Sunbelt, for instance, if the DNS rule is after svchost blocks, then the apps have to do it. If above, then I suppose svchost will when it wants to.

    Hey, I've learned that from you, Herbalist, and a few other experts here ages ago; time to dust off the old principles :)
     
  14. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    Hi wat0114,

    When I started using Kerio years ago, I played around with this -- it was talked a lot about then, and was a bit fun!

    But I grew bored of micro-managing things, and went back to the default way!


    Can you cite an example of how this could affect me?

    Thanks.

    ----
    rich
     
  15. wat0114

    wat0114 Guest

    Hah! I wish I could, but I don't want to Google for it :D It's something I've seen so often in this and some other forums, so I've taken it as gospel, maybe wrongly, but that's how I've taken it. The way I see it, every service one can disable is a little less of an attack surface for malware to exploit ;)
     
  16. Greg S

    Greg S Registered Member

    Joined:
    Mar 1, 2009
    Posts:
    1,039
    Location:
    A l a b a m a
    I'm guessing the service in question is more vulnerable to attack than say the application doing the lookup?
     
  17. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    7,779
    Yep, I'd definitely need to do that. Up until a few months ago, I would have been tempted to set up XP and check things out, but my motherboard on the desktop failed, leaving me with just the laptop now, with Win 7, and not much inclination to experiment. Those were the days anyway. Pretty fun stuff. :)
     
  18. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    That's OK, I don't want to put you on the spot!

    I assume you are referring to the DNSchanger malware. It has been seen on many forums, but usually the discussion focusses on what the malware does after it's installed, and the scenarios are scary indeed: infecting the MBR, hiding as a rootkit, then changing the DNS service, etc, etc.

    But looking closely, it's revealed that the malware is a trojan, and installs by the same tried and true methods:


    The full story of the DNSChanger Trojan
    http://www.cert-ist.com/eng/ressour...lesBulletins/VersVirusetAntivirus/DNSChanger/
    Nothing much has changed, even with DNSchanger being bundled with the TDSS trojan:

    TDSS Rootkit and DNSchanger: An Unholy Alliance
    November 14, 2011
    http://threatpost.com/en_us/blogs/tdss-rootkit-and-dnschanger-unholy-alliance-111411
    Indestructible TDSS botnet is spotted
    http://www.theinquirer.net/inquirer/news/2083193/indestructible-tdss-botnet-spotted
    In 2007, an exploit targeting the Mac OS was discovered, and a year later, it began to proliferate:

    DNS changer Trojan for Mac (!) in the wild
    Published: 2007-11-01
    http://isc.sans.org/diary.html?storyid=3595

    Readers can decide for themselves what precautions are necessary, according to one's system's needs.


    ----
    rich
     
  19. wat0114

    wat0114 Guest

    Rmus, you're right. I often lose sight of the fact that malware has to first install before it can carry out its payload mechanisms, so disabling a service or other system process is probably not necessary to avoid the attack vectors of a given malware, as long as one takes the basic necessary steps to stop it from gaining a foothold in the first place.
     
  20. Dude111

    Dude111 Registered Member

    Joined:
    Sep 30, 2008
    Posts:
    212
    Sounds like more UN-NEEDED things using resources for no reason, huh??

    Like WMIEXE.EXE on my win98se here... That file is NOT NEEDED FOR PERSONAL SETUPS.... I would like to remove it as it's using resources FOR NO REASON but I don't know how to COMPLETELY REMOVE IT.... (Just deleting the file would produce an error @ bootup I reckon, telling me the file can't be found)

    I don't know what is calling this file, it's not in my startup folder or anything (run services, etc)

    Not a big deal but it would be nice to be able to remove it.....


    I started wondering the other day what this file was, as when I had task manager open, I accidentally ended task on that file and everything was still working fine.... Then I looked up what that file was for, etc......
     