worm variant infection

Discussion in 'malware problems & news' started by AcidHorse, Jun 10, 2004.

Thread Status:
Not open for further replies.
  1. AcidHorse

    AcidHorse Registered Member

    Joined:
    Jun 10, 2004
    Posts:
    7
    I won't post any logs of any kind. However, I will if asked. However, I do know my stuff and they are clean. Even with the most recent updates for Ad-aware, Spybot S&D, McAfee, and Norton, I have found nothing.
    Yet something buried in the services is trying to connect to a nameserver which is not one of the 2 that my internet service provider gave to me to put in the primary and secondary locations in the connection properties.
    The problem is mainly with the 3 or 4 instances of svchost.exe: firewalls can't tell you which particular service module is wanting outbound access, that is, which svchost instance and the enumerated service, i.e. DNS Client.
    So basically I have a programming question.
    I have found code for enumerating the services and listing the modules associated with the services, however I am not sure if I can use that information at the moment the svchost instance tries to connect to this foreign nameserver. I am also looking at code for a TDI firewall and determining how to implement a method of detection of the process and the associated module.

    I believe it most likely isn't spyware or adware but a rogue variant of a worm.
    There is the possibility it has attached itself to the tail end of a DLL and set it up as an overlay, or it could be a DLL that has set up an API hook to catch any attempt to resolve any address and then use their (or the one written in the bad code) DNS nameserver.
    So with what I have to say does anybody have any ideas?

    BTW I'm on XP Pro
     
  2. controler

    controler Guest

    Have you tried Bitguard firewall yet? It works at the kernel level.
    I would think Process Guard would stop it also.

    controler
     
  3. AcidHorse

    AcidHorse Registered Member

    Joined:
    Jun 10, 2004
    Posts:
    7
    Hmmm, I don't know the details on Bitguard firewall yet, but as for working at the kernel level, wouldn't that be no different than a device driver TDI firewall, which I currently have and have the source code to? As for Process Guard, I've got it, but as for its effectiveness, it hasn't caught any info on this outbound svchost process. This may be because the TDI firewall I have installed in there is catching everything; it's even catching it before Zone Alarm, which should give you a good idea how low level it is. But I may have too much in here already. So since the TDI firewall is catching it, this is good, yet I need to know an effective coding strategy with, say, maybe enumerating the services, determining the process ID and the modules associated with the process, and then logging that info. Yet this would have to have the info on the module that was responsible for the suspicious activity.
     
    Last edited: Jun 11, 2004
  4. AcidHorse

    AcidHorse Registered Member

    Joined:
    Jun 10, 2004
    Posts:
    7
    I just checked out the info on Bitguard firewall and it's no different than what I've got in here, i.e. a TDI firewall. However, I need to find a picture of what process information it displays.

    I also just checked Tucows and they rate Bitguard 4 stars, and Sygate and ZoneAlarm are 5 stars.
     
    Last edited: Jun 11, 2004
  5. AcidHorse

    AcidHorse Registered Member

    Joined:
    Jun 10, 2004
    Posts:
    7
    06/12/2004 01:42:16 216.68.4.10 53 10.141.92.82 3773 Outgoing Allowed C:\WINDOWS\system32\svchost.exe
    06/12/2004 01:42:16 216.68.4.10 53 10.141.92.82 3773 Incoming Allowed C:\WINDOWS\system32\svchost.exe
    06/12/2004 01:42:16 dns1.pixelgate.net [66.254.66.99] 53 10.141.92.82 3775 Outgoing Blocked C:\WINDOWS\system32\svchost.exe
    06/12/2004 01:42:21 dns1.pixelgate.net [66.254.66.99] 53 10.141.92.82 3775 Outgoing Blocked C:\WINDOWS\system32\svchost.exe

    This is what I got in Sygate firewall; dns1.pixelgate.net is the unknown nameserver, and it just says svchost but doesn't give a PID.
    I think it is monitoring DNS resolutions done by the authentic call and then makes its own call to send to its dns1.pixelgate.net.
     
  6. AcidHorse

    AcidHorse Registered Member

    Joined:
    Jun 10, 2004
    Posts:
    7
    I've disabled DHCP Client in the Services and it has stopped this activity altogether; however, I have no idea what it is. I have another installation of Windows XP where DHCP Client is active, yet nothing like this happens, so maybe this is still just some crap left behind in the registry by some spyware, or maybe a spyware DLL itself, or a worm.
     
  7. AcidHorse

    AcidHorse Registered Member

    Joined:
    Jun 10, 2004
    Posts:
    7
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\DNSRegisteredAdapters\{*}]
    OK everyone, if you have made it to this registry location for your default interface, I need you to check and see if you have a key in there for
    SentPriUpdateToIp
    This is what I had, and it was a DWORD value of 6342fe42.
    I'm not sure what SentPriUpdateToIp is for, but I have searched the internet for it and nothing comes up. This is really bad.
    However, I did a diskedit and found every occurrence of 42 FE 42 63 and zeroed it out. Now those responsible will have to look elsewhere for a freebie. These people are the lowest forms of life.
     
    Last edited: Jun 14, 2004
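    As an added triage example (not code from the thread or from any of the products named in it), the script below does two things the posts above do by hand: it parses the Sygate log lines from post 5 and groups port-53 traffic by destination, flagging any resolver that is not in a configured allow list, and it decodes the SentPriUpdateToIp DWORD from post 7. The allow list (EXPECTED_RESOLVERS) is a placeholder assumption, since the thread never names the ISP's resolvers; the log lines are copied from the thread. Note what the decode shows: the DWORD 6342fe42 is stored on disk as the bytes 42 FE 42 63, which read in order are 66.254.66.99, exactly the address of dns1.pixelgate.net in the Sygate log. On Windows XP the DHCP Client service is the component that sends dynamic DNS update registrations, which is consistent with the traffic stopping when that service was disabled, so a check like this is worth running before zeroing bytes on disk.

```python
"""Triage helper: flag DNS traffic to unexpected resolvers in a Sygate-style
firewall log and decode a registry REG_DWORD to a dotted-quad IPv4 address.
Constructed example: the log lines are those posted in the thread; the
expected-resolver list is a placeholder assumption."""
import re
import struct
from dataclasses import dataclass
from typing import Optional

# Constructed sample: the four Sygate lines from post 5 of the thread.
SAMPLE_LOG = """\
06/12/2004 01:42:16 216.68.4.10 53 10.141.92.82 3773 Outgoing Allowed C:\\WINDOWS\\system32\\svchost.exe
06/12/2004 01:42:16 216.68.4.10 53 10.141.92.82 3773 Incoming Allowed C:\\WINDOWS\\system32\\svchost.exe
06/12/2004 01:42:16 dns1.pixelgate.net [66.254.66.99] 53 10.141.92.82 3775 Outgoing Blocked C:\\WINDOWS\\system32\\svchost.exe
06/12/2004 01:42:21 dns1.pixelgate.net [66.254.66.99] 53 10.141.92.82 3775 Outgoing Blocked C:\\WINDOWS\\system32\\svchost.exe
"""

# Placeholder (assumption): the resolvers the ISP handed out for this host.
EXPECTED_RESOLVERS = {"216.68.4.10"}

# Sygate prints either a bare IP or "hostname [ip]" for the remote side.
LINE_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) "
    r"(?:(?P<rhost>\S+) \[(?P<rip>[\d.]+)\]|(?P<rip2>[\d.]+)) (?P<rport>\d+) "
    r"(?P<lip>[\d.]+) (?P<lport>\d+) (?P<dir>\w+) (?P<action>\w+) (?P<exe>.+)$"
)


@dataclass(frozen=True)
class Event:
    timestamp: str
    remote_host: Optional[str]
    remote_ip: str
    remote_port: int
    direction: str
    action: str
    image: str


def parse_sygate_line(line: str) -> Optional[Event]:
    """Parse one log line; return None for lines that do not match the layout."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return Event(
        timestamp=f"{m['date']} {m['time']}",
        remote_host=m["rhost"],
        remote_ip=m["rip"] or m["rip2"],
        remote_port=int(m["rport"]),
        direction=m["dir"],
        action=m["action"],
        image=m["exe"],
    )


def unexpected_dns_servers(log_text: str, expected: set) -> dict:
    """Group port-53 events by remote address, keeping only addresses not in `expected`."""
    found = {}
    for line in log_text.splitlines():
        ev = parse_sygate_line(line)
        if ev is None or ev.remote_port != 53 or ev.remote_ip in expected:
            continue
        found.setdefault(ev.remote_ip, []).append(ev)
    return found


def dword_to_ipv4(value: int) -> str:
    """Interpret a REG_DWORD as an IPv4 address stored in network byte order.
    Registry editors display the DWORD as a big-endian number (0x6342fe42), but the
    bytes on disk are little-endian (42 FE 42 63); reading those in order gives 66.254.66.99."""
    raw = struct.pack("<I", value)  # the four bytes exactly as they sit on disk
    return ".".join(str(b) for b in raw)


def registry_value_matches(value: int, suspects: set) -> Optional[str]:
    """Return the decoded address if it is one of the flagged DNS servers, else None."""
    ip = dword_to_ipv4(value)
    return ip if ip in suspects else None


if __name__ == "__main__":
    suspects = unexpected_dns_servers(SAMPLE_LOG, EXPECTED_RESOLVERS)
    for ip, events in suspects.items():
        hosts = sorted({e.remote_host for e in events if e.remote_host})
        print(f"{ip} ({', '.join(hosts) or 'no name'}): {len(events)} events, "
              f"actions={sorted({e.action for e in events})}")
    decoded = dword_to_ipv4(0x6342FE42)
    print("SentPriUpdateToIp 0x6342fe42 ->", decoded,
          "(matches flagged server)" if registry_value_matches(0x6342FE42, set(suspects)) else "")
```

    Running it prints the one flagged resolver, 66.254.66.99 (dns1.pixelgate.net), with its two blocked outgoing events, and then shows that the registry DWORD decodes to that same address; the comparison is the point, since it ties the registry artifact to the logged traffic without touching the disk.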
  8. controler

    controler Guest

    Hello Acid Horse

    Yes, you are correct. Just like Bitguard, your firewall has installed a hardware driver which you can see in your networking panel.
    However, there were some problems with Process Guard and Bitguard. It seemed if Bitguard was installed before Process Guard they fought.
    It is never a good idea to have more than one program operating in kernel mode; it causes instability. I am also guessing you have tried the trial of TDS-3?

    controler
     
  9. AcidHorse

    AcidHorse Registered Member

    Joined:
    Jun 10, 2004
    Posts:
    7
    Yeah, I've looked at it, but from my standpoint all that kind of stuff is unnecessary. I really need to find a disk search tool like DiskSearch Pro, a serious tool that forensic techs use. I want to find out what this key SentPriUpdateToIp is used for. Ad-aware and Spybot S&D need to really update their **** if you know what I mean.
    Yeah, I've been searching the net for a disk editor that can show the files associated to a currently viewed sector, but none do this, obviously because they are all crap.
     
    Last edited: Jun 15, 2004