I recently found that our corporate network bandwidth had skyrocketed overnight to upwards of 100 meg on the WAN connection. I tracked it down to one computer, which had four svchost.exe processes pegging each core, and network was around 3-6% of the gigabit connection nonstop. Unplugging this from our network caused the CPU to go to 1% and networking to go to 0% on the computer, and normal range on the network.
The svchost file had probably 50 TCP connections to random IP addresses around the world, many in Eastern Europe, with Russia being the most common.
I tried the following tools, none of which flagged the svchost.exe file (which ended up being located in the Windows\SysWOW64 folder, not System32 as normal).
I also used Svchost Viewer and Process Explorer (they didn't show up in Svchost Viewer).
I have saved a copy of the svchost file that caused this headache, and if you guys would like, I can attach it... I don't know if attaching the file would be a good idea, so I will wait until further instructions.
While running a packet capture, I have concluded (the packets are confusing and possibly encrypted) that the goal of this infection was, I think, clicking ads for money?
My goal with this post is to possibly help in the development of tools to flag this infection.
Edited by timwrich, 07 March 2014 - 12:20 PM.
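Added example, not from the original post or any tool it mentions: a PowerShell check for the signals described above (an svchost.exe running from somewhere other than System32, hosting no Windows services, and holding many established TCP connections). It assumes Windows 8 / Server 2012 or later for Get-NetTCPConnection, an elevated session, and a connection threshold of 20 that is an assumed value, not one taken from the post.

```powershell
# Added example: triage svchost.exe instances on a Windows host.
# Assumptions: elevated session (ExecutablePath is hidden for some processes otherwise),
# Windows 8 / Server 2012 or later (Get-NetTCPConnection), threshold of 20 is a guess.
$expected  = Join-Path $env:SystemRoot 'System32\svchost.exe'
$threshold = 20   # assumed: more established TCP connections than this is worth a look

# Established TCP connections, grouped by owning process id (hashtable keyed by string PID)
$connsByPid = Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue |
    Group-Object -Property OwningProcess -AsHashTable -AsString

Get-CimInstance Win32_Process -Filter "Name = 'svchost.exe'" | ForEach-Object {
    $p = $_
    # A legitimate 32-bit copy of svchost.exe exists in SysWOW64, but Windows services
    # normally run from System32, so any other path is a prompt to inspect, not proof.
    $pathOk = ($null -ne $p.ExecutablePath) -and ($p.ExecutablePath -ieq $expected)

    $conns = @()
    if ($connsByPid -and $connsByPid.ContainsKey([string]$p.ProcessId)) {
        $conns = @($connsByPid[[string]$p.ProcessId])
    }
    $remotes = @($conns | Select-Object -ExpandProperty RemoteAddress -Unique)

    # Services hosted by this instance; a genuine svchost.exe normally hosts at least one
    $svcs = @(Get-CimInstance Win32_Service -Filter "ProcessId = $($p.ProcessId)" |
              Select-Object -ExpandProperty Name)

    $suspicious = (-not $pathOk) -or ($conns.Count -gt $threshold) -or ($svcs.Count -eq 0)

    [pscustomobject]@{
        PID            = $p.ProcessId
        Path           = $p.ExecutablePath
        PathOK         = $pathOk
        Services       = ($svcs -join ',')
        EstablishedTCP = $conns.Count
        UniqueRemotes  = $remotes.Count
        Suspicious     = $suspicious
    }
} | Sort-Object Suspicious -Descending | Format-Table -AutoSize
```

Rows marked Suspicious are candidates for the kind of follow-up the post describes (checking the file on disk and its connections), not an automatic verdict.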