How easy is it to mask a trojan as a svchost.exe or similar?


6 replies to this topic

#1 Silver_fang
Posted 11 November 2015 - 01:50 AM

Hello, I've been thinking a lot lately about this...

How easy is it for a hacker to name his .exe e.g. svchost.exe? Could there be two svchost.exe in the same folder? Or could a hacker edit the svchost.exe to do what it's supposed to do but also add his malicious code additionally and let it work for him?

Recently I got some svchost.exe popups from my firewall; this time it was when I was viewing my private pictures and video clips... So I found it weird.

Could someone help me out with this?

What services exactly are allowed to use svchost.exe, and would it be easy for a hacker to delete it and replace it with his own version of svchost.exe?

 

 

Thanks in advance.




#2 Nikhil_CV
Posted 11 November 2015 - 02:37 AM

Hi,
Here are a few links which explain what svchost is and its purposes:

Okay, now to address a few concerns:

How easy is it for a hacker to name his .exe e.g. svchost.exe?

Just as he creates a new malicious file / executable. The skill lies in how the hacker/malware writer can hide that file from easy detection by the user or his tools.

Could there be two svchost.exe in the same folder?

No, it's an OS restriction to have only a single file with a given name or its slight modifications (svchost.exe, SVCHOST.exe etc.).
But the malware writer can do something tricky to human eyes like scvhost.exe, svchst.exe etc., or create a fake folder similar to the original path.

Could a hacker edit the svchost.exe to do what it's supposed to do but also add his malicious code additionally and let it work for him?

Since a lot of Windows DLLs and functions depend on svchost.exe for working, improper tampering can make the target machine behave unexpectedly, throwing errors. That will make the user suspicious.
DLL injection or its variations can be an option.

Recently I got some svchost.exe popups from my firewall; this time it was when I was viewing my private pictures and video clips... So I found it weird.
Could someone help me out with this?

If you're suspecting an infection, please use the Am I infected? What do I do? or Virus, Trojan, Spyware, and Malware Removal Logs

Would it be easy for a hacker to delete it and replace it with his own version of svchost.exe?

It may be possible, but there are better ways.


Edited by Nikhil_CV, 11 November 2015 - 02:47 AM.

Regards : CV
There is no ONE TOUCH key to security! Be alert and vigilant....! Always have a Backup Plan!!! Because human idiotism doesn't have a cure! Stop highlighting!
Questions are to be asked, it helps you, me and others. Knowledge is power, only when it's shared to others. :radioactive: signature contents © cv and Someone....... :wink:
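Added example, not code from the thread or from BleepingComputer: a small Python check for the three svchost masquerades the reply above describes (a lookalike file name, the real name in the wrong folder, and a folder that mimics the real one). The list of legitimate folders is an assumption for a default Windows install.

```python
# Added example (not from the thread): defender-side heuristics for spotting a
# process image that masquerades as svchost.exe.
import ntpath

LEGIT_NAME = "svchost.exe"
# Assumed legitimate locations on a default Windows install (native and WOW64).
LEGIT_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")

def edit_distance(a, b):
    """Levenshtein distance: how many single-character edits turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(full_path):
    """Return (verdict, reason) for one process image path."""
    directory, name = ntpath.split(full_path)
    # Windows file names are case-insensitive, so SVCHOST.exe and svchost.exe are
    # the same file in a folder; compare everything lower-cased.
    name = name.lower()
    directory = ntpath.normpath(directory).lower()
    if name == LEGIT_NAME:
        if directory in LEGIT_DIRS:
            return "legit", "expected name in an expected folder"
        # A folder within two edits of a system folder (e.g. "System 32") is the
        # fake-folder trick mentioned in the reply above.
        if min(edit_distance(directory, d) for d in LEGIT_DIRS) <= 2:
            return "wrong_path", f"folder mimics a system folder: {directory!r}"
        return "wrong_path", f"real name outside system folders: {directory!r}"
    if edit_distance(name, LEGIT_NAME) <= 2:   # scvhost.exe, svchst.exe, svch0st.exe
        return "lookalike", f"{name!r} is within 2 edits of {LEGIT_NAME!r}"
    return "unrelated", "not an svchost name"

if __name__ == "__main__":
    # Constructed sample paths; only the first is how a real svchost.exe appears.
    for p in (r"C:\Windows\System32\svchost.exe", r"C:\Windows\System 32\svchost.exe",
              r"C:\Users\bob\AppData\Roaming\svchost.exe", r"C:\Windows\System32\scvhost.exe"):
        print(p, "->", classify(p))
```

Feeding it the image paths from a process listing (for example the output of a task list with full paths) flags the entries worth a second look; it does not prove a hit is malicious.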

#3 Silver_fang
Posted 11 November 2015 - 05:11 AM

Thank you for your reply!

Really appreciate it.

 

A question though, what could have caused the svchost to act like it did while I was using picture files or video files?

Let's say it's not a virus or any kind of it, what could have caused it?

Is the svchost sending out data without the user knowing it? To e.g. Microsoft, even if I have tried to disable all Microsoft automatic data transmission?



#4 Nikhil_CV
Posted 11 November 2015 - 05:31 AM

 

What could have caused the svchost to act like it did while I was using picture files or video files?

Is the svchost sending out data without the user knowing it?

It depends on the image/video program as well as the threat status of your machine. Usually it shouldn't happen. That's why I gave you the redirection.

Do you have the exact message, probably a screen capture?

What could have caused it?

You can view the services hosted by svchost.exe by following the tutorial: http://www.bleepingcomputer.com/tutorials/list-services-running-under-svchostexe-process/ (Try out any method suitable for you)

Microsoft, even if I have tried to disable all Microsoft automatic data transmission?

As said, a lot of services require svchost (network, Windows Update etc.). So turning off all will create problems, as is the case with filtering svchost via firewall.



#5 Silver_fang
Posted 11 November 2015 - 05:43 AM

The firewall log says this ->

2015-11-11 11:38:44  C:\Windows\System32\svchost.exe  Blocked  In  UDP  70.173.250.211  26215  192.168.1.xxx 57150

I will take a look at the services that use svchost...

When I do a whois IP lookup on the IP it says

"

Cox Communications Inc. NETBLK-COX-ATLANTA-10 (NET-70-160-0-0-1) 70.160.0.0 - 70.191.255.255
Cox Communications NETBLK-LV-RDC-70-173-128-0 (NET-70-173-128-0-1) 70.173.128.0 - 70.173.255.255
"

I have no idea what this is.

ADD:

I also found these;

2015-11-11 11:39:11  C:\Windows\System32\svchost.exe  Blocked  In  UDP  175.107.209.172  59412  192.168.1.xxx 57150
2015-11-11 11:39:49  C:\Windows\System32\svchost.exe  Blocked  In  UDP  94.173.149.175  59454  192.168.1.xxx 57150

These however could have been triggered by uTorrent when active, I'm not sure. But I'm pretty sure of it.


Edited by Silver_fang, 11 November 2015 - 05:48 AM.


#6 Nikhil_CV
Posted 11 November 2015 - 06:54 AM

Search for 175.107.209.172

 

Search for 94.173.149.175 http://whois.domaintools.com/94.173.149.175 (ISP)

 

Both have destination ports that are random non-registered ports, i.e., ports greater than the well-known port range. So it's probably a remote session, a torrent URL or an ad-service server.


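Added example, not code from the thread or from BleepingComputer: a parser for firewall lines in the format quoted in this thread, applying the port-range reasoning of this reply. The three sample lines are the entries the poster quoted (local address masked as the poster masked it); the IANA range boundaries are the only other input.

```python
import re
from collections import defaultdict

# Constructed sample: the three blocked entries quoted in the thread, with the
# local address masked exactly as the poster masked it.
SAMPLE_LOG = r"""
2015-11-11 11:38:44  C:\Windows\System32\svchost.exe  Blocked  In  UDP  70.173.250.211  26215  192.168.1.xxx 57150
2015-11-11 11:39:11  C:\Windows\System32\svchost.exe  Blocked  In  UDP  175.107.209.172  59412  192.168.1.xxx 57150
2015-11-11 11:39:49  C:\Windows\System32\svchost.exe  Blocked  In  UDP  94.173.149.175  59454  192.168.1.xxx 57150
"""

# timestamp  image  action  direction  proto  remote-ip  remote-port  local-ip  local-port
LINE_RE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\s+(.+?\.exe)\s+(\w+)\s+(In|Out)\s+"
                     r"(TCP|UDP)\s+(\S+)\s+(\d+)\s+(\S+)\s+(\d+)$", re.IGNORECASE)

def port_class(port):
    """IANA ranges: 0-1023 well-known, 1024-49151 registered, 49152-65535 dynamic."""
    if port < 1024:
        return "well-known"
    return "registered" if port <= 49151 else "dynamic"

def parse(text):
    """One dict per recognised line; blank or unrecognised lines are skipped, not guessed."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, image, action, direction, proto, rip, rport, lip, lport = m.groups()
            events.append({"ts": ts, "image": image, "action": action, "dir": direction,
                           "proto": proto, "remote": rip, "rport": int(rport),
                           "local": lip, "lport": int(lport)})
    return events

def inbound_by_local_port(events):
    """Map (proto, local port) -> sorted distinct remote peers, inbound entries only."""
    peers = defaultdict(set)
    for e in events:
        if e["dir"].lower() == "in":
            peers[(e["proto"], e["lport"])].add(e["remote"])
    return {k: sorted(v) for k, v in peers.items()}

def findings(events):
    """Several unrelated peers hitting one high local port is the pattern of a P2P
    listener (the torrent client mentioned in the thread), not of a named service."""
    out = []
    for (proto, lport), remotes in inbound_by_local_port(events).items():
        if len(remotes) >= 2 and port_class(lport) != "well-known":
            out.append(f"{len(remotes)} distinct peers sent unsolicited {proto} to local port "
                       f"{lport} ({port_class(lport)} range): {', '.join(remotes)}")
    return out
```

Run over the three quoted lines, the grouping shows that the first entry (the one the poster was unsure about) shares the same local UDP port 57150 with the two entries attributed to uTorrent, so it fits the same pattern rather than standing apart.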

#7 Silver_fang
Posted 11 November 2015 - 06:05 PM

Search for 175.107.209.172

 

Search for 94.173.149.175 http://whois.domaintools.com/94.173.149.175 (ISP)

 

Both have destination ports that are random non-registered ports, i.e., ports greater than the well-known port range. So it's probably a remote session, a torrent URL or an ad-service server.

As I said, I'm quite sure about those two, but how about the first one that I'm suspicious about?


Edited by Silver_fang, 11 November 2015 - 06:34 PM.
