Topic: Svchost.exe and email exploit troubles... [Closed] (page 2 of 5)
Gaming4JC
Comodo Family Member
« Reply #15 on: May 21, 2008, 05:52:18 PM »

Hello Again,
I'm pretty sure I got the rules set correctly now. Here's what they look like, let me know if I mistyped something since I got a little confused somewhere in the middle.
Rules:

Port Sets:

Funny it came out of Las Vegas, maybe they are gambling the money? lol...

About avast, sorry I thought I mentioned. I have uninstalled AVG and installed avast now. That's what caught those 2 win32 things I mentioned in a previous post. Here's an updated log file if you need it: http://rapidshare.com/files/116639038/hijackthis.log.html
You can also notice svchost is running on this log. It's only on port 53 and pointing at my ISP atm (at the moment)...

Lastly, I have IRC and Instant Messengers via Pidgin if you wanted to live chat. It might make this a little easier and quicker if we were both on at the same time. If you want just PM me.

*Update* I see you just posted. Doing that on Defense+ now.
grue155
Global Moderator
Comodo's Hero
« Reply #16 on: May 21, 2008, 07:52:20 PM »

Now that you remind me about avast and avg, I remember your earlier posting. Sorry about my mixup on that.

Your Global Rules are almost correct. A couple of entries need to be rephrased, the rule order shuffled around a little, and one rule can be deleted. And I'll try to match the wording that CFP uses to maybe minimize any confusion (which is what happens when I work with several different systems and products, each with a different syntax and terminology).

So the revised rules

1.  block TCP in/out   from IP Any   to IP Any  where sourceport is any  and destport is 25

(the DNS rules)

2. allow       TCP/UDP  out from IP Any   to In[DNS servers]   where sourceport is any and destport is 53
3. block&log TCP/UDP  out from IP Any   to IP Any               where sourceport is any and destport is 53

4. allow       TCP/UDP in   from In[DNS servers]   to IP Any   where sourceport is 53 and destport is any
5. block&log TCP/UDP in   from IP Any              to IP Any     where sourceport is 53 and destport is any

6. allow ICMP in   from In[DNS servers]  to IP Any where ICMP message is any

(the web rules - this absorbs one old rule about port 443)

7. allow       TCP out from IP Any  to In[legit sites] where sourceport is any and destport In[HTTP Ports]
8. block&log TCP out from IP Any  to IP Any          where sourceport is any and destport In[HTTP Ports]


Sorry for the crazy spacing, I'm trying to get things to line up, so it's easier to see what the rules are doing.

In your HTTP Ports set, make sure you have only port 80 and port 443 in the set. You don't want port 8080 in that set, per my PM.

Gaming4JC
Comodo Family Member
« Reply #17 on: May 21, 2008, 08:17:35 PM »

Very interesting on the last PM you sent about a proxy. I have on only one occasion used that proxy via FoxyProxy plugin for Firefox in order to test it. However, this plugin has been turned off for over a month.
As for the Rules I think I fixed them all now:
http://xs227.xs.to/xs227/08214/new_global_rules356.jpg

grue155
Global Moderator
Comodo's Hero
« Reply #18 on: May 21, 2008, 08:43:44 PM »

The rules look good. Malware being what it is, it'll try to find a way around the blocks. The CFP logs will help some in identifying where some of the C&C hosts are, and I'm sure there will be a lot of them. I've heard reports of rotating lists of a hundred or more, which is why blocking just one at a time doesn't work.

If you're able to get out on the web more or less normally, then we're getting to the point of being able to do some cleanup. If you want to get a jump on things, eyeball the sticky topic at the top of this forum page titled "Free Spyware/Malware Cleaning". If you follow the links, it will set you up with a chat session on liveperson.net with a tech (not me, but someone else) who gets to do the heavy lifting. If you can't get the session to work, then I'll work with you to get things back to a working state. You'll need to add liveperson.net and its various hosts to the CFP zone "legit sites".

Since I'm coming up on the end of my day, we'll have to pick this up tomorrow, probably after 1800 GMT. If you're game, you can try the chat service in the sticky topic just to see what works and what doesn't.
Gaming4JC
Comodo Family Member
« Reply #19 on: May 21, 2008, 08:51:37 PM »

Ok, it's getting close to the end of my day too. I'll try and use that live chat thing though. And thanks for all the help you've been so far.
Gaming4JC
Comodo Family Member
« Reply #20 on: May 22, 2008, 08:41:08 PM »

ooookkkk... well I talked to a guy on the live support and he told me I already did more than he would have told me to do and that I need to reformat my Hard Drive. After I told him I'd like to catch this thing to send to Comodo labs and fix it he told me I should email support[at]comod.com providing lots of information, and I did so only to find out I needed to register and they rejected my first email. I will try and register tonight and "re-write" the whole email...

On other information perhaps you can check my Global Rules in my post above? Something seems to be blocking me so I have for a short time disabled the firewall to reach this site (unsafe I know).
grue155
Global Moderator
Comodo's Hero
« Reply #21 on: May 22, 2008, 09:28:48 PM »

Got your PM, and did a quick read over it. Kind of disappointing, as there is a bunch more stuff that can be done. I follow several of the malware cleanup forums (castlecops.com is one), and I've seen some fantastic cleanups done. At worst, I may have to refer you off to one of those if we get past my skills.

Unless you've changed the Global Rules from your post yesterday, your rules are good. It could be that the malware is trying to block you. Check your hosts file (c:\windows\system32\drivers\etc\hosts) to see if there is any override addressing in place. Most folks have this as an empty file. Some security programs will populate it, and often malware will also, to block security downloads. Then flush your DNS lookup cache with the command line "ipconfig /flushdns" (there's also a /displaydns, if you want to see what's in the cache; use /? to see all ipconfig options).

Don't know if this is relevant, but check for typos too. Your post had comod.com, rather than comodo.com.

It might be a good idea to run Wireshark, and just watch traffic. It could be that something has gotten into the stack, and is redirecting all traffic thru a proxy (again? or not). If the addresses are all the same, then there's something funny going on.

You said that you're on a dialup line. An internal modem or an external? There might be some cheap hardware that could be useful to have on hand (like an old USR8001 router that will work with an external serial modem).
Or, do you have another PC available or borrowable?
Gaming4JC
Comodo Family Member
« Reply #22 on: May 22, 2008, 09:52:35 PM »

Hello Again,
Here's my host file:
Quote
# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
#      102.54.94.97     rhino.acme.com          # source server
#       38.25.63.10     x.acme.com              # x client host

127.0.0.1       localhost

I can borrow a PC if needed. I've checked for typos, everything seems fine. I flushed dns and checked it out before I did via display. g2g soon because of the late hour here... :/

Edit: Wow, after the flush the firewall is working online again. This spyware is elite stuff, I hope some one can really catch it. o_O

Quote
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\Luke>ipconfig /displaydns

Windows IP Configuration

         z0.extreme-dm.com
         ----------------------------------------
         Record Name . . . . . : z0.extreme-dm.com
         Record Type . . . . . : 1
         Time To Live  . . . . : 2012
         Data Length . . . . . : 4
         Section . . . . . . . : Answer
         A (Host) Record . . . : 213.244.183.204


         Record Name . . . . . : z0.extreme-dm.com
         Record Type . . . . . : 1
         Time To Live  . . . . : 2012
         Data Length . . . . . : 4
         Section . . . . . . . : Answer
         A (Host) Record . . . : 213.244.183.210


         z8.invisionfree.com
         ----------------------------------------
         Record Name . . . . . : z8.invisionfree.com
         Record Type . . . . . : 1
         Time To Live  . . . . : 81632
         Data Length . . . . . : 4
         Section . . . . . . . : Answer
         A (Host) Record . . . : 209.85.48.7


         img1.imageshack.us
         ----------------------------------------
         Record Name . . . . . : img1.imageshack.us
         Record Type . . . . . : 1
         Time To Live  . . . . : 72
         Data Length . . . . . : 4
         Section . . . . . . . : Answer
         A (Host) Record . . . : 38.99.77.74


         ns7.imageshack.us
         ----------------------------------------
         Record Name . . . . . : ns7.imageshack.us
         Record Type . . . . . : 1
         Time To Live  . . . . : 1173
         Data Length . . . . . : 4
         Section . . . . . . . : Answer
         A (Host) Record . . . : 38.99.76.229


         1.0.0.127.in-addr.arpa
         ----------------------------------------
         Record Name . . . . . : 1.0.0.127.in-addr.arpa.
         Record Type . . . . . : 12
         Time To Live  . . . . : 599513
         Data Length . . . . . : 4
         Section . . . . . . . : Answer
         PTR Record  . . . . . : localhost


         mycroft.mozdev.org
         ----------------------------------------
         Record Name . . . . . : mycroft.mozdev.org
         Record Type . . . . . : 1
         Time To Live  . . . . : 2891
         Data Length . . . . . : 4
         Section . . . . . . . : Answer
         A (Host) Record . . . : 140.211.166.81


         ns.imageshack.us
         ----------------------------------------
         Record Name . . . . . : ns.imageshack.us
         Record Type . . . . . : 1
         Time To Live  . . . . : 1173
         Data Length . . . . . : 4
         Section . . . . . . . : Answer
         A (Host) Record . . . : 38.99.77.75


         img299.imageshack.us
         ----------------------------------------
         Record Name . . . . . : img299.imageshack.us
         Record Type . . . . . : 1
         Time To Live  . . . . : 39
         Data Length . . . . . : 4
         Section . . . . . . . : Answer
         A (Host) Record . . . : 38.99.76.241


         Record Name . . . . . : ns.imageshack.us
         Record Type . . . . . : 1
         Time To Live  . . . . : 39
         Data Length . . . . . : 4
         Section . . . . . . . : Additional
         A (Host) Record . . . : 38.99.77.75


         Record Name . . . . . : ns2.imageshack.us
         Record Type . . . . . : 1
         Time To Live  . . . . : 39
         Data Length . . . . . : 4
         Section . . . . . . . : Additional
         A (Host) Record . . . : 38.99.77.75


         Record Name . . . . . : ns3.imageshack.us
         Record Type . . . . . : 1
         Time To Live  . . . . : 39
         Data Length . . . . . : 4
         Section . . . . . . . : Additional
         A (Host) Record . . . : 38.101.111.42



C:\Documents and Settings\Luke>ipconfig /flushdns

Windows IP Configuration

Successfully flushed the DNS Resolver Cache.

Edit Again, that's the flush. 1.0.0.127 stands out to me as unusual...

Last Edit: I'm off for the night. More tomorrow, and maybe I'll check around some other places if needed.
« Last Edit: May 22, 2008, 10:24:52 PM by Gaming4JC »
grue155
Global Moderator
Comodo's Hero
« Reply #23 on: May 22, 2008, 10:23:26 PM »

An empty host file, like the one you have, is good. I don't know if CFP considers the host file as a protected file or not. It should be.

Good that the dns cache flush helped. The 1.0.0.127.in-addr.arpa is a valid entry. It's the reverse lookup entry for 127.0.0.1, and says it belongs to localhost. The in-addr.arpa domain is number-to-name reverse lookup. If you want to know what name is associated with IP address 1.2.3.4, you query the pseudo name 4.3.2.1.in-addr.arpa for a PTR (pointer) record, and the answer you get back is the host name.

I'm past my day here. I'll be back 1800 GMT, thereabouts.
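As an added illustration of the reverse-lookup naming described above (example code, not from the thread or from Microsoft), this parses the `ipconfig /displaydns` record layout quoted in the previous post and decodes its PTR entries; the SAMPLE text is a constructed, shortened excerpt of that output.

```python
# Added example for this thread (not from the forum posts or from Microsoft):
# parse `ipconfig /displaydns` output and decode its reverse-lookup (PTR) entries.
import re

# Constructed sample, shortened from the output quoted above (TTL/length lines dropped).
SAMPLE = """         z0.extreme-dm.com
         ----------------------------------------
         Record Name . . . . . : z0.extreme-dm.com
         Record Type . . . . . : 1
         Section . . . . . . . : Answer
         A (Host) Record . . . : 213.244.183.204

         1.0.0.127.in-addr.arpa
         ----------------------------------------
         Record Name . . . . . : 1.0.0.127.in-addr.arpa.
         Record Type . . . . . : 12
         Section . . . . . . . : Answer
         PTR Record  . . . . . : localhost
"""

# "Label . . . : value" lines; owner names and dashed separators do not match.
FIELD = re.compile(r"^\s*(.+?)\s*[. ]+:\s*(.*)$")
SUFFIX = ".in-addr.arpa"

def reverse_name(ipv4: str) -> str:
    """1.2.3.4 -> 4.3.2.1.in-addr.arpa, the pseudo name queried for a PTR record."""
    octets = ipv4.split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        raise ValueError(f"not an IPv4 address: {ipv4!r}")
    return ".".join(reversed(octets)) + SUFFIX

def decode_reverse_name(name: str) -> str:
    """Inverse of reverse_name: 1.0.0.127.in-addr.arpa. -> 127.0.0.1."""
    name = name.rstrip(".")
    if not name.endswith(SUFFIX):
        raise ValueError(f"not a reverse name: {name!r}")
    return ".".join(reversed(name[: -len(SUFFIX)].split(".")))

def parse_displaydns(text: str) -> list[dict]:
    """One dict per cached record, keyed by field label ("Record Name", "Record Type", ...)."""
    records, current = [], {}
    for line in text.splitlines():
        m = FIELD.match(line)
        if m is None:              # blank line, owner name or dashes: record boundary
            if current:
                records.append(current)
                current = {}
            continue
        current[m.group(1).strip()] = m.group(2).strip()
    if current:
        records.append(current)
    return records

def a_records(records: list[dict]) -> dict[str, set[str]]:
    """hostname -> cached addresses, from type-1 (A) records."""
    out: dict[str, set[str]] = {}
    for r in records:
        if r.get("Record Type") == "1":
            out.setdefault(r["Record Name"].rstrip("."), set()).add(r["A (Host) Record"])
    return out

def ptr_records(records: list[dict]) -> dict[str, str]:
    """address -> hostname, decoded from type-12 (PTR) records like 1.0.0.127.in-addr.arpa."""
    return {decode_reverse_name(r["Record Name"]): r["PTR Record"]
            for r in records if r.get("Record Type") == "12"}
```

Comparing `a_records` against what the hosts file and the ISP's resolver should return is the quick way to spot an override of the kind the thread is hunting for.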
Gaming4JC
Comodo Family Member
« Reply #24 on: May 23, 2008, 12:27:30 PM »

Very interesting, once again my internet has stopped working. This time it freezes up Comodo.
Interestingly the paranoid mode may have paid off, something called rasautou.exe was trying to execute rasautou.exe.
Upon denying this request I was promptly disconnected from the internet. I attempted to re-dial only to find "Port Closed" and "No Dial-Tone" errors. I restarted my computer and was able to get back online, I also found out rasautou.exe is Remote Access Dialer from Microsoft, I believe it is exploited or being used by my attacking spam zombie.

I am researching Spam Zombies to see if I can find any information on how to stop this one in its tracks and report the infected file(s) for Comodo Labs... so far no luck on them returning my email either.

Edit: After a substantial amount of time googling, I found this:
http://www.cyber-ta.org/pubs/StormWorm/

I think I have a variant of this thing. Check the Analysis PDF, it's pretty in-depth and sounds oh so close...
As of yet the BotHunter seems to only work on Linux though. I'll see if I can't get any more information.
« Last Edit: May 23, 2008, 01:01:18 PM by Gaming4JC »
grue155
Global Moderator
Comodo's Hero
« Reply #25 on: May 23, 2008, 01:53:45 PM »

"Storm" is what I've been expecting to find. Storm itself is relatively old (last year or so). The newer variants are considerably more difficult.

Three things I want to look into.

First up, I want to tighten up the CFP rules, and try to block svchost from doing the malware's network business. But to do that, I need to get the details on what your CFP configuration is. The easiest way to do that is to run the Config Reporting Script (sticky topic at the top of the v3 Help forum), save the resulting txt report, and post it here.

Then, do a baseline cleaning of your machine using the Microsoft "Malicious Software Removal Tool". It's available for download at http://support.microsoft.com/kb/890830. This will remove some variants of Storm, but probably not the newer ones.

After that, do a virus scan with your installed Avast. Make note of any report, and post that report here. If there are pathnames in the report, try uploading each reported file to http://www.virustotal.com/ . If virustotal can identify the malware, then we can do a google for tools.

For a second scan, do an on-line scan from www.kaspersky.com. On a dialup line, this may be a problem, as it's about a 25 meg download, and the scan itself can take an hour or two. The "free virus scan" is in the upper right corner on the kaspersky web page. It uses ActiveX, and so has to be accessed with Internet Explorer, rather than some other browser.

That you're now having connection problems tells me there is still a command channel in place, probably going thru svchost, and not using port 80. We're going to need to bottle svchost up so things can be stable.
Gaming4JC
Comodo Family Member
« Reply #26 on: May 23, 2008, 02:48:57 PM »

Ok, first up I am downloading Windows Defender (hope this is good). I have run the Malicious Software Removal Tool in the past and it never caught anything.

I've scanned several times with Avast, it claims I'm clean. About the Comodo Script I ran it but it simply gave loads of errors. Line 2622 Char 2 RPC server unavailable. Then Error 462: Remote server machine does not exist or is unavailable.

I also had Kaspersky from AOL security for the time they had it free. It never caught much. I may try the online scan though when I have the time.

Mean time this Remote Access Dialer is being used to kick me from the internet:


It comes and goes at random. O_o
grue155
Global Moderator
Comodo's Hero
« Reply #27 on: May 23, 2008, 03:11:04 PM »

Weird. The Config Reporting Script doesn't make use of an RPC server. It just reads the Windows registry, and translates into something readable. Something is messing with it to generate those kinds of errors. That's not encouraging.

The MSRT got updated about 6 months ago to detect and remove Storm and many of its variants. With some notable success, according to reports I've heard. I'm not really expecting anything on detection, but on cleaning. If it can clean even some of the malware modular components, that's a good thing. I don't know if Defender has the same capability. Defender won't hurt, and may help.

The full blown Kaspersky package, which AOL had, isn't exactly the same as the on-line scanner. All the various antivirus packages look for slightly different things. So what one misses, another may catch, or at least give a hint about. At this stage, hints are a good thing.

I'm getting the sense that the malware is getting into its defensive mode. That means that it's calling home somehow, getting past CFP, and receiving updates to make things difficult. As I get time today, I'll work up some CFP rules to try to lock the network traffic down further.
grue155
Global Moderator
Comodo's Hero
« Reply #28 on: May 23, 2008, 04:02:24 PM »

Here's a quick thought. Find all instances of rasauto* files on your machine, and upload each to virustotal. The machine I'm using has only three files, one exe and one dll in \windows\system32\, and one dll in \windows\servicepackfiles\i386\. You may have more, and/or the system files may be infected. If virustotal says infected, then the infection name is a google search query.
grue155
Global Moderator
Comodo's Hero
« Reply #29 on: May 23, 2008, 06:24:09 PM »

It's been remarkably busy here for a Friday... I did get a chance to work up some rules to lock down svchost.exe a bit more. So, here goes.

In the Application Rules, click on the line for svchost.exe to highlight it, and then move it to the very top first rule. No chance for a rule override there.

It probably has only one rule in place, to allow outbound traffic. What follows will replace that rule. So things can be undone later, the existing rule(s) will be kept, but nothing will be executed. It'll take advantage of the rule ordering.

The new rules to insert (and I'll watch the spacing this time):

1. allow IP Out from IP Any to IP In[12.183.0.0/255.255.0.0] where protocol is any
2. allow IP Out from IP Any to IP In[224.0.0.0/240.0.0.0] where proto is any
3. allow IP Out from IP Any to IP In[127.0.0.0/255.0.0.0] where proto is any
4. allow IP Out from IP Any to IP In[65.52.0.0/255.240.0.0] where proto is any
5. allow IP Out from IP Any to IP 255.255.255.255 where proto is any
6. block&log  IP Out from IP Any to IP Any where proto is any
7+  (these are the existing rules which will never be used - see rule 6)

What this will do, is to limit svchost.exe to talking only to your ISP address space (12.183.0.0), localhost (127.0.0.0), any routing and boot special addresses (224.0.0.0 and 255.255.255.255), and Microsoft auto updates (65.52.0.0).

Anything else will get blocked by that rule 6. That should make it very very hard for malware to get out.

Then, change the setting in Firewall -> Advanced / Firewall Behavior Settings to be "Custom Policy Mode".

As the malware tries to get out, you'll probably get a lot of alerts.

If need be, a default application rule can be put in to block anything that doesn't have explicit rules. I haven't worked that up yet, and it may not be needed. It depends on what kind of alerts you get, and what the alerts can tell you about where the malware is coming from in pathnames.

Edit: Added the rule needed for Windows auto update to work.
« Last Edit: May 23, 2008, 07:18:22 PM by grue155 »
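The first-match ordering these rules rely on, as an added example (not Comodo's code and not how CFP matches internally): the six rules above plus a stand-in for the old allow-out rule, evaluated top to bottom against destination addresses; the 203.0.113.9 destination is a constructed test address.

```python
# Added example for this thread (not Comodo's code and not how CFP matches internally):
# first-match evaluation of the svchost.exe application rules proposed in the post above.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Rule:
    number: int
    action: str   # "allow" or "block&log"
    dest: str     # CFP destination: "Any", a single address, or "network/netmask" as in In[...]
    note: str = ""

    def matches(self, dst_ip: str) -> bool:
        if self.dest == "Any":
            return True
        # strict=False applies the mask the way a firewall does: 65.52.0.0/255.240.0.0
        # is not on a /12 boundary, so it is treated as 65.48.0.0/12.
        return ip_address(dst_ip) in ip_network(self.dest, strict=False)

# Rules 1-6 as written in the post; rule 7 stands for the pre-existing allow-out rule
# that is left in place below rule 6 and therefore never reached.
SVCHOST_RULES = [
    Rule(1, "allow", "12.183.0.0/255.255.0.0", "ISP address space"),
    Rule(2, "allow", "224.0.0.0/240.0.0.0", "multicast"),
    Rule(3, "allow", "127.0.0.0/255.0.0.0", "localhost"),
    Rule(4, "allow", "65.52.0.0/255.240.0.0", "Microsoft auto update"),
    Rule(5, "allow", "255.255.255.255", "broadcast"),
    Rule(6, "block&log", "Any", "everything else"),
    Rule(7, "allow", "Any", "old rule, now shadowed"),
]

def evaluate(rules: list[Rule], dst_ip: str) -> tuple[str, int]:
    """Action and rule number of the first rule matching an outbound packet to dst_ip."""
    for rule in rules:
        if rule.matches(dst_ip):
            return rule.action, rule.number
    raise LookupError("no rule matched")   # unreachable while an 'Any' rule is last

def shadowed_rules(rules: list[Rule]) -> list[int]:
    """Rules that can never fire because an earlier rule already matches every destination."""
    shadowed, covered = [], False
    for rule in rules:
        if covered:
            shadowed.append(rule.number)
        elif rule.dest == "Any":
            covered = True
    return shadowed

def blocked_destinations(rules: list[Rule], dst_ips: list[str]) -> list[str]:
    """Destinations that hit a block rule: what the CFP log would show as the malware calls out."""
    return [ip for ip in dst_ips if evaluate(rules, ip)[0].startswith("block")]
```

Running `shadowed_rules` on a rule set before saving it is the quick check that the block&log rule actually sits above, not below, any catch-all allow.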