Java update installed a hook, and then some!

A recent Java update installed a hook and modified several registry entries. This hook is now asking to attach itself to various files on my computer. D+ has alerted me to only a few instances, thankfully!

Another file named msctf.dll is associated with this hook, and asks separately to attach itself to various files.

BOINC projects are also asked to be hooked to these files. I have blocked this, as another PC I use for BOINC has consistently been corrupted, with BOINC projects targeted. AIDS research and climate prediction seem to be the primary targets =c

Comodo also crashed before this update took place.
The .dmp dated 5/31/11 was because I powered down for cleaning and I have no CMOS battery, and I set the date wrong. It was early 5/25/11, I believe.


I feel your pain!

I had constant problems on my old PC when I had Java installed. I had viruses in its cache. Then, like you, I had a misdirected update that installed a Hacktool rootkit. Then the fun really started.

My current AV at the time was piece of garbage Symantec Endpoint 11. It was able to get rid of most of the rootkit when I did a full scan in safe mode on a WIN XP Pro SP3 install.

After that experience, I made it a point to never ever install Java on any OS installation.

Best advice I can give is to start looking for some good free rootkit scanners. Sophos has a good one you can download. Don’t know if it works on all vers. of Vista or WIN 7. Kaspersky has a TDSS rootkit cleaner you can try, although it has been known to trash a few installations.

What java? The JRE or the SDK?

Client or JRE, I’m not noobishly coding on this PC… so just this. And yeah, Java is a pain, but all great things eventually become targeted or exploited… at least once. How are you getting by with no Java on anything? Java is everything, or can be?

I have both installed (including Derby). >:-D

Here are my JRE D+ rules (notice there’s only one thing allowed to run the JRE Updater):

Java Runtime Environment components

JRE Update checkers:
%PROGRAMFILES%\Common Files\Java\Java Update\jaucheck.exe
%PROGRAMFILES%\Common Files\Java\Java Update\jucheck.exe
%PROGRAMFILES%\Common Files\Java\Java Update\jusched.exe

JRE Updater:
C:\Documents and Settings\[user]\Local Settings\Temp\jre-6u??-windows-i586-iftw-rv.exe

JRE components
%PROGRAMFILES%\Java\jre6\bin\jqs.exe
%PROGRAMFILES%\Java\jre6\bin\java.exe
%PROGRAMFILES%\Java\jre6\bin\javacpl.exe
%PROGRAMFILES%\Java\jre6\bin\javaw.exe
%PROGRAMFILES%\Java\jre6\bin\javaws.exe
%PROGRAMFILES%\Java\jre6\bin\deploy.jar

Permissions

jucheck:

registry
HKLM\SYSTEM\ControlSet???\Services\*

files
\Device\Afd\Endpoint

allow DNS client service

jaucheck:

execute
%PROGRAMFILES%\Java\jre6\bin\java.exe
%PROGRAMFILES%\Java\jre6\bin\javacpl.exe
C:\Documents and Settings\[user]\Local Settings\Temp\jre-6u??-windows-i586-iftw-rv.exe

registry
HKLM\SYSTEM\ControlSet???\Services\*

files
\Device\Afd\Endpoint

jusched:

execute
%PROGRAMFILES%\Common Files\Java\Java Update\jaucheck.exe
%PROGRAMFILES%\Common Files\Java\Java Update\jucheck.exe
%PROGRAMFILES%\Java\jre6\bin\java.exe
%PROGRAMFILES%\Java\jre6\bin\javaws.exe

registry
HKLM\SYSTEM\ControlSet???\Services\*

files
\Device\Afd\Endpoint

allow DNS client service

jqs.exe

registry
HKLM\SYSTEM\ControlSet001\Services\Eventlog\Application\JavaQuickStarterService
HKLM\SYSTEM\ControlSet001\Services\Eventlog\Application\JavaQuickStarterService\EventMessageFile
HKLM\SYSTEM\ControlSet001\Services\Eventlog\Application\JavaQuickStarterService\TypesSupported

files
\Device\Afd\Endpoint

java.exe

messages
C:\Program Files\Internet Explorer\IEXPLORE.EXE

registry
HKLM\SYSTEM\ControlSet???\Services\*

files
\Device\Afd\Endpoint

allow DNS client service
allow keyboard

javacpl.exe

execute
%JAVA%\bin\javaw.exe

javaw.exe

execute
%JAVA%\bin\jqs.exe

registry
HKLM\SYSTEM\ControlSet???\Services\*
HKUS\S-1-5-21-1355546302-2387749449-1072945706-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Start Menu
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Common Start Menu

files
\Device\Afd\Endpoint

javaws.exe

execute
%JAVA%\bin\javaw.exe
%JAVA%\bin\javaws.exe

files
\Device\Afd\Endpoint

deploy.jar

execute
%JAVA%\bin\javaw.exe

registry
HKLM\SYSTEM\ControlSet???\Services\JavaQuickStarterService

files
\Device\Afd\Endpoint
X:\JRE_temp_IE\6.0??\various\various .dll

====================

The JRE updater image has a very specific name; it and only it is executed by one app.

SVCHost is not a Windows System Application. I posted on how to set that up a while back. You have to configure D+ for SVCHost before pulling it out of that file group. This way SVCHost cannot be invoked to arbitrarily run executables out of the temp folders.

Finally, I have Content_IE blocked for all executables and archive files. That prevents drive by downloads.

The firewall rules for JRE update checkers, JRE Updaters and JRE components are a totally separate topic. Essentially you only allow internet access for the JRE update checkers to those IP addresses you know to be legit for Java, and Java access for the components is granted on a case-by-case basis (as needed, e.g., during browsing).

svchost is originally a Windows system process. It is Windows’ way of handling network devices. And there will be one for each device.

If you only have one LAN or WiFi device, and it doesn’t have its own controller or device driver that bypasses Windows, you will have at least one svchost.

When more than one pops up at startup despite this, try closing one. The one that is needed will cause the system to reboot or Explorer to reset. The one that is not will do nothing, and is most likely a remote connection of sorts, as Windows detects that as a network device and assigns it a host file.

Regardless, isolating it the way you have suggested should protect it…

I’m gonna re-install Java and Flash, and attempt to use the D+ pop-ups to configure limitations…

Is this list of things a copy-paste? Or will I have to find where it is on my system specifically? I haven’t changed system folders etc… yet.

F:\Documents\Process_Tool.cmd>Tasklist /FI "IMAGENAME eq svchost.exe" /svc

Image Name                     PID Services
============================ ======== ============================================
svchost.exe                     628 DcomLaunch
svchost.exe                     688 RpcSs
svchost.exe                     768 AudioSrv, BITS, CryptSvc, EventSystem,
                                    lanmanworkstation, Netman, Nla, RasMan,
                                    Schedule, SENS, ShellHWDetection, Themes,
                                    winmgmt, wuauserv
svchost.exe                     896 Dhcp, Dnscache
svchost.exe                    1144 Wecsvc
svchost.exe                    1544 TermService
svchost.exe                    1912 TapiSrv

F:\Documents>pause
Press any key to continue . . .

I ain’t messing w/that. You do what you want, but it looks like all important stuff to me. As far as hardening it, I went through a lot of grief getting it to run on its own legs. If you just pull it out of the stock CIS file-group, you’ll be barraged with a deluge of alerts. Plus your system will hang, and require improper shutdowns, etc. Eventually you work through it, but it’s not for the quail-hearted. I did all the leg work; you want to create the SVCHost D+ rules BEFORE you pull it out of the stock CIS file-group. After that the alerts are few and far between and quite manageable.

%PROGRAMFILES% is an environmental var (start, run, cmd, set), or My Computer, right-click, properties, advanced, environmental variables. Dunno if that’s standard or if I made it.

The ‘Java Runtime Environment components’ listed are file groups. The absolute pathnames for files listed in file groups can be edited. So as long as the environmental var exists, you can cut and paste. Or just navigate to the file and select it. No big deal. I like environmental vars (I replaced C:\Windows with %windir% throughout CIS, and use %SystemRoot32% instead of C:\Windows\System32).

As far as:

C:\Documents and Settings\[user]\Local Settings\Temp\jre-6u??-windows-i586-iftw-rv.exe

Replace [user] w/your user name. As far as the *.exe, I’m unclear if that’s going to be valid for the next update (notice the ‘?’ wildcards). JAUCHECK executes the actual update after it’s been downloaded. Also, the firewall will need permission for that thing to phone home (as do all the JRE components). But that’s a totally different striped horse. The reason there’s a file-group w/all three JRE Update checkers in it: they share the same IP address to phone home. You won’t know what they actually are until you see the same IP address in all three JRE component firewall rules.

JUSCHED & JUCHECK are pretty benign, but JAUCHECK gets pretty hairy (I have 17 zones ea. w/multiple IP & several entire subnet ranges having 255.255.255.0 mask; that’s 255 IP for just ONE entry). However, ALL of the IPs he hits are solid edge caching domains, or non-transferable IP assigned to internet backbone service providers.

As far as:

X:\JRE_temp_IE\6.0??\various\various .dll (there’s a bunch - I didn’t list 'em - they’re specific to my web-surfing habits)

X:\JRE_temp depends on where you put the JRE temp folder (in the Java config tool). Those DLLs are specific to the JRE applets utilized by various web-sites. BTW, when you do install JRE, make sure you disable JQS - Java Quick Start - as that always gets enabled. It’s a peeve of mine, and I detest services running that have a skeptical putative purpose. Rules for it do exist in D+, and that’s because I don’t want to be pestered with alerts that’ll just annoy me.

Watch out for the registry entries that make reference to HKUS (HKEY_USERS). You want to make sure the GUID implemented is specific to your installation. Other than that, yep, pretty much cut and paste.
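The Tasklist /svc listing quoted above wraps long service lists onto continuation lines that carry no image name or PID, which makes it easy to misread which svchost instance hosts which service. This added example (not code from the thread) parses that output format, folding the wrapped lines into the right host process, and maps the services the thread singles out (RasMan, TermService) back to the PID that hosts them; the sample listing is constructed from the posted output.

```python
import re
from collections import OrderedDict

# Constructed sample: the `Tasklist /FI "IMAGENAME eq svchost.exe" /svc` listing
# quoted in the thread, re-typed with tasklist's column layout.
SAMPLE = """\
Image Name                     PID Services
============================ ======== ============================================
svchost.exe                     628 DcomLaunch
svchost.exe                     688 RpcSs
svchost.exe                     768 AudioSrv, BITS, CryptSvc, EventSystem,
                                    lanmanworkstation, Netman, Nla, RasMan,
                                    Schedule, SENS, ShellHWDetection, Themes,
                                    winmgmt, wuauserv
svchost.exe                     896 Dhcp, Dnscache
svchost.exe                    1144 Wecsvc
svchost.exe                    1544 TermService
svchost.exe                    1912 TapiSrv
"""

# A data row: image name, PID, then the (possibly wrapped) service list.
ROW = re.compile(r"^(\S+\.exe)\s+(\d+)\s+(.*)$")

def parse_tasklist_svc(text):
    """Return {pid: [service, ...]} from `tasklist /svc` output, folding the
    continuation lines (no image name / PID) into the preceding host process."""
    hosts = OrderedDict()
    current = None
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith(("Image Name", "=")):
            continue                      # blank line, header row or separator
        m = ROW.match(line)
        if m:
            current = int(m.group(2))
            hosts[current] = []
            svc_text = m.group(3)
        elif current is not None:
            svc_text = stripped           # wrapped continuation of the last row
        else:
            continue                      # prompt or other noise before the table
        hosts[current].extend(s.strip() for s in svc_text.split(",") if s.strip())
    return hosts

def find_hosts(hosts, names):
    """Map each wanted service (case-insensitive) to the PID hosting it, so a
    service the thread singles out (RasMan, TermService) can be traced to the
    exact svchost instance that stopping it would affect."""
    wanted = {n.lower() for n in names}
    return {s: pid for pid, svcs in hosts.items() for s in svcs if s.lower() in wanted}
```

On a live system the same parser can be fed the real output of `tasklist /svc`, which is the quickest way to see that killing the PID hosting RasMan would also take down Schedule, winmgmt and wuauserv.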

Right, I made my statement from knowledge I had of XP and previous versions.

When I look at my installation of Win7, there are over 11 svchost.exe’s =c

RasMan and RDP should not be given access, unless you are actively using them. If you don’t use NetMeeting or TeamViewer, GoToMyPC, etc., these items should not be listed in running processes and memory paths. But there they are; it appears Microsoft configured it this way, regardless of what PC it’s on, or what you’re doing with that PC. However, these are known to be exploited, so I disable them whenever possible. Not an easy process, as Microsoft put in stuff to prevent it from being removed. It’s unauthorized use of my PC and I don’t want it there. :P0l If I have to keep it so Windows runs, I want it protected, and telling me something wants to use it.