Svchost.exe and email exploit troubles... [Closed]

Ooookkkk… well, I talked to a guy on the live support and he told me I had already done more than he would have told me to do, and that I need to reformat my hard drive. After I told him I’d like to catch this thing to send to Comodo labs and fix it, he told me I should email support@comod.com providing lots of information, and I did so only to find out I needed to register, and they rejected my first email. I will try and register tonight and “re-write” the whole email… (:SAD)

On other matters, perhaps you can check my Global Rules in my post above? Something seems to be blocking me, so I have temporarily disabled the firewall to reach this site (unsafe, I know).

Got your PM, and did a quick read over it. Kind of disappointing, as there is a bunch more stuff that can be done. I follow several of the malware cleanup forums (castlecops.com is one), and I’ve seen some fantastic cleanups done. At worst, I may have to refer you to one of those if we get past my skills.

Unless you’ve changed the Global Rules from your post yesterday, your rules are good. It could be that the malware is trying to block you. Check your hosts file (c:\windows\system32\drivers\etc\hosts) to see if there is any override addressing in place. Most folks have this as an empty file. Some security programs will populate it, and often malware will also, to block security downloads. Then flush your DNS lookup cache with the command line “ipconfig /flushdns” (there’s also a /displaydns, if you want to see what’s in the cache; use /? to see all ipconfig options).

Don’t know if this is relevant, but check for typos too. Your post had comod.com, rather than comodo.com.

It might be a good idea to run Wireshark, and just watch traffic. It could be that something has gotten into the stack and is redirecting all traffic through a proxy (again? or not). If the addresses are all the same, then there’s something funny going on.

You said that you’re on a dialup line. An internal modem or an external? There might be some cheap hardware that could be useful to have on hand (like an old USR8001 router that will work with an external serial modem).
Or, do you have another PC available or borrowable?
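An added example (mine, not part of the thread) of the hosts-file check described in the post above. A clean XP hosts file carries exactly one mapping, 127.0.0.1 localhost; anything else is either a deliberate override or a hijack. The script parses the file, ignores comments, and flags every other mapping, calling out the two patterns malware uses: sending a name to loopback/0.0.0.0 so the download silently fails, and targeting a security vendor's domain. The sample hosts content and the vendor-domain list are constructed for illustration and are assumptions, not data from the thread.

```python
"""Flag hosts-file entries that could be blocking security sites.

Added example; the sample content below is constructed, not the poster's file.
"""
from pathlib import Path

HOSTS_PATH = Path(r"C:\Windows\System32\drivers\etc\hosts")

# Targets used to "sinkhole" a name so the connection goes nowhere.
SINKHOLE_TARGETS = {"127.0.0.1", "0.0.0.0", "::1"}

# Vendor domains malware commonly blocks. Illustrative list (an assumption); extend as needed.
SECURITY_DOMAINS = (
    "comodo.com", "avast.com", "kaspersky.com", "virustotal.com",
    "microsoft.com", "windowsupdate.com",
)

# Constructed sample: what a planted override looks like next to a normal file.
SAMPLE_HOSTS = """\
# Constructed sample, not the hosts file posted in the thread.
127.0.0.1       localhost
127.0.0.1       www.comodo.com        # planted: vendor site sent to loopback
0.0.0.0         update.avast.com      # planted: updates sinkholed
10.0.0.5        intranet.example      # assumed legit LAN mapping
"""


def parse_hosts(text):
    """Yield (line_no, ip, [hostnames]) for each mapping line; comments are skipped."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop trailing comment
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue                            # malformed line, nothing to map
        yield lineno, parts[0], parts[1:]


def _is_security_domain(name):
    name = name.lower()
    return any(name == d or name.endswith("." + d) for d in SECURITY_DOMAINS)


def suspicious_entries(text):
    """Return (line_no, ip, hostname, reason) for every mapping other than localhost."""
    findings = []
    for lineno, ip, names in parse_hosts(text):
        for name in names:
            if ip in ("127.0.0.1", "::1") and name.lower() == "localhost":
                continue                        # the one entry a clean file has
            reason = "sinkholed" if ip in SINKHOLE_TARGETS else "non-default mapping"
            if _is_security_domain(name):
                reason += ", security vendor domain"
            findings.append((lineno, ip, name, reason))
    return findings


if __name__ == "__main__":
    # Use the real file when run on Windows, otherwise the constructed sample.
    text = HOSTS_PATH.read_text(errors="replace") if HOSTS_PATH.exists() else SAMPLE_HOSTS
    for lineno, ip, name, reason in suspicious_entries(text):
        print(f"line {lineno}: {ip:<16} {name:<28} [{reason}]")
```

Anything reported as "sinkholed, security vendor domain" is almost certainly planted; a "non-default mapping" to a LAN or vendor address may be legitimate and just needs to be recognised.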

Hello Again,
Here’s my host file:

# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
#      102.54.94.97     rhino.acme.com          # source server
#       38.25.63.10     x.acme.com              # x client host

127.0.0.1 localhost

I can borrow a PC if needed. I’ve checked for typos, everything seems fine. I flushed DNS and checked it out beforehand via display. g2g soon because of the late hour here… :confused:

Edit: Wow, after the flush the firewall is working online again. This spyware is elite stuff, I hope some one can really catch it. o_O

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\Luke>ipconfig /displaydns

Windows IP Configuration

     z0.extreme-dm.com
     ----------------------------------------
     Record Name . . . . . : z0.extreme-dm.com
     Record Type . . . . . : 1
     Time To Live  . . . . : 2012
     Data Length . . . . . : 4
     Section . . . . . . . : Answer
     A (Host) Record . . . : 213.244.183.204


     Record Name . . . . . : z0.extreme-dm.com
     Record Type . . . . . : 1
     Time To Live  . . . . : 2012
     Data Length . . . . . : 4
     Section . . . . . . . : Answer
     A (Host) Record . . . : 213.244.183.210


     z8.invisionfree.com
     ----------------------------------------
     Record Name . . . . . : z8.invisionfree.com
     Record Type . . . . . : 1
     Time To Live  . . . . : 81632
     Data Length . . . . . : 4
     Section . . . . . . . : Answer
     A (Host) Record . . . : 209.85.48.7


     img1.imageshack.us
     ----------------------------------------
     Record Name . . . . . : img1.imageshack.us
     Record Type . . . . . : 1
     Time To Live  . . . . : 72
     Data Length . . . . . : 4
     Section . . . . . . . : Answer
     A (Host) Record . . . : 38.99.77.74


     ns7.imageshack.us
     ----------------------------------------
     Record Name . . . . . : ns7.imageshack.us
     Record Type . . . . . : 1
     Time To Live  . . . . : 1173
     Data Length . . . . . : 4
     Section . . . . . . . : Answer
     A (Host) Record . . . : 38.99.76.229


     1.0.0.127.in-addr.arpa
     ----------------------------------------
     Record Name . . . . . : 1.0.0.127.in-addr.arpa.
     Record Type . . . . . : 12
     Time To Live  . . . . : 599513
     Data Length . . . . . : 4
     Section . . . . . . . : Answer
     PTR Record  . . . . . : localhost


     mycroft.mozdev.org
     ----------------------------------------
     Record Name . . . . . : mycroft.mozdev.org
     Record Type . . . . . : 1
     Time To Live  . . . . : 2891
     Data Length . . . . . : 4
     Section . . . . . . . : Answer
     A (Host) Record . . . : 140.211.166.81


     ns.imageshack.us
     ----------------------------------------
     Record Name . . . . . : ns.imageshack.us
     Record Type . . . . . : 1
     Time To Live  . . . . : 1173
     Data Length . . . . . : 4
     Section . . . . . . . : Answer
     A (Host) Record . . . : 38.99.77.75


     img299.imageshack.us
     ----------------------------------------
     Record Name . . . . . : img299.imageshack.us
     Record Type . . . . . : 1
     Time To Live  . . . . : 39
     Data Length . . . . . : 4
     Section . . . . . . . : Answer
     A (Host) Record . . . : 38.99.76.241


     Record Name . . . . . : ns.imageshack.us
     Record Type . . . . . : 1
     Time To Live  . . . . : 39
     Data Length . . . . . : 4
     Section . . . . . . . : Additional
     A (Host) Record . . . : 38.99.77.75


     Record Name . . . . . : ns2.imageshack.us
     Record Type . . . . . : 1
     Time To Live  . . . . : 39
     Data Length . . . . . : 4
     Section . . . . . . . : Additional
     A (Host) Record . . . : 38.99.77.75


     Record Name . . . . . : ns3.imageshack.us
     Record Type . . . . . : 1
     Time To Live  . . . . : 39
     Data Length . . . . . : 4
     Section . . . . . . . : Additional
     A (Host) Record . . . : 38.101.111.42

C:\Documents and Settings\Luke>ipconfig /flushdns

Windows IP Configuration

Successfully flushed the DNS Resolver Cache.

Edit Again, that’s the flush. 1.0.0.127 stands out to me as unusual…

Last Edit: I’m off for the night. More tomorrow, and maybe I’ll check around some other places if needed.

An empty host file, like the one you have, is good. I don’t know if CFP considers the host file as a protected file or not. It should be.

Good that the dns cache flush helped. The 1.0.0.127.in-addr.arpa is a valid entry. It’s the reverse lookup entry for 127.0.0.1, and says it belongs to localhost. The in-addr.arpa domain is number-to-name reverse lookup. If you want to know what name is associated with IP address 1.2.3.4, you query the pseudo name 4.3.2.1.in-addr.arpa for a PTR (pointer) record, and the answer you get back is the host name.

I’m past my day here. I’ll be back 1800 GMT, thereabouts.
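An added example (mine, not from the thread) that parses the output of ipconfig /displaydns in the format Luke posted above and shows the in-addr.arpa reverse-lookup construction the reply explains. It also does the check suggested earlier in the thread, namely listing addresses that several different names resolve to, which is what a transparent redirect through one proxy would look like in the cache. The embedded sample is a trimmed copy of the output already on this page; the shared-address result it finds (two imageshack name servers on one IP) is a normal hosting arrangement, not an indicator.

```python
"""Parse `ipconfig /displaydns` output and build in-addr.arpa names.

Added example. SAMPLE_DISPLAYDNS is a trimmed copy of the output posted in the thread.
"""
from collections import defaultdict

RECORD_TYPES = {1: "A", 5: "CNAME", 12: "PTR", 28: "AAAA"}

SAMPLE_DISPLAYDNS = """\
Windows IP Configuration

         z0.extreme-dm.com
         ----------------------------------------
         Record Name . . . . . : z0.extreme-dm.com
         Record Type . . . . . : 1
         Time To Live  . . . . : 2012
         Data Length . . . . . : 4
         Section . . . . . . . : Answer
         A (Host) Record . . . : 213.244.183.204


         Record Name . . . . . : z0.extreme-dm.com
         Record Type . . . . . : 1
         Time To Live  . . . . : 2012
         Data Length . . . . . : 4
         Section . . . . . . . : Answer
         A (Host) Record . . . : 213.244.183.210


         1.0.0.127.in-addr.arpa
         ----------------------------------------
         Record Name . . . . . : 1.0.0.127.in-addr.arpa.
         Record Type . . . . . : 12
         Time To Live  . . . . : 599513
         Data Length . . . . . : 4
         Section . . . . . . . : Answer
         PTR Record  . . . . . : localhost


         Record Name . . . . . : ns.imageshack.us
         Record Type . . . . . : 1
         Time To Live  . . . . : 39
         Data Length . . . . . : 4
         Section . . . . . . . : Additional
         A (Host) Record . . . : 38.99.77.75


         Record Name . . . . . : ns2.imageshack.us
         Record Type . . . . . : 1
         Time To Live  . . . . : 39
         Data Length . . . . . : 4
         Section . . . . . . . : Additional
         A (Host) Record . . . : 38.99.77.75
"""


def parse_displaydns(text):
    """Return a list of dicts (name, type, ttl, section, data), one per cached record."""
    records, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if ":" not in line:
            continue                                    # headers, dashes, blank lines
        label, _, value = line.partition(":")
        label = label.replace(".", "").strip()          # "Record Name . . . . . " -> "Record Name"
        value = value.strip()
        if label == "Record Name":
            current = {"name": value.rstrip(".")}       # PTR names carry a trailing dot
            records.append(current)
        elif current is None:
            continue
        elif label == "Record Type":
            current["type"] = RECORD_TYPES.get(int(value), value)
        elif label == "Time To Live":
            current["ttl"] = int(value)
        elif label == "Section":
            current["section"] = value
        elif label.endswith("Record"):                  # "A (Host) Record", "PTR Record", ...
            current["data"] = value
    return records


def reverse_name(ip):
    """1.2.3.4 -> 4.3.2.1.in-addr.arpa, the pseudo-name queried for a PTR record."""
    return ".".join(reversed(ip.split("."))) + ".in-addr.arpa"


def ip_from_reverse_name(name):
    """Inverse of reverse_name; returns None if the name is not an IPv4 reverse name."""
    suffix = ".in-addr.arpa"
    if not name.endswith(suffix):
        return None
    octets = name[: -len(suffix)].split(".")
    if len(octets) != 4 or not all(o.isdigit() for o in octets):
        return None
    return ".".join(reversed(octets))


def shared_targets(records):
    """Map each IP that more than one distinct name resolves to -> sorted list of names."""
    names_by_ip = defaultdict(set)
    for r in records:
        if r.get("type") == "A":
            names_by_ip[r["data"]].add(r["name"])
    return {ip: sorted(n) for ip, n in names_by_ip.items() if len(n) > 1}


if __name__ == "__main__":
    recs = parse_displaydns(SAMPLE_DISPLAYDNS)
    for r in recs:
        print(f"{r['type']:<5} {r['name']:<28} {r['data']}")
    print("PTR name for 127.0.0.1:", reverse_name("127.0.0.1"))
    print("shared targets:", shared_targets(recs))
```

On the real machine, pipe the live output in (ipconfig /displaydns > dns.txt) and parse the file; a cache where most unrelated names collapse onto one address is the "all the same" case worth chasing with Wireshark.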

Very interesting, once again my internet has stopped working. This time it freezes up Comodo.
Interestingly, the paranoid mode may have paid off: something called rasautou.exe was trying to execute rasautou.exe.
Upon denying this request I was promptly disconnected from the internet. I attempted to re-dial only to find “Port Closed” and “No Dial-Tone” errors. I restarted my computer and was able to get back online. I also found out rasautou.exe is Remote Access Dialer from Microsoft; I believe it is exploited or being used by my attacking spam zombie. :frowning:

I am researching Spam Zombies to see if I can find any information on how to stop this one in its tracks and report the infected file(s) to Comodo Labs… so far no luck on them returning my email either. :cry:

Edit: After a substantial amount of time googling, I found this:

I think I have a variant of this thing. Check the Analysis PDF, it’s pretty in-depth and sounds oh so close…
As of yet BotHunter seems to only work on Linux though. I’ll see if I can’t get any more information.

“Storm” is what I’ve been expecting to find. Storm itself is relatively old (last year or so). The newer variants are considerably more difficult.

Three things I want to look into.

First up, I want to tighten up the CFP rules, and try to block svchost from doing the malware’s network business. But to do that, I need to get the details of what your CFP configuration is. The easiest way to do that is to run the Config Reporting Script (sticky topic at the top of the v3 Help forum), save the resulting txt report, and post it here.

Then, do a baseline cleaning of your machine using the Microsoft “Malicious Software Removal Tool”. It’s available for download at Remove specific prevalent malware with Windows Malicious Software Removal Tool (KB890830) - Microsoft Support. This will remove some variants of Storm, but probably not the newer ones.

After that, do a virus scan with your installed Avast. Make note of any report, and post that report here. If there are pathnames in the report, try uploading each reported file to http://www.virustotal.com/ . If virustotal can identify the malware, then we can do a google for tools.

For a second scan, do an on-line scan from www.kaspersky.com. On a dialup line this may be a problem, as it’s about a 25 meg download, and the scan itself can take an hour or two. The “free virus scan” is in the upper right corner of the Kaspersky web page. It uses ActiveX, and so has to be accessed with Internet Explorer rather than some other browser.

That you’re now having connection problems tells me there is still a command channel in place, probably going thru svchost, and not using port 80. We’re going to need to bottle svchost up so things can be stable.

Ok, first up I am downloading Windows Defender (hope this is good). I have run the Malicious Software Removal Tool in the past and it never caught anything.

I’ve scanned several times with Avast, it claims I’m clean. About the Comodo Script, I ran it but it simply gave loads of errors. Line 2622 Char 2 RPC server unavailable. Then Error 462: Remote server machine does not exist or is unavailable.

I also had Kaspersky from AOL security for the time they had it free. It never caught much. I may try the online scan though when I have the time.

Mean time this Remote Access Dialer is being used to kick me from the internet:

http://img210.imageshack.us/img210/3932/rasoutexefr3.th.jpg

It comes and goes at random. O_o

Weird. The Config Reporting Script doesn’t make use of an RPC server. It just reads the Windows registry, and translates into something readable. Something is messing with it to generate those kinds of errors. That’s not encouraging.

The MSRT got updated about 6 months ago to detect and remove Storm and many of its variants. With some notable success, according to reports I’ve heard. I’m not really expecting anything on detection, but on cleaning. If it can clean even some of the malware modular components, that’s a good thing. I don’t know if Defender has the same capability. Defender won’t hurt, and may help.

The full blown Kaspersky package, which AOL had, isn’t exactly the same as the on-line scanner. All the various antivirus packages look for slightly different things. So what one misses, another may catch, or at least give a hint about. At this stage, hints are a good thing.

I’m getting the sense that the malware is getting into its defensive mode. That means that it’s calling home somehow, getting past CFP, and receiving updates to make things difficult. As I get time today, I’ll work up some CFP rules to try to lock the network traffic down further.

Here’s a quick thought. Find all instances of rasauto* files on your machine, and upload each to virustotal. The machine I’m using has only three files, one exe and one dll in \windows\system32, and one dll in \windows\servicepackfiles\i386. You may have more, and/or the system files may be infected. If virustotal says infected, then the infection name is a google search query.
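An added example (mine, not from the thread) of the rasauto* check above, taken one step further than uploading each file. XP keeps more than one copy of a protected system file: the live one in system32, the Windows File Protection copy in system32\dllcache, and the service pack's copy in ServicePackFiles\i386. Hashing every copy and comparing them is a quick offline test for a tampered binary, and the SHA-256 digests double as what you would look up on VirusTotal. The directory tree the demo builds is constructed in a temp folder to stand in for a real Windows install; on a real machine pass DEFAULT_DIRS instead.

```python
"""Find every rasauto* file, hash each copy, and flag live copies that differ
from the cached copy. Added example; the demo tree is constructed, not real."""
import hashlib
import os
import tempfile
from pathlib import Path

WINDIR = Path(os.environ.get("SystemRoot", r"C:\WINDOWS"))

# Where XP keeps copies of the same system file.
DEFAULT_DIRS = [
    WINDIR / "system32",
    WINDIR / "system32" / "dllcache",
    WINDIR / "ServicePackFiles" / "i386",
]


def sha256_of(path, chunk=1 << 16):
    """SHA-256 hex digest of a file, read in chunks so large binaries are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def find_files(pattern, dirs):
    """All regular files matching a glob pattern in any of the given directories."""
    found = []
    for d in dirs:
        if d.is_dir():
            found.extend(p for p in d.glob(pattern) if p.is_file())
    return found


def integrity_report(pattern, dirs):
    """Group matches by file name and compare digests across the copies.

    Returns {name: {"copies": [(path, digest), ...], "status": str}} where status is
    "consistent" (all copies identical), "MISMATCH" (at least one differs) or
    "single copy" (nothing to compare against).
    """
    by_name = {}
    for p in find_files(pattern, dirs):
        by_name.setdefault(p.name.lower(), []).append((str(p), sha256_of(p)))
    report = {}
    for name, copies in sorted(by_name.items()):
        if len(copies) == 1:
            status = "single copy"
        elif len({d for _, d in copies}) == 1:
            status = "consistent"
        else:
            status = "MISMATCH"
        report[name] = {"copies": copies, "status": status}
    return report


def build_demo_tree():
    """Constructed stand-in for a Windows tree: a patched live exe and an untouched dll."""
    root = Path(tempfile.mkdtemp(prefix="rasauto_demo_"))
    live = root / "system32"
    cache = root / "ServicePackFiles" / "i386"
    live.mkdir(parents=True)
    cache.mkdir(parents=True)
    pristine_exe = b"MZ constructed pristine rasautou.exe body"
    (cache / "rasautou.exe").write_bytes(pristine_exe)
    (live / "rasautou.exe").write_bytes(pristine_exe + b"\x90\x90 constructed patch")
    dll = b"MZ constructed rasauto.dll body"
    (cache / "rasauto.dll").write_bytes(dll)
    (live / "rasauto.dll").write_bytes(dll)
    return [live, cache]


if __name__ == "__main__":
    dirs = DEFAULT_DIRS if any(d.is_dir() for d in DEFAULT_DIRS) else build_demo_tree()
    for name, info in integrity_report("rasauto*", dirs).items():
        print(f"{name}: {info['status']}")
        for path, digest in info["copies"]:
            print(f"    {digest}  {path}")
```

One caveat: the ServicePackFiles copy dates from service pack installation, so a later hotfix that updated the live file will also show as a mismatch. Compare against dllcache first (WFP keeps that current), and treat a mismatch there as the stronger signal.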

It’s been remarkably busy here for a Friday… I did get a chance to work up some rules to lock down svchost.exe a bit more. So, here goes.

In the Application Rules, click on the line for svchost.exe to highlight it, and then move it to the very top first rule. No chance for a rule override there.

It probably has only one rule in place, to allow outbound traffic. What follows will replace that rule. So things can be undone later, the existing rule(s) will be kept, but nothing will be executed. It’ll take advantage of the rule ordering.

The new rules to insert (and I’ll watch the spacing this time)

  1. allow IP Out from IP Any to IP In[12.183.0.0/255.255.0.0] where protocol is any
  2. allow IP Out from IP Any to IP In[224.0.0.0/240.0.0.0] where proto is any
  3. allow IP Out from IP Any to IP In[127.0.0.0/255.0.0.0] where proto is any
  4. allow IP Out from IP Any to IP In[65.52.0.0/255.240.0.0] where proto is any
  5. allow IP Out from IP Any to IP 255.255.255.255 where proto is any
  6. block&log IP Out from IP Any to IP Any where proto is any
    7+ (these are the existing rules which will never be used - see rule 6)

What this will do, is to limit svchost.exe to talking only to your ISP address space (12.183.0.0), localhost (127.0.0.0), any routing and boot special addresses (224.0.0.0 and 255.255.255.255), and Microsoft auto updates (65.52.0.0).

Anything else will get blocked by that rule 6. That should make it very very hard for malware to get out.

Then, change the setting in Firewall → Advanced / Firewall Behavior Settings to be “Custom Policy Mode”

As the malware tries to get out, you’ll probably get a lot of alerts.

If need be, a default application rule can be put in to block anything that doesn’t have explicit rules. I haven’t worked that up yet, and it may not be needed. It depends on what kind of alerts you get, and what the alerts can tell you about where the malware is coming from in pathnames.

Edit: Added the rule needed for Windows auto update to work.
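An added example (mine, not from the thread) that models how CFP walks the six svchost.exe rules above: top to bottom, first match wins, so rule 6 catches everything the allow rules did not. Feeding it a few destinations shows which rule fires and, by re-ordering the list, why the block rule has to stay last. The networks are the ones written in the post; note that a mask of 255.240.0.0 applied to 65.52.0.0 selects 65.48.0.0 through 65.63.255.255, which is what a mask match does regardless of the base address written (the ipaddress module is told strict=False for exactly that reason). The destination addresses in the demo are assumptions for illustration.

```python
"""First-match evaluation of the svchost.exe allow-list from the post.

Added example; it models the rule walk, it is not CFP's own code.
"""
import ipaddress

# (action, base address, dotted mask, what the post says it is for), in post order.
SVCHOST_RULES = [
    ("allow",     "12.183.0.0",      "255.255.0.0",     "ISP address space"),
    ("allow",     "224.0.0.0",       "240.0.0.0",       "multicast / routing"),
    ("allow",     "127.0.0.0",       "255.0.0.0",       "localhost"),
    ("allow",     "65.52.0.0",       "255.240.0.0",     "Microsoft auto update"),
    ("allow",     "255.255.255.255", "255.255.255.255", "limited broadcast"),
    ("block&log", "0.0.0.0",         "0.0.0.0",         "everything else"),
]


def compile_rules(rules):
    """Turn (action, base, mask, note) tuples into (action, IPv4Network, note)."""
    compiled = []
    for action, base, mask, note in rules:
        # strict=False: keep host bits out of the way and use the network the mask selects.
        network = ipaddress.ip_network(f"{base}/{mask}", strict=False)
        compiled.append((action, network, note))
    return compiled


def evaluate(dst_ip, compiled):
    """Return (rule number, action, note) for the first rule matching dst_ip."""
    addr = ipaddress.ip_address(dst_ip)
    for number, (action, network, note) in enumerate(compiled, 1):
        if addr in network:
            return number, action, note
    return None, "no match", "falls through to the firewall's default handling"


def evaluate_many(dst_ips, compiled):
    """{dst_ip: (rule number, action)} for a batch of destinations."""
    return {ip: evaluate(ip, compiled)[:2] for ip in dst_ips}


if __name__ == "__main__":
    # Assumed sample destinations; 67.210.97.77 is the server mentioned later in the thread.
    samples = ["12.183.4.5", "224.0.0.251", "127.0.0.1", "65.55.12.1",
               "255.255.255.255", "8.8.8.8", "67.210.97.77"]
    rules = compile_rules(SVCHOST_RULES)
    for ip in samples:
        number, action, note = evaluate(ip, rules)
        print(f"{ip:<16} -> rule {number}: {action:<9} ({note})")

    # Same rules with the block rule moved to the top: every destination is blocked,
    # which is why the post insists on keeping it as rule 6.
    block_first = compile_rules([SVCHOST_RULES[-1]] + SVCHOST_RULES[:-1])
    print("block rule first:", evaluate_many(samples, block_first))
```

Run it against the destinations you see in the alerts: anything landing on rule 6 is traffic svchost was making that none of the allowed networks cover, and the logged address is the lead to chase.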

Ok… first off… something seems to be really messing with Comodo. Every time I go to add a rule the whole window turns white and I can’t left click on the icon in my taskbar. It usually unlocks after a time, but is causing a great nuisance…

I ran MSRT and it found nothing. Setting Comodo rules now, fingers crossed.
I scanned those files via VirusTotal. This is the only one that found anything: http://www.virustotal.com/analisis/03216be35dbfae3ae543201f69fa9433

I’m seeing if we can’t contact some others who would know something about it too. Some people who know about botnets. :wink:

Even that is more useful data. If it is a Storm variant, then it is one of the newer variants if MSRT didn’t catch it. And it seems to have some kind of defensive ability against CFP v3, which isn’t that old. Which again implies a newer variant. That should narrow the research area a bit. Looks like I’ve got a research hobby this weekend.

Here’s hoping those revised rules for svchost will help. As long as the malware can update itself and has a command channel, it’s going to be much tougher to nail it down. Not impossible, though.

Again, end of my day. I’ll be back tomorrow, at the usual 1800 GMT.

Hello Again,
My Dad started researching “Storm” a bit with us also and says he appreciates all of your expertise.
Our first spyware that we knew of started in 1998/1999 when we had TSADBot and its Dialer connecting to a remote location; turns out this spyware was picked up from a game we purchased from the company e-Games. We also had been using OptOut by Steve Gibson before he turned it over to Lavasoft, but we’ve never seen anything quite like this…

Also, you may find this Wikipedia page of interest on explaining the original botnet:

Also, some information on it here:

And a poisoning technique here:

I think it may be possible to take over the botnets command and control tunnel. If possible I may be able to remove it from my computer and trace back the guy doing it.

BTW: You know anyone that wants to give us a few $$$ and a new hard drive to do a security analysis on this computer? lol. (:LGH)

A couple of more diagnostics to try.

Deckard’s System Scanner, available for download at http://www.techsupportforum.com/sectools/Deckard/dss.exe is a more extensive version of HiJackThis. It will produce two files, a main.txt and an extra.txt. Run the scan, and post both files.

And something a little more esoteric, PrevxCSI Free, which can be downloaded from their web page at http://www.prevx.com/freescan.asp It’s about 600 kbytes in size, and runs in just a couple of minutes. It tends to check things that other scanners don’t check. If it finds something, then post the report back here.

I looked at the VirusTotal report. One entry, saying “Blockreason.0”, which I don’t understand. Nothing else tagged the file as a virus, meaning it’s either a legit file, or something so new that nobody recognizes it (which seems to happen more often these days).

I ran DSS, and uploaded the 3 output files here:
http://rapidshare.com/files/117314736/DSS_Logs.zip.html
Nothing seems overly unusual, I reset my homepage to my ISP instead of google.com. :-\

Anyhow, I ran PrevxCSI it said no detections found on their real time database scanner. :stuck_out_tongue:

I am also trying to get in touch with Steve Gibson and the NetTools guy. A malware like this requires several g33ks input. ;D

Edit: I may head out for a bit of fresh air later this afternoon and take a walk. Meanwhile, I am wondering if you (or some one you know) is able to compile Nepenthes for windows. Check it out here: http://nepenthes.mwcollect.org/

It was able to catch a few botnets, I’m wondering if it could dump any information on ours.

Two things I forgot to mention:
First off PrevxCSI is running in background and keeps trying to update.

And secondly while I was running some nmap tests on that server 67.210.97.77 last night, my ISP had a DoS. It knocked them offline for quite a few hours and my Dial-Up kept saying “All Circuits are busy now”… Just before it happened Remote Access Dialer was detected trying to Launch Remote Access Dialer via Comodo. :stuck_out_tongue:

Edit Again: There may be other tools besides Nepenthes…
http://www.honeynet.org/tools/index.html ← List of them. Just tell me if I should run one of them. :slight_smile:

The Deckard’s log has a couple of anomalies. I’ve been doing some digging trying to make sense of them. What are your H: and Z: drives? There are some registry entries defined for them, and I need some context to make sense of it.

If you read down the page on the Wikipedia entry on Storm, you’ll see that a DDoS attack is one of its defense mechanisms. To properly trace the C&C hosts back, the safest way to do it is physically getting your hands on the machine, and that usually takes law enforcement powers. There are botnet research and investigation efforts underway that do that very thing, with those powers. If you want to get some sense of Storm’s (and its variants’, and competitor botnets’) defensive capabilities, I’ll refer you to this article from last year http://www.networkworld.com/news/2007/102407-storm-worm-security.html

Re PrevxCSI. You can let it update, or kill off the process. Your choice. It may be useful later, so it’d be good to keep it around, for now.

Try this here Norman Malware Cleaner http://download.norman.no/public/Norman_Malware_Cleaner.exe

Also try a-squared Free http://www.emsisoft.com/en/software/download/ and their a-squared HiJackFree http://www.emsisoft.com/en/software/download/

Post a log here if those pick up anything. Also post a log from a-squared if it picks up anything and one from HiJackFree on emsisoft’s forum and let them look at it.

Anyway hope those help.

@grue155: I have MagicISO and virtual drive F:. But to my knowledge there is no drive H: or Z:. ???
I guess I’ll need to contact the FBI to stop the C&C computer though, lol.

Ermm… about those honeypots? What do you think of setting one up, if it infects the virtual computer we will know what was infected and I can send it to some computer forensics lab.

@ghostrider: I have had a-squared before as well. Also, I have run 3 versions of HijackThis. But I guess I’ll give it a go anyhow… thnx for the post.

Edit: Here’s the a-squared log
http://analyze.hijackfree.com/analyze/?id=3ddd797b-5930-41a9-983e-8b7a7decfa2a
“It will stay online for 7days” or so it says. :slight_smile:

I should have picked up on this some time ago…

Upload C:\WINDOWS\SYSTEM32\uniime32.dll to virustotal and see what it is. Google search says you’re the only person on the planet that has one, and that’s a real bad sign for a legit file.

Deckard’s is showing residual entries in your registry for H and Z drives, at the end of the main.txt. There’s also a reference to “portableapps” on G:. Could be a bunch of legit things like USB sticks or network shares. Or it could be bad news.

Honeypots can be very entertaining, but time consuming. From what I’ve seen being used, honeypots work best on a LAN with at least two or three machines (one bait, one monitor, and something as a firewall or packet trap). And then, with the collected data, what to do with that data. There are botnet tracker forums, but I haven’t had the time to follow thru.