How can some processes run behind the scenes?

Posted on 2006-06-16
Medium Priority
Last Modified: 2013-11-15
I'm familiar with processes that run as applications and others that run as a service.  I don't understand the gory details involved here but I know that if I want to disable either one, I can usually do so from MSConfig, the registry, or the services console.

But explain to me how a virus like SmitFraud can run underneath these types of processes, or shall we say over top.  SmitFraud will actually start in safe mode.  It isn't in any of the run or runonce keys and isn't defined as a service in the services console.  So where is it?

I did have to deal with this virus the other day and found a removal tool that worked well.  Just wish I could understand where such a process resides.  I believe that some security software and internet content filtering software use this same scheme.  I find them very undetectable, other than the obvious results that show on your screen, if any do.
Question by:HKComputer
Author Comment

ID: 16920769
Does it take a common .DLL found on Windows machines and replace it with a new malicious one?  But similar enough to run "as normal", fairly much so!?

Expert Comment

ID: 16921293
yep, it adds itself to that file.
LVL 32

Accepted Solution

r-k earned 1200 total points
ID: 16923046
Yes, many traditional viruses work like that, by modifying legit files. However, there are many other ways as well:

(1) Rootkits: The malware installs a bunch of programs, and a low-level driver that intercepts system calls and modifies them such that those files (and the driver itself) are hidden from view. For example, when you try to look for files with Windows Explorer, it hides the files that are in certain folders. When you look with Msconfig or even Regedit, it hides certain registry entries. The malware becomes "invisible" with all traditional tools. The only ways to detect it are by looking for it after attaching the drive to another clean system, or by special programs like RootkitRevealer.

(2) ActiveX controls and dlls: These are not programs by themselves, but pieces of executable code that are run on demand by other legit programs. As such, you will not find them listed in Task Manager or Msconfig. A popular target is Internet Explorer.

(3) By modifying networking files, such as the Hosts file, or the network DLLs, to steer you to adware web sites.

The fact is that there are well over 50 places in the Registry where malware can get launched from, and the Run and RunOnce keys are just the tip of the iceberg. Msconfig shows only a small fraction. Autoruns from sysinternals.com is much better, but even that can miss some.
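The answer above lists autostart locations, DLLs loaded by legitimate programs, and hosts-file tampering as the places to look. The script below is an added example, not code from the thread or from any tool it names: it walks a sample of the Windows autostart locations beyond Run/RunOnce (Winlogon Shell/Userinit, AppInit_DLLs, shell hooks, IE Browser Helper Objects, services and the ServiceDll that svchost.exe actually loads), flags each target that is missing, unsigned, or outside the Windows/Program Files trees, lists what is allowed to start in Safe Mode, and dumps non-default hosts entries. It assumes a Windows host with PowerShell 5+ run from an elevated prompt; the key list is a sample, and Sysinternals Autoruns covers far more locations than this.

```powershell
# Added example, not from the thread or any tool it names. Walks a sample of Windows
# autostart locations beyond Run/RunOnce (Winlogon, AppInit_DLLs, shell hooks, IE Browser
# Helper Objects, services and svchost ServiceDll values, SafeBoot) and flags targets that
# are missing, unsigned, or outside the Windows/Program Files trees. Assumes Windows with
# PowerShell 5+ from an elevated prompt. The key list is a sample: Autoruns covers far more.
$asepKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon',      # Shell, Userinit
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows',       # AppInit_DLLs
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad'
)
$trustedRoots = @($env:SystemRoot, ${env:ProgramFiles}, ${env:ProgramFiles(x86)}) | Where-Object { $_ }

# Turn a registry command string ("%SystemRoot%\system32\foo.exe -k bar", "\??\C:\x.sys",
# "System32\drivers\x.sys", "explorer.exe") into a file path. An unquoted path with spaces
# is cut at the first space; that ambiguity is itself a finding (unquoted service paths).
function Resolve-ImagePath {
    param([string]$Command)
    if ([string]::IsNullOrWhiteSpace($Command)) { return $null }
    $c = [Environment]::ExpandEnvironmentVariables($Command.Trim())
    if ($c -match '^"([^"]+)"') { $p = $Matches[1] } else { $p = ($c -split '[ ,]')[0] }
    $p = $p -replace '^\\\?\?\\', ''                      # NT object-manager prefix
    $p = $p -replace '^\\SystemRoot\\', "$env:SystemRoot\"
    if (-not [IO.Path]::IsPathRooted($p)) {
        if ($p -match '\\') { $p = Join-Path $env:SystemRoot $p }   # e.g. System32\drivers\x.sys
        else { $hit = Get-Command $p -ErrorAction SilentlyContinue; if ($hit) { $p = $hit.Path } }
    }
    return $p
}

function Test-AutorunEntry {
    param([string]$Location, [string]$Name, [string]$Command)
    $path = Resolve-ImagePath $Command
    $flags = @()
    if (-not $path -or -not (Test-Path -LiteralPath $path)) { $flags += 'file-missing' }
    else {
        # Catalog-signed OS files show NotSigned on older Windows: a "look closer", not proof.
        $sig = Get-AuthenticodeSignature -FilePath $path
        if ($sig.Status -ne 'Valid') { $flags += "sig:$($sig.Status)" }
        if (-not ($trustedRoots | Where-Object { $path -like "$_\*" })) { $flags += 'unusual-path' }
    }
    [pscustomobject]@{ Location = $Location; Name = $Name; Command = $Command; Path = $path; Flags = ($flags -join ',') }
}

$results = @(foreach ($key in $asepKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($p.Name -like 'PS*' -or $p.Value -isnot [string]) { continue }   # PSPath etc., DWORDs
        # AppInit_DLLs and Userinit hold comma-separated lists; check each element that names a binary.
        foreach ($cmd in ([Environment]::ExpandEnvironmentVariables($p.Value) -split '\s*,\s*')) {
            if ($cmd -match '\.(exe|dll|sys|scr|cmd|bat)\b') { Test-AutorunEntry $key $p.Name $cmd }
        }
    }
})

# IE Browser Helper Objects: subkey name is a CLSID; the DLL sits in HKCR\CLSID\{..}\InprocServer32.
$bhoRoot = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
if (Test-Path $bhoRoot) {
    $results += foreach ($clsid in (Get-ChildItem -Path $bhoRoot).PSChildName) {
        $srv = Get-ItemProperty -Path "HKLM:\SOFTWARE\Classes\CLSID\$clsid\InprocServer32" -ErrorAction SilentlyContinue
        if ($srv) { Test-AutorunEntry "BHO $clsid" 'InprocServer32' $srv.'(default)' }
    }
}

# Services and drivers: ImagePath, plus the DLL svchost.exe actually loads for a hosted service.
$results += foreach ($svc in Get-ChildItem -Path 'HKLM:\SYSTEM\CurrentControlSet\Services' -ErrorAction SilentlyContinue) {
    $props = Get-ItemProperty -Path $svc.PSPath -ErrorAction SilentlyContinue
    if ($props.ImagePath) { Test-AutorunEntry "Service $($svc.PSChildName)" 'ImagePath' $props.ImagePath }
    $dll = (Get-ItemProperty -Path "$($svc.PSPath)\Parameters" -ErrorAction SilentlyContinue).ServiceDll
    if ($dll) { Test-AutorunEntry "Service $($svc.PSChildName)" 'ServiceDll' $dll }
}
$results | Where-Object { $_.Flags } | Sort-Object Location | Format-Table -AutoSize

# Safe Mode: only services/drivers listed here start in safe mode, so an entry absent from a
# clean reference machine explains how malware keeps running after a safe-mode boot.
$(foreach ($mode in 'Minimal', 'Network') {
    Get-ChildItem -Path "HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\$mode" | ForEach-Object {
        [pscustomobject]@{ Mode = $mode; Entry = $_.PSChildName; Type = (Get-ItemProperty -Path $_.PSPath).'(default)' }
    }
}) | Format-Table -AutoSize

# Hosts file: anything beyond the default localhost lines is a redirect that needs explaining.
Get-Content -Path "$env:SystemRoot\System32\drivers\etc\hosts" |
    Where-Object { $_ -match '^\s*[0-9a-fA-F:.]+\s+\S' -and $_ -notmatch '^\s*(127\.0\.0\.1|::1)\s+localhost\b' }
```

Expect noise: the Services walk touches several hundred keys and signature checks are slow, and on Windows 7 many catalog-signed OS binaries report NotSigned. The useful output is the diff between this listing and the same listing from a known-clean machine, which is also the only way the SafeBoot section tells you anything. A kernel rootkit of the kind described in point (1) can lie to every registry and file call this script makes, so a clean result here rules out the easy cases, not the hard one.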

Author Comment

ID: 16938926
Am I losing my mind?  A user had posted something on this one about SmitFraud that I'm not seeing now, just before my first comment.  Where did it go?  I happen to have a copy of it in my email although I altered the last line:

Comment from Todd_Bunch
Date: 06/16/2006 07:49AM PDT

Smitfraud is a spyware program that infects the Windows file WININET.DLL with the virus detected as W32/Smitfraud.A.

The infected DLL (Dynamic Link Library) hooks all the calls to the function HttpSendRequest, and as a result the spyware is able to log the web pages accessed by the user and send this information to a server, or download and run a file that installs a so-called antispyware program on the computer, stealthily and without user consent.

This program changes the Windows Desktop to a picture that simulates a Windows fatal error, warning users that they have been affected by Trojan-Spy.HTML.Smitfraud.c. These kind of messages attempt to trick users into purchasing the fake antispyware program.

Smitfraud is installed in the affected computer by an adware program, detected as CWS.YEXE, which is usually gotten by visiting some adult sites or installing software from file sharing networks.

I do have a question yet.  When we talk about an infected dll, I thought a dll is compiled just like an exe.  So does the virus:

(A) Replace the original dll
(B) Dynamically alter the code that exists in the dll, on the fly? (seems impossible)
(C) Install a file that intercepts all calls to a certain dll

Author Comment

ID: 16939097
I appreciate the administrative comment and you are forgiven. :-)

If you feel to further modify this page now, go ahead.
LVL 47

Expert Comment

ID: 16939358

Todd_Bunch was informed straightaway after I deleted his post on 06/17/2006 06:53AM PDT

Don't know why he didn't post again with the synopses or the link to his source.
LVL 32

Assisted Solution

r-k earned 1200 total points
ID: 16939967
Yes, I too noticed the original comment was gone, but just thought it was some database problem at EE.

Here is my thought on your most recent question (hoping rpggamergirl does not delete it :))

(A) Replace original dll - This can be done by a virus. It is normally not possible to replace system DLLs because they are in use by the system, but some are not, and others can be replaced at boot time by having malware that works in tandem. Since Win/2000, the Windows File Protection (WFP) feature has made it harder to replace system DLLs, but it is certainly not impossible.

(B) alter the code that exists in the dll - this is the common way in which viruses used to work, and is still possible, though slightly more tricky because of WFP. Do a search for "code injection" and you'll find plenty of examples. Before the days of fast networks and large updates, most system patches were distributed this way.

(C) Install a file that intercepts all calls to a certain dll - A clear example of this is the following quote from Mark Russinovich (see links below):
"One method used by many root kits to hide malware is to scan a process's import table and replace the references to key system DLL functions with pointers to root kit functions that it implements in its own DLL or that it has written directly into the address space of the process. After a process has been hooked in this manner, known as DLL import hooking,"

So, to summarize, all three of the above are possible, and in fairly wide use. And there are many other tricks in addition to the above three that malware writers are using.

Some links:

WFP: http://support.microsoft.com/?kbid=222193
Article by Mark Russinovich: http://www.windowsitpro.com/Windows/Article/ArticleID/46266/46266.html
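Of the three mechanisms above, (A) and the DLL half of (C) leave a file on disk that a legitimate process then loads, and that is checkable from user mode. The script below is an added example, not code from the thread, from Mark Russinovich's article, or from any tool named on the page: for a set of commonly targeted processes it lists every loaded module whose on-disk image is unsigned or lives outside the Windows/Program Files trees, with signer and hash so a copy such as wininet.dll can be compared against a clean reference. It assumes Windows with PowerShell 5+, run elevated and with the same bitness as the processes it inspects; the process list is an assumption, not something the thread specifies.

```powershell
# Added example, not from the thread. Lists loaded modules that are unsigned or outside the
# Windows/Program Files trees for commonly targeted processes. Surfaces case (A), a system DLL
# replaced on disk by an unsigned copy, and the DLL half of case (C), a hook DLL loaded into a
# legitimate process. Patches made only in memory (case B, or IAT entries overwritten in the
# process) never touch disk and are invisible here. Assumes Windows, PowerShell 5+, elevated,
# same bitness as the targets. The default process list is an assumption for illustration.
function Get-SuspiciousModule {
    param([string[]]$ProcessName = @('explorer', 'iexplore', 'svchost', 'winlogon', 'lsass'))
    $trustedRoots = @($env:SystemRoot, ${env:ProgramFiles}, ${env:ProgramFiles(x86)}) | Where-Object { $_ }
    $seen = @{}
    foreach ($proc in Get-Process -Name $ProcessName -ErrorAction SilentlyContinue) {
        $mods = @()
        try { $mods = $proc.Modules } catch { }      # access denied or 32/64-bit mismatch throws
        foreach ($m in $mods) {
            $file = $m.FileName
            if (-not $file -or $seen.ContainsKey($file)) { continue }   # report each image once
            $seen[$file] = $true
            $sig = Get-AuthenticodeSignature -FilePath $file
            $inTrusted = [bool]($trustedRoots | Where-Object { $file -like "$_\*" })
            if ($sig.Status -eq 'Valid' -and $inTrusted) { continue }
            $signer = ''
            if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
            [pscustomobject]@{
                Process = "$($proc.ProcessName):$($proc.Id)"
                Module  = $file
                Status  = $sig.Status          # NotSigned, HashMismatch, UnknownError, ...
                Signer  = $signer
                SHA256  = (Get-FileHash -Path $file -Algorithm SHA256).Hash
            }
        }
    }
}
Get-SuspiciousModule | Format-Table -AutoSize
```

A HashMismatch on a system DLL is the replaced-file case (A) caught directly; an unsigned DLL under a user profile or temp directory loaded into explorer.exe or iexplore.exe is the hook-DLL case (C). On Vista and later, `sfc /verifyonly` is the WFP successor check for the same system files. What this cannot see is the import-hooking Russinovich describes when the hook code is written straight into the process: verifying that needs a memory-side walk of each module's import table, comparing every slot against the export address of the DLL it names, which is the territory of RootkitRevealer-class tools rather than a shell script.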

Assisted Solution

Todd_Bunch earned 800 total points
ID: 16941871
My most sincere apology for making a post without adding the link. It will not happen again, being new to this forum and wanting to contribute I made the mistake of copying and pasting the answer to a problem without giving credit to the source.

This is the link to the source information

rpggamergirl, I tried to respond to your message but the e-mail was returned.


Author Comment

ID: 16942452
This particular topic is one that fascinates me, but it's so far out of my realm that I didn't really know where to start reading.

What I like about EE is that I can ask a question like this and then without having to read through a whitepaper that is 11 pages long and bores you to tears with details that are above your head, I'm able to get answers from other people who are reading the 11-page whitepapers (and somehow not bored to tears) and I get short but detailed answers to such questions.  It's great!

Thanks to the volunteers at EE.
LVL 47

Expert Comment

ID: 16956375
>>rpggamergirl, I tried to respond to your message but the e-mail was returned.<<
I have no idea why it didn't reach me, anyway don't worry about it.

>>I made the mistake of copying and pasting the answer to a problem without giving credit to the source. <<
It happens to many people that are just starting at EE, no harm done.
Please keep on answering Questions and don't be put off because of a little mistake, we all make them.
Your contributions to EE are very much appreciated!
Have fun! :)

Yes EE is great and thanks to the Experts who volunteer and share their expertise to help the Askers.
LVL 32

Expert Comment

ID: 16956404
"I didn't really know where to start reading"

Just noticed this statement. The link by M.Russinovich I posted above is a great place to start.

Another site though maybe a bit technical is http://www.rootkit.com/ though be careful if you download something, it may infect your PC :)
