Solved

How can some processes run behind the scenes?

Posted on 2006-06-16
383 Views
Last Modified: 2013-11-15
I'm familiar with processes that run as applications and others that run as a service.  I don't understand the gory details involved here but I know that if I want to disable either one, I can usually do so from MSConfig, the registry, or the services console.

But explain to me how a virus like SmitFraud can run underneath these types of processes, or shall we say overtop.  SmitFraud will actually start in safe mode.  It isn't in any of the run or runonce keys and isn't defined as a service in the services.  So where is it?

I did have to deal with this virus the other day and found a removal tool that worked well.  Just wish I could understand where such a process resides.  I believe that some security software and internet content filtering software use this same scheme.  I find them very undetectable, other than the obvious results that show on your screen, if any do.
0
Question by:HKComputer
12 Comments
 
LVL 4

Author Comment

by:HKComputer
ID: 16920769
Does it take a common .DLL found on windows machines and replace it with a new malicious one?  But similar enough to run "as normal", fairly much so!?
0
 
LVL 2

Expert Comment

by:Todd_Bunch
ID: 16921293
yep, it adds itself to that file.
0
 
LVL 32

Accepted Solution

by:r-k
r-k earned 300 total points
ID: 16923046
Yes, many traditional viruses work like that, by modifying legit files. However, there are many other ways as well:

(1) Rootkits: The malware installs a bunch of programs, and a low-level driver that intercepts system calls and modifies them such that those files (and the driver itself) are hidden from view. For example, when you try to look for files with Windows Explorer, it hides the files that are in certain folders. When you look with Msconfig or even Regedit, it hides certain registry entries. The malware becomes "invisible" with all traditional tools. The only ways to detect it are by looking for it after attaching the drive to another clean system, or by special programs like RootkitRevealer.

(2) ActiveX controls and dlls: These are not programs by themselves, but pieces of executable code that are run on demand by other legit programs. As such, you will not find them listed in Task Manager or Msconfig. A popular target is Internet Explorer.

(3) By modifying networking files, such as the Hosts file, or the network dll's, to steer you to Adware web sites.

The fact is that there are well over 50 places in the Registry where malware can get launched from, and the Run and RunOnce keys are just the tip of the iceberg. Msconfig shows only a small fraction. Autoruns from sysinternals.com is much better, but even that can miss some.
0
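Point (3) above, steering a machine to adware sites through the Hosts file, is one of the easier ones to check for. The following is an added example (not from the original answer or from any tool it mentions): it parses a hosts file and flags two kinds of entries that a clean file would not contain, a name mapped to an external address (redirection) and a name other than localhost mapped to loopback (blackholing, often used against security vendors' update servers). The sample file contents and the addresses in it are constructed for this example.

```python
import ipaddress
import re

# Constructed sample hosts file: the first two mappings are the normal
# loopback lines, the rest imitate the kind of entries adware adds.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
# entries below are constructed to look like malicious additions
198.51.100.7    www.google.com
198.51.100.7    windowsupdate.microsoft.com
127.0.0.1       www.symantec.com
127.0.0.1       liveupdate.symantecliveupdate.com
127.0.0.1       www.mcafee.com
"""

# Names that are legitimately mapped to loopback (assumption: adjust per host).
EXPECTED_LOOPBACK = {"localhost", "localhost.localdomain"}
LOOPBACK = {"127.0.0.1", "::1"}

def parse_hosts(text):
    """Yield (address, hostname, line_no) for every mapping in a hosts file."""
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        parts = re.split(r"\s+", line)
        try:
            addr = ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # not an address, so not a mapping line
        for host in parts[1:]:
            yield str(addr), host.lower(), line_no

def find_suspicious(text):
    """Return (line_no, hostname, address, reason) for every entry worth review:
    any non-loopback mapping, and any loopback mapping for an unexpected name."""
    findings = []
    for addr, host, line_no in parse_hosts(text):
        if addr not in LOOPBACK:
            findings.append((line_no, host, addr, "redirected to external address"))
        elif host not in EXPECTED_LOOPBACK:
            findings.append((line_no, host, addr, "name blackholed to loopback"))
    return findings

if __name__ == "__main__":
    for line_no, host, addr, reason in find_suspicious(SAMPLE_HOSTS):
        print(f"line {line_no}: {host} -> {addr}: {reason}")
```

On a real machine, read the contents of %SystemRoot%\System32\drivers\etc\hosts into find_suspicious instead of SAMPLE_HOSTS; a loopback entry for an ad server may be a deliberate block, so treat the loopback findings as a list to review rather than as confirmed infections.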
 
LVL 4

Author Comment

by:HKComputer
ID: 16938926
Am I losing my mind?  A user had posted something on this one about SmitFraud that I'm not seeing now, just before my first comment.  Where did it go?  I happen to have a copy of it in my email although I altered the last line:

*****************************************************************************
Comment from Todd_Bunch
Date: 06/16/2006 07:49AM PDT

Smitfraud is a spyware program that infects the Windows file WININET.DLL with the virus detected as W32/Smitfraud.A.

The infected DLL (Dynamic Link Library) hooks all the calls to the function HttpSendRequest, and as a result the spyware is able to log the web pages accessed by the user and send this information to a server, or download and run a file that installs a so-called antispyware program on the computer, stealthily and without user consent.

This program changes the Windows Desktop to a picture that simulates a Windows fatal error, warning users that they have been affected by Trojan-Spy.HTML.Smitfraud.c. These kinds of messages attempt to trick users into purchasing the fake antispyware program.

Smitfraud is installed in the affected computer by an adware program, detected as CWS.YEXE, which is usually gotten by visiting some adult sites or installing software from file sharing networks.
****************************************************************************


I do have a question yet.  When we talk about an infected dll, I thought a dll is compiled just like an exe.  So does the virus:

(A) Replace the original dll
(B) Dynamically alter the code that exists in the dll, on the fly? (seems impossible)
(C) Install a file that intercepts all calls to a certain dll
0
 
LVL 4

Author Comment

by:HKComputer
ID: 16939097
I appreciate the administrative comment and you are forgiven. :-)

If you feel to further modify this page now, go ahead.
0
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 16939358
Thanks.

Todd_Bunch was informed straightaway after I deleted his post on 06/17/2006 06:53AM PDT

Don't know why he didn't post again with the synopses or the link to his source.
0
 
LVL 32

Assisted Solution

by:r-k
r-k earned 300 total points
ID: 16939967
Yes, I too noticed the original comment was gone, but just thought it was some database problem at EE.

Here is my thought on your most recent question (hoping rpggamergirl does not delete it :))

(A) Replace original dll - This can be done by a virus. It is normally not possible to replace system dll's because they are in use by the system, but some are not, and others can be replaced at boot time by having malware that works in tandem. Since Win/2000, the Windows File Protection (WFP) feature has made it harder to replace system dll's, but it is certainly not impossible.

(B) alter the code that exists in the dll - this is the common way in which viruses used to work, and is still possible, though slightly more tricky because of WFP. Do a search for "code injection" and you'll find plenty of examples. Before the days of fast networks and large updates, most system patches were distributed this way.

(C) Install a file that intercepts all calls to a certain dll - A clear example of this is the following quote from Mark Russinovich (see links below):
"One method used by many root kits to hide malware is to scan a process's import table and replace the references to key system DLL functions with pointers to root kit functions that it implements in its own DLL or that it has written directly into the address space of the process. After a process has been hooked in this manner, known as DLL import hooking,"

So, to summarize, all three of the above are possible, and in fairly wide use. And there are many other tricks in addition to the above three that malware writers are using.

Some links:

WFP: http://support.microsoft.com/?kbid=222193
Article by Mark Russinovich: http://www.windowsitpro.com/Windows/Article/ArticleID/46266/46266.html
0
 
LVL 2

Assisted Solution

by:Todd_Bunch
Todd_Bunch earned 200 total points
ID: 16941871
My most sincere apology for making a post without adding the link. It will not happen again. Being new to this forum and wanting to contribute, I made the mistake of copying and pasting the answer to a problem without giving credit to the source.

This is the link to the source information
http://www.pandasoftware.com/virus_info/encyclopedia/overview.aspx?IdVirus=77495&sind=0

rpggamergirl, I tried to respond to your message but the e-mail was returned.

Thanks
Todd
0
 
LVL 4

Author Comment

by:HKComputer
ID: 16942452
This particular topic is one that fascinates me, but it's so far out of my realm that I didn't really know where to start reading.

What I like about EE is that I can ask a question like this and then without having to read through a whitepaper that is 11 pages long and bores you to tears with details that are above your head, I'm able to get answers from other people who are reading the 11-page whitepapers (and somehow not bored to tears) and I get short but detailed answers to such questions.  It's great!

Thanks to the volunteers at EE.
0
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 16956375
>>rpggamergirl, I tried to respond to your message but the e-mail was returned.<<
I have no idea why it didn't reach me, anyway don't worry about it.


>>I made the mistake of copying and pasting the answer to a problem without giving credit to the source. <<
It happens to many people that are just starting at EE, no harm done.
Please keep on answering Questions and don't be put off because of a little mistake; we all make them.
Your contributions to EE are very much appreciated!
Have fun! :)

HKComputer,
Yes EE is great and thanks to the Experts who volunteer and share their expertise to help the Askers.
Enjoy!
0
 
LVL 32

Expert Comment

by:r-k
ID: 16956404
"I didn't really know where to start reading"

Just noticed this statement. The link by M.Russinovich I posted above is a great place to start.

Another site though maybe a bit technical is http://www.rootkit.com/ though be careful if you download something, it may infect your PC :)
0
