Solved

Idle or NOT?!

Posted on 2006-11-10
10
1,031 Views
Last Modified: 2012-05-05
Bottom line: I've been analyzing a hack that appears to be related to WMF/CHM exploits.  While doing so I happened to catch a number of active TCP connections attached to PID 0 (System Idle Process).

I thought "System Idle Process" was, essentially, a placeholder for reflecting 'unused' CPU cycles.  Can someone explain why it would reflect active TCP connections via 'process explorer'?

I don't want to waste time analysing the hack so, if the TCP connections related to PID 0 are 'normal', it would help to know that.

XP PRO SP2 (current).  NIS 2006 (current).  Trojan-hunter (current).  At the time was running TCPVIEW and PROCESS EXPLORER and this was shortly after boot.

Thanks.
0
Comment
Question by:jrs_50
10 Comments
 
LVL 86

Expert Comment

by:jkr
ID: 17917458
Technically, the 'System Idle Process' is a process: Windows' process table has an EPROCESS entry for it which is referenced via the 'PsIdleProcess' kernel variable. It has to be one, since the scheduler needs to be able to switch to it, even though the only thing that this process executes is the 'HLT' instruction. See also http://download.microsoft.com/download/5/b/3/5b38800c-ba6e-4023-9078-6e9ce2383e65/C06X1116607.pdf ("Microsoft Windows Internals, Fourth Edition"), chapter "Process Internals"
0
 
LVL 4

Author Comment

by:jrs_50
ID: 17917567
Thanks.  BUT I already knew it was a 'process'.  What I am TRYING to understand is why it would reflect active TCP connections.  You are correct, in a sense, that AS a process it CAN do things.  On the other hand, it doesn't seem reasonable to me that it would do much other than act as an IDLE placeholder.
0
 
LVL 86

Expert Comment

by:jkr
ID: 17917698
Since it is a process, there is the chance to inject any kind of code into its address space (yet that is not trivial in this case). Another possibility would be that a rootkit manipulates the information you see and the connections in fact belong to a different process.
0
 
LVL 4

Author Comment

by:jrs_50
ID: 17917840
As I mentioned; I AM dealing with an active hacking scenario.  Not detected by any of the major/minor virus/spyware/trojan/rootkit scanners (including spyware doctor which SAYS it can detect CHM related malware - and I'm fairly convinced at this point that a CHM exploit is, at least, part of the problem).

Are you agreeing with me that, in effect and without regard to the how/why, the active TCP connections reflected as being attached to PID 0 are, in fact, NOT 'normal'?

I'm wondering if it could, somehow, be related to Norton/Symantec liveupdate but so far as I can determine LU was completed at the point I noted the problem and I did not note the problem while LU was running which was about a minute prior.
0
 
LVL 86

Assisted Solution

by:jkr
jkr earned 200 total points
ID: 17917904
>>As I mentioned; I AM dealing with an active hacking scenario.

That was clear ;o)

>>Are you agreeing with me that, in effect and without regard to the how/why, the active TCP connections
>>reflected as being attached to PID 0 are, in fact, NOT 'normal'?

I'd even say that this is quite unusual and quite amazing. I'd however check for rootkit activity to be sure that PID 0 was responsible for that behaviour.
0
 
LVL 4

Author Comment

by:jrs_50
ID: 17918144
Understood.

Interestingly; returning to my desktop after closing out of IE I ran process explorer again to check properties on PID 0.  A few seconds later PID 0 reflected TCP connections (EE amongst them).  I'm wondering, now, whether or not this might, somehow, be tied to the final closing of the ports.  Although, I can't quite picture any 'normal logic' to that scenario.  I would think that would be handled by svchost or something OTHER than PID 0.  Or; as suspected SOMETHING (rootkit or otherwise) is 'distorting' the information/process.

I'm going to leave this question open for a bit to see if anyone else checks in with thoughts on it.  But, it is helpful to know I'm not the only one who finds the situation 'unusual and amazing'.  Thanks for the input.  I may not check back this evening.  I've got to disconnect from the net to pursue some other analysis.  I will, however, check back soon.  
0
 
LVL 15

Accepted Solution

by:venom96737
venom96737 earned 300 total points
ID: 17921209

In some rare circumstances, Windows XP doesn't clean up all its sockets correctly after an application has closed. This has the effect of Port Explorer or Process Explorer showing a socket with an asterisk and no filename because the application is closed, yet Windows XP is reporting that the closed application owns the socket(s). Usually after your internet connection has been disconnected the 'blank' socket(s) will be cleaned up by Windows XP. It's a Windows XP issue. To check this, whenever you see a blank socket go to your command prompt and type "netstat -ano" (without quotes). You should see the sockets which have the same PID as the blank sockets in Port Explorer. If you look in Windows Task Manager (Ctrl+Alt+Delete | Task Manager) you will see no process that has the PID that netstat and Port Explorer / Process Explorer report.

In other words, XP has a problem cleaning up its sockets and it will show that a blank or PID 0 is using it when in all actuality it is not.
0
 
LVL 4

Author Comment

by:jrs_50
ID: 17921868
I didn't think of the 'n' and had this available from an 'ao' from this AM.  I modified a bit for security purposes but the following is essentially complete.  Am I understanding you correctly that this is, if not normal, at least reasonable?  I don't have the corresponding image from process explorer but, basically, process explorer would reflect the '0' connections on the System Idle Process properties view with the same LA/FA info.

Active Connections

  Proto  Local Address            Foreign Address               State           PID
  TCP    cot:epmap                cot:0                         LISTENING       876
  TCP    cot:microsoft-ds         cottage-lt-1:0                LISTENING       4
  TCP    cot:1025                 cot:0                         LISTENING       1608
  TCP    cot:1025                 localhost:1039                TIME_WAIT       0
  TCP    cot:1025                 localhost:1041                TIME_WAIT       0
  TCP    cot:1025                 localhost:1043                TIME_WAIT       0
  TCP    cot:1025                 localhost:1049                TIME_WAIT       0
  TCP    cot:1025                 localhost:1053                TIME_WAIT       0
  TCP    cot:1025                 localhost:1055                TIME_WAIT       0
  TCP    cot:1025                 localhost:1057                TIME_WAIT       0
  TCP    cot:1025                 localhost:1059                TIME_WAIT       0
  TCP    cot:1025                 localhost:1067                TIME_WAIT       0
  TCP    cot:1025                 localhost:1071                TIME_WAIT       0
  TCP    cot:1025                 localhost:1079                TIME_WAIT       0
  TCP    cot:1025                 localhost:1081                TIME_WAIT       0
  TCP    cot:1025                 localhost:1083                TIME_WAIT       0
  TCP    cot:1027                 cot:0                         LISTENING       2012
  TCP    cot:1028                 cot:0                         LISTENING       2440
  TCP    cot:netbios-ssn          cot:0                         LISTENING       4
  TCP    cot:1038                 xxx-akamai-39.xxxi.net:http   TIME_WAIT       0
  UDP    cot:microsoft-ds         *:*                                           4
  UDP    cot:isakmp               *:*                                           632
  UDP    cot:1029                 *:*                                           1036
  UDP    cot:4500                 *:*                                           632
  UDP    cot:ntp                  *:*                                           960
  UDP    cot:ntp                  *:*                                           960
  UDP    cot:netbios-ns           *:*                                           4
  UDP    cot:netbios-dgm          *:*                                           4

Incidentally, until yesterday (after taking some steps to alter the hack/malware/spyware/whatever activity) netstat was not reporting connections, NIS was only reporting some (still true), and I was using process explorer because it, at least seemed reasonable if I picked the right process.  Finding the connections on System Idle was actually accidental.  With everything else I've been dealing with you might understand that, not expecting to see connections on System Idle I NEED some clarification.  It still seems 'odd' to me that the sockets are fairly consistently 'not cleaned up correctly' but I can understand PE attaching the info to the 'relevant' PID even though it isn't 'relevant'.  

As long as the info has been posted anyway, does anyone see anything else 'odd' besides the PID 0?

Thanks for the feedback.
0
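The check venom96737 describes (run "netstat -ano", then see whether the PID netstat reports actually exists in Task Manager) can be automated. The script below is an added example, not code from the thread or from any of the tools mentioned. It parses the netstat listing jrs_50 posted above (hostnames already obscured by the poster) and applies the thread's reasoning: a PID 0 socket in TIME_WAIT is an orphan whose owner has exited and which XP has not reclaimed yet, whereas PID 0 on a LISTENING or ESTABLISHED socket, or a PID that is not in the live process list, is the case jkr says warrants a rootkit check. The set of running PIDs is constructed, since the thread contains no task list.

```python
import re
from collections import Counter

# netstat -ano listing from the thread above (the poster obscured the hostnames).
NETSTAT_OUTPUT = """\
Active Connections

  Proto  Local Address            Foreign Address               State           PID
  TCP    cot:epmap                cot:0                         LISTENING       876
  TCP    cot:microsoft-ds         cottage-lt-1:0                LISTENING       4
  TCP    cot:1025                 cot:0                         LISTENING       1608
  TCP    cot:1025                 localhost:1039                TIME_WAIT       0
  TCP    cot:1025                 localhost:1041                TIME_WAIT       0
  TCP    cot:1025                 localhost:1043                TIME_WAIT       0
  TCP    cot:1025                 localhost:1049                TIME_WAIT       0
  TCP    cot:1025                 localhost:1053                TIME_WAIT       0
  TCP    cot:1025                 localhost:1055                TIME_WAIT       0
  TCP    cot:1025                 localhost:1057                TIME_WAIT       0
  TCP    cot:1025                 localhost:1059                TIME_WAIT       0
  TCP    cot:1025                 localhost:1067                TIME_WAIT       0
  TCP    cot:1025                 localhost:1071                TIME_WAIT       0
  TCP    cot:1025                 localhost:1079                TIME_WAIT       0
  TCP    cot:1025                 localhost:1081                TIME_WAIT       0
  TCP    cot:1025                 localhost:1083                TIME_WAIT       0
  TCP    cot:1027                 cot:0                         LISTENING       2012
  TCP    cot:1028                 cot:0                         LISTENING       2440
  TCP    cot:netbios-ssn          cot:0                         LISTENING       4
  TCP    cot:1038                 xxx-akamai-39.xxxi.net:http   TIME_WAIT       0
  UDP    cot:microsoft-ds         *:*                                           4
  UDP    cot:isakmp               *:*                                           632
  UDP    cot:1029                 *:*                                           1036
  UDP    cot:4500                 *:*                                           632
  UDP    cot:ntp                  *:*                                           960
  UDP    cot:ntp                  *:*                                           960
  UDP    cot:netbios-ns           *:*                                           4
  UDP    cot:netbios-dgm          *:*                                           4
"""

# Constructed: the PIDs a task list would have shown as running at the time.
# The thread includes no task list, so this set is an assumption for the example.
RUNNING_PIDS = {4, 632, 876, 960, 1036, 1608, 2012, 2440}

# TCP rows carry a State column, UDP rows do not; the PID is always the last field.
ROW_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:([A-Z_]+)\s+)?(\d+)\s*$")


def parse_netstat(text):
    """Return one dict per socket row; the header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue
        proto, local, foreign, state, pid = m.groups()
        rows.append({"proto": proto, "local": local, "foreign": foreign,
                     "state": state or "", "pid": int(pid)})
    return rows


def classify(row, running_pids):
    """Label a socket row according to the thread's reasoning."""
    if row["pid"] == 0:
        if row["state"] == "TIME_WAIT":
            # Owner already exited and XP has not reclaimed the socket: expected.
            return "orphan_time_wait"
        # A live (listening/established) socket with no owner is the case to
        # verify with a rootkit check rather than accept as an XP quirk.
        return "pid0_live_socket"
    if row["pid"] not in running_pids:
        # netstat names an owner that the task list does not show.
        return "owner_not_running"
    return "owned"


def summarize(text, running_pids):
    """Count rows per label, the at-a-glance view a responder wants first."""
    return Counter(classify(r, running_pids) for r in parse_netstat(text))


def local_port(addr):
    return addr.rsplit(":", 1)[1]


def orphan_listeners(rows):
    """Map each orphaned TIME_WAIT socket's local port to the PID listening on it.

    Heuristic: if a live process LISTENs on the same local port, the orphan was
    most likely an accepted connection to that service. None means the local
    port is ephemeral (an outbound client connection), so the former owner
    cannot be inferred from this listing alone."""
    listeners = {local_port(r["local"]): r["pid"]
                 for r in rows if r["state"] == "LISTENING"}
    return {local_port(r["local"]): listeners.get(local_port(r["local"]))
            for r in rows if r["pid"] == 0 and r["state"] == "TIME_WAIT"}


if __name__ == "__main__":
    rows = parse_netstat(NETSTAT_OUTPUT)
    for label, count in sorted(summarize(NETSTAT_OUTPUT, RUNNING_PIDS).items()):
        print(f"{label:20s} {count}")
    print(orphan_listeners(rows))
```

On the posted listing every PID 0 entry is in TIME_WAIT, and thirteen of the fourteen share local port 1025, which PID 1608 is still listening on, so they read as closed loopback connections to that service; the remaining one (local port 1038 to an Akamai host on http) was an outbound client socket whose owner has exited. A PID 0 entry in any other state would be reported under pid0_live_socket and is the case to chase with a rootkit check.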
 
LVL 4

Author Comment

by:jrs_50
ID: 17981173
Sorry for the delay.  Was reinstalling.  Got re-hacked. :=(

Thanks for the feedback.
0
 

Expert Comment

by:srivijayagoru
ID: 20686832
This is a normal report for the TIME_WAIT state: "The TIME_WAIT state is a state that all the TCP connections enter into when the connection has been closed". It has stopped being displayed against its original process, which might well have exited, and shows against PID 0.
0
