When security firms offer bad advice.

So I’m reading /. and I ran into the following article: http://slashdot.org/article.pl?sid=04/03/17/1942232&mode=nested&tid=126&tid=128&tid=172&tid=185&tid=190&tid=201

In the article is a link to someone known as the “LURQHQ Thread Intelligence Group” who posts this analysis of the “Phatbot” trojan.

I was fascinated by the capabilities of the Trojan, but thought very little of it, until I ran into the following in the alert:

Manual Removal
Look for the following registry keys:

 HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Generic Service Process 
 HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\Generic Service Process 

The associated binary may be srvhost.exe, svrhost.exe or a variation of the same. Kill the associated process in the Task Manager, then remove the “Generic Service Process” registry key. Remove the executable from the Windows system directory.

Here’s the problem.  Windows has an internal component called “svchost.exe”, which is known as the “Generic Host Process for Win32 Services”.  A naive user looking to see if their system is infected with this Trojan would see the 6 or so copies of svchost.exe running on their system and assume that they were infected.

And the next thing they’d do is to kill those processes, just like the advisory says.  Well, what are some of the services they’d be killing?

· AUDIOSRV – the Windows audio service. Kill this and your audio is gone.

· DHCP – the Dynamic Host Configuration Protocol client. Say goodbye to your TCP/IP networking.

· LanmanServer – the file and print server. If you’ve got a networked printer on your machine, nobody’s printing on it any more.

· LanmanWorkstation – the CIFS client. If that one goes, you’re not accessing remote file & print services.

· ShellHWDetection – this blows away autorun.

· Spooler – you’re not printing any more.

And there’s a lot more, those are just the highlights.

One of the more insidious parts of this problem is that even if the user’s machine survives killing all the svchost processes, the next thing the advisory tells the user to do is to delete the file.

But Windows has this really cool feature that’s intended to prevent you from messing up your machine called “Windows File Protection”.  In a nutshell, this feature automatically copies critical system files if they’re deleted or overwritten.  And, you guessed it – svchost.exe is a critical system file.

So here’s the user following the advice from the security company who removes svchost.exe.  And 30 seconds later, the file’s right back where it was!

So what is the ONLY interpretation that they could have?  Remember – they believe that this file is a Trojan horse and it’s endangering their system.  The only interpretation they could possibly have is that the Trojan has somehow REINFECTED their machine.  They try to delete the file again and again and again.  And they never get anywhere.  So they do one of two things:

1) They call Product Support and spend lots of money to discover that there’s no real problem, or…

2) They write up an email about this hideous Trojan horse called svchost.exe that’s installed on their machine that they can’t remove and asking their friends for help.

And thus another JDBGMGR.EXE or SULFNBK.EXE hoax is born.  Only this time the component IS a critical Windows component instead of a relatively minor unused system utility.
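An added example (not from the post or the LURHQ advisory), in PowerShell, of the check the post implies a user should do before killing anything: list each running svchost.exe with its image path and the services it hosts, and look for the advisory’s own registry indicator rather than for a process name. The “Generic Service Process” value name and the two Run keys are taken from the advisory quoted above; the rest is assumed.

```powershell
# Added example, not part of the original post or advisory. Shows what each
# svchost.exe instance actually hosts before anyone considers killing it, and
# checks the advisory's real indicator (a Run/RunServices value) separately.

# The genuine Generic Host Process lives here; anything else with that name
# deserves a closer look (the "svchost.exe in the Windows directory" case).
$systemSvchost = Join-Path $env:SystemRoot 'System32\svchost.exe'

# Map every running service to the process ID that hosts it.
$svcByPid = Get-CimInstance Win32_Service |
    Where-Object { $_.ProcessId -ne 0 } |
    Group-Object ProcessId -AsHashTable -AsString

# One row per svchost instance: path, whether it is the system copy, and the
# services that would die with it (AUDIOSRV, DHCP, Spooler, ...).
Get-Process -Name svchost -ErrorAction SilentlyContinue | ForEach-Object {
    $path   = $_.Path   # $null when the caller lacks rights to read it
    $hosted = $svcByPid["$($_.Id)"] | ForEach-Object Name
    [pscustomobject]@{
        PID      = $_.Id
        Path     = $path
        Legit    = ($path -ieq $systemSvchost)
        Services = ($hosted -join ', ')
    }
} | Format-Table -AutoSize

# The advisory's actual indicator: a "Generic Service Process" value under
# Run or RunServices. Its data is the path of the file the advisory means.
$runKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunServices'
foreach ($key in $runKeys) {
    $val = Get-ItemProperty -Path $key -Name 'Generic Service Process' -ErrorAction SilentlyContinue
    if ($val) {
        'Found {0}\Generic Service Process = {1}' -f $key, $val.'Generic Service Process'
    }
}
```

On a clean machine the second part prints nothing, which is the point: the registry value, not the process name, is what distinguishes the Trojan from the Windows component.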



Comments (7)

  1. Anonymous says:

    not sure this is so bad. The advisory refers to specific registry keys, containing a variation of ‘svrhost.exe’. If you don’t have this key (I believe normal machines don’t) you don’t have the virus. Perhaps they need to clarify that the variation of ‘svrhost’ is not including ‘svchost’, but they don’t actually say to delete ‘svchost’.

    But it’s really far from the jdbgmgr hoax, as you genuinely do have a virus if the steps in their instructions are present on your machine.

    So hoax? I think not

  2. Anonymous says:

    The registry key advice is ok, my heartbeat is with the comment "a variation of the same". As soon as they said those words, svchost.exe becomes a really easy variation on srvhost.exe.

    I’m sure that the trojan’s authors were counting on this confusion actually.

    And the advisory DIDN’T say "not svchost". They said a variation of srvhost.exe. Which means that my mother will be sending me mail to delete that evil virus svchost.exe from my machine sometime soon.

  3. Anonymous says:

    I guess the question is then why are all of these processes (dhcp, lanman, etc) renamed to svchost instead of giving us their true names? Why keep the information hidden?

  4. Anonymous says:

    They’re not. They’re colocated in the same process.

    Instead of taking up one process per service, the services are glommed together into the same process.

    If you have the NT resource kit, you can use the tasklist command to find out what services are running in what process – use "tasklist /svc", it’ll tell you what services are running in what process.

  5. Anonymous says:

    Also, Process Explorer from http://www.sysinternals.com can tell you. A handy near-replacement for the standard Task Manager, with a lot more capabilities. One of the top tools in my toolkit.

  6. Anonymous says:

    Some sneaky trojans *are* using "svchost.exe", but in the windows directory instead of system32. Since task manager doesn’t show the path, it’s hard to tell the difference.

  7. Anonymous says:

    this command is very useful on w2k box

    if the reskit is installed:

    tlist sv*host | find "ine"