Exetools  

Go Back   Exetools > General > General Discussion

Notices

Reply
 
Thread Tools Display Modes
  #1  
Old 09-23-2014, 22:33
Kerlingen Kerlingen is offline
VIP
 
Join Date: Feb 2011
Posts: 324
Rept. Given: 0
Rept. Rcvd 276 Times in 98 Posts
Thanks Given: 0
Thanks Rcvd at 308 Times in 95 Posts
Kerlingen Reputation: 200-299 Kerlingen Reputation: 200-299 Kerlingen Reputation: 200-299
Firewall leak problem

I'm having a problem with a program that is able to bypass my firewall without asking for permission first. Well, not the program is the problem, but the fact that probably any malware could do it the same way.

First some basics:
The program comes as x86 and x64 version.
The program can be installed, but also runs as "portable" software.
The program does not need admin privileges to run or to bypass the firewall.
Every version is able to connect by HTTP port 80 to a webserver located on the internet.

Now the story:
I was running the program and used "check for updates" from the help menu. It told me "you're running the latest version". I was confused, since my firewall didn't pop up and ask me if I wish to allow internet access to the program.

Then I started my network monitor and did the update check again. I could clearly see a connection to port 80, HTTP protocol, requesting "/update.php" and a response from the server with the current version number.

Then I fired up my connection monitor, tried again and found out that the connection is made by the file "svchost.exe". I thought of some trojan using the same name, but it turned out that the real Windows service was the one which initiated the connection.

Since "svchost.exe" acts a proxy for many different services, I checked the process ID which had initiated the connection and ended up at "ProfSvc", the User Profile Service.

Since this is an essential Windows service which you cannot turn off and which you cannot deny network access to without crippling your system I'm now stuck.

Does anybody know how you can access the internet with the help from this service and how to prevent it?

Like I said before, a legitimate software is using this way to check for updates, it's not a trojan hourse or something like that.
Reply With Quote
  #2  
Old 09-24-2014, 00:44
The Old Pirate The Old Pirate is offline
Family
 
Join Date: Sep 2005
Posts: 120
Rept. Given: 51
Rept. Rcvd 73 Times in 22 Posts
Thanks Given: 9
Thanks Rcvd at 18 Times in 10 Posts
The Old Pirate Reputation: 73
First thought that came to my mind was that the program might be using BITS (Background Intelligent Transfer Service).

Are you sure about ProfSvc?
__________________

http://youtu.be/H0QfVDebLFg

Last edited by The Old Pirate; 09-24-2014 at 01:28.
Reply With Quote
  #3  
Old 09-24-2014, 01:27
SubzEro
 
Posts: n/a
look here

Reply With Quote
  #4  
Old 09-24-2014, 01:43
Conquest Conquest is offline
Friend
 
Join Date: Jan 2013
Location: 0x484F4D45
Posts: 125
Rept. Given: 46
Rept. Rcvd 29 Times in 17 Posts
Thanks Given: 31
Thanks Rcvd at 60 Times in 29 Posts
Conquest Reputation: 29
Edit HOSTS file in windows and add the IP to localhost . you are done .
Reply With Quote
  #5  
Old 09-24-2014, 02:14
Kerlingen Kerlingen is offline
VIP
 
Join Date: Feb 2011
Posts: 324
Rept. Given: 0
Rept. Rcvd 276 Times in 98 Posts
Thanks Given: 0
Thanks Rcvd at 308 Times in 95 Posts
Kerlingen Reputation: 200-299 Kerlingen Reputation: 200-299 Kerlingen Reputation: 200-299
I'm not trying to block this software. That's one of the reasons I didn't name the software here. This software is legitimate and I would have allowed it internet access if my firewall asked for it. Or why should I willingly click on "check for updates" if I didn't want it to access the internet?

I'm trying to block any other (possible malicious) software from using the same approach to access the internet, since obviously my firewall would allow any other traffic using this method without asking me.

@The Old Pirate:
I checked the Thread-ID, unless something was showing up wrong only ProfSvc had an active connection to the IP address.
Reply With Quote
  #6  
Old 09-24-2014, 03:26
Conquest Conquest is offline
Friend
 
Join Date: Jan 2013
Location: 0x484F4D45
Posts: 125
Rept. Given: 46
Rept. Rcvd 29 Times in 17 Posts
Thanks Given: 31
Thanks Rcvd at 60 Times in 29 Posts
Conquest Reputation: 29
My bad . this may not be an exact answer but i hope these docs will help you

http://www.nirsoft.net/dll_information/windows8/profsvc_dll.html

http://www.bleepingcomputer.com/tutorials/how-malware-hides-as-a-service/

Since you said ProfSvc.dll is initiating the connection , all that comes to my mind is a compromised dll or hooked one . I dont see any reason for windows dlls to connect to 3rd party software and aid them in updating .

More details or exact behavior will help in determining the problem. i will suggest you to use an api logger to check the program behavior .
Reply With Quote
The Following User Gave Reputation+1 to Conquest For This Useful Post:
niculaita (09-26-2014)
  #7  
Old 10-19-2014, 23:48
ArC ArC is offline
VIP
 
Join Date: Jan 2003
Location: NTOSKRNL.EXE
Posts: 172
Rept. Given: 0
Rept. Rcvd 1 Time in 1 Post
Thanks Given: 5
Thanks Rcvd at 17 Times in 12 Posts
ArC Reputation: 1
Does the binary of the application in question happen to be signed maybe? I don't know what firewall you use, but Comodo Firewall for example automatically adds executables signed by 'trusted vendors' to its internal database of safe files and allows them to access the internet without confirmation. Thankfully this behaviour can be disabled.
Reply With Quote
  #8  
Old 10-20-2014, 18:19
Kerlingen Kerlingen is offline
VIP
 
Join Date: Feb 2011
Posts: 324
Rept. Given: 0
Rept. Rcvd 276 Times in 98 Posts
Thanks Given: 0
Thanks Rcvd at 308 Times in 95 Posts
Kerlingen Reputation: 200-299 Kerlingen Reputation: 200-299 Kerlingen Reputation: 200-299
Like I already said, not the software itself but svchost.exe is the one initiating the connection. I can't find any suspicios services, so I assume the connection is made by using some documented or some undocumented (but open) service calls.
Reply With Quote
  #9  
Old 01-07-2015, 17:03
wd369
 
Posts: n/a
May be this software is using a another http program/component to access Internet.
Reply With Quote
  #10  
Old 01-08-2015, 23:08
LaDidi LaDidi is online now
VIP
 
Join Date: Aug 2004
Posts: 210
Rept. Given: 2
Rept. Rcvd 11 Times in 10 Posts
Thanks Given: 46
Thanks Rcvd at 41 Times in 24 Posts
LaDidi Reputation: 11
@Kerlingen:
Hi,

What is your operating system ?
Sure you don't use windows firewall ?
If it's SvcHost, maybe it used a COM component.
Give the name of the proggy and we can try.

Regards.

Last edited by LaDidi; 01-08-2015 at 23:15.
Reply With Quote
Reply

Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
iOS iBoot Source code leak - Probably termed as the biggest leak in the history foosaa Source Code 13 03-14-2018 01:02
Would you use a Firewall that had a cracked .dll? Rhodium General Discussion 18 03-03-2004 00:00
Best firewall? Your opinion FEARHQ General Discussion 8 11-10-2002 06:14


All times are GMT +8. The time now is 15:32.


Always Your Best Friend: Aaron, JMI, ahmadmansoor, ZeNiX, chessgod101
( 1998 - 2024 )