Malware, spyware and virus practices

Process name camouflage

There is a well-known practice that consists in giving a trojan, spyware or virus the name of a common process. That way the malware goes unnoticed in a process list.

Let's say a malicious software programmer writes a trojan which installs itself on a Windows computer and starts every time Windows is restarted. Suppose this program waits for a given date before erasing the hard disk drive. If this process is named "dieNowHD" and a normal user checks Windows' running process list, he may suspect something strange. Now, if the process is named "ahtt32" he won't be alarmed, but it can still be subject to investigation by a more experienced user. Finally, what if the programmer names the malware "svchost.exe"? Let me tell you, it will be hard to find out.

How can more than one process with the same name exist? Well, both processes are placed in different locations, that is, under different paths.

The first problem is that Windows doesn't show the full path of a process, therefore it's hard to know whether the svchost.exe process was launched from "C:\WINDOWS\" or from "C:\TEMPX\". When an inexperienced user takes a look at his process list, he'll just see several svchost.exe processes running, not knowing that one of those isn't the real svchost.exe but a trojan or spyware.

The first rule is: always check the full path of a running process.

But there is trickier stuff yet, because an even more evil programmer can put the corrupted svchost.exe program in the Windows installation directory. Yes, right beside the proper svchost.exe file. And now you should be asking yourself how that is possible. Well, he can add a space at the start of the file name. That way he can put " svchost.exe" beside "svchost.exe", start the first one, and you won't notice. In the dir listing below, the extra blank before the first svchost.exe entry is that leading space:

Directory of C:\Clasdix\BitBox\test

29/01/2008  11:32    <DIR>          .
29/01/2008  11:32    <DIR>          ..
17/10/2007  22:56                30  svchost.exe
17/10/2007  22:56                30 svchost.exe
               2 File(s)             60 bytes
               2 Dir(s)  29.534.883.840 bytes free

The second rule is: always check that the process name has no spaces or strange characters.

The third rule is: always check that there are no two processes with names that look alike.

You may find Daphne task manager an interesting tool for inspecting processes running in your Windows operating system.
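The three rules above can be checked mechanically. The script below is an added example written for this page (it is not the page's own code, nor part of Daphne): it runs over a constructed, hypothetical process table of (pid, name, full path) rows and flags, per rule, a known name running from an unexpected directory, a name containing whitespace or unusual characters, and two spellings that read as the same name (including the leading-space and digit-for-letter tricks). The expected-directory table and the sample rows are assumptions made for the example; on a live system you would fill the rows from `Get-Process | Select-Object Id, Path` (taking the name from the file part of the path) or from a library such as psutil.

```python
import ntpath
import string
import unicodedata

# Constructed sample process table (hypothetical; not taken from the page).
# Each entry: (pid, name as a task manager shows it, full image path).
SAMPLE_PROCESSES = [
    (612,  "svchost.exe",  r"C:\WINDOWS\system32\svchost.exe"),
    (700,  "svchost.exe",  r"C:\WINDOWS\system32\svchost.exe"),
    (1422, "svchost.exe",  r"C:\TEMPX\svchost.exe"),             # wrong directory
    (1500, " svchost.exe", r"C:\WINDOWS\system32\ svchost.exe"),  # leading space
    (1611, "svch0st.exe",  r"C:\Users\Public\svch0st.exe"),       # digit zero for 'o'
    (1702, "explorer.exe", r"C:\WINDOWS\explorer.exe"),
]

# Directory each well-known binary is expected to run from (assumption for
# the example; keys are lowercase so lookups are case-insensitive).
EXPECTED_DIRS = {
    "svchost.exe":  r"C:\WINDOWS\system32",
    "explorer.exe": r"C:\WINDOWS",
}

# Digit-for-letter substitutions commonly used to build look-alike names.
_LOOKALIKES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "8": "b"})


def has_odd_chars(name):
    """Rule 2: any whitespace, control or non-ASCII character is suspicious."""
    return any(ch.isspace() or ch not in string.printable for ch in name)


def canonical(name):
    """Fold a name to what a human reads it as, for look-alike grouping."""
    folded = unicodedata.normalize("NFKC", name).strip().lower()
    return folded.translate(_LOOKALIKES)


def audit(processes, expected_dirs):
    """Return (pid, rule, message) findings for the three rules in the text."""
    findings = []
    groups = {}
    for pid, name, path in processes:
        # Rule 1: a known name must run from its expected directory.
        expected = expected_dirs.get(name.lower())
        if expected is not None:
            actual_dir = ntpath.dirname(path)  # ntpath handles C:\ paths on any OS
            if actual_dir.lower() != expected.lower():
                findings.append((pid, 1, f"{name!r} runs from {actual_dir!r}, expected {expected!r}"))
        # Rule 2: spaces or strange characters in the name.
        if has_odd_chars(name):
            findings.append((pid, 2, f"{name!r} contains whitespace or unusual characters"))
        groups.setdefault(canonical(name), []).append((pid, name))

    # Rule 3: two different spellings that read as the same name. Within such
    # a group, the spellings that differ from the canonical form are flagged.
    for canon, members in groups.items():
        spellings = {n.lower() for _, n in members}
        if len(spellings) < 2:
            continue
        for pid, name in members:
            if name.lower() != canon:
                others = [p for p, n in members if n.lower() == canon]
                findings.append((pid, 3, f"{name!r} looks like {canon!r} (pids {others})"))
    return findings


if __name__ == "__main__":
    for pid, rule, msg in audit(SAMPLE_PROCESSES, EXPECTED_DIRS):
        print(f"pid {pid:>5}  rule {rule}: {msg}")
```

On the sample table the script flags pid 1422 under rule 1, pid 1500 under rules 2 and 3, and pid 1611 under rule 3, while the genuine svchost.exe and explorer.exe rows pass. Rule 1 is only as good as the expected-directory table, so it should list every well-known name you care about, and rule 3 deliberately treats a leading or trailing space as just another look-alike spelling.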


www.DRK.com.ar - Copyright 2002-2017 by DRK