7 Ways to Easily Identify SVCHOST.EXE Service Name

From: https://www.raymond.cc/blog/identify-loaded-svchostexe-in-windows-task-list/


Besides ending a hung task or process, Windows Task Manager is also useful for quickly checking which programs are running on your computer. You may have noticed quite a number of svchost.exe entries in the Processes tab and wondered what it is and why there are so many of them. SVCHOST (Service Host) is the generic host process Windows uses to run services that are implemented as DLLs rather than as stand-alone executables (.EXE files); several services can share one svchost.exe instance, and since Windows 10 version 1703 machines with more than 3.5 GB of RAM run most services in their own instance, which is why the count is now so high. Windows services are a startup mechanism that runs in the background without requiring any user to log in, unlike other startup methods (Run keys, the Startup folder) where programs only run once a user has logged on.

svchost.exe in task manager

Normally users ignore the svchost.exe entries in Task Manager and only look for dubious image names. Some malware takes advantage of this by naming its own executable svchost.exe, hoping you will not notice it. One quick check is the user name the process runs under. Service-hosting svchost.exe instances run as SYSTEM, NETWORK SERVICE or LOCAL SERVICE, and each is started by services.exe from C:\Windows\System32\svchost.exe, so a svchost.exe running under your own account from any other location deserves investigation. Two caveats apply. Since Windows 10 version 1607, per-user services (service names ending in an underscore and a hex suffix, such as CDPUserSvc_xxxxx) legitimately host svchost.exe under the logged-on user's account, so the account alone proves nothing. And a correct account does not prove legitimacy either, because malware can inject code into a genuine svchost.exe. The image path, the parent process and the file's signature are the checks that hold up. If you would like to identify the services running behind each svchost.exe, here are 7 ways to do it.

1. Windows Task Manager

Starting with Windows Vista, Task Manager can show the service names associated with a svchost.exe process. To open it, right-click the taskbar and select “Start Task Manager”, or press Ctrl+Shift+Esc. Then right-click the svchost.exe process and select “Go to Service(s)”; Task Manager jumps to the Services tab with the hosted services highlighted.

svchost.exe services

You can start or stop a service by right-clicking its name. The problem is that some malware disables Task Manager by setting the DisableTaskMgr registry value under HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System (or the HKLM equivalent), so it is important to know other ways of identifying which services a svchost.exe hosts.


2. Command Prompt

Another way to reveal the services behind a svchost.exe is tasklist.exe from the command prompt. Type the command below and press Enter; the service names appear in the right-hand column of the output.

tasklist /svc /fi "IMAGENAME eq svchost.exe"

Tasklist svchost.exe

The limitation of tasklist is that it only shows the short service name, not the display name, the description or the DLL that implements the service (that path lives in the registry under HKLM\SYSTEM\CurrentControlSet\Services\<name>\Parameters\ServiceDll). Like Task Manager, the command prompt can be disabled by malware, which is why it is good to have third-party tools at hand.
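As an added example that is not part of the raymond.cc article, the PowerShell script below does the same PID-to-service mapping as tasklist /svc and, at the same time, applies the checks discussed above to every svchost.exe on the box: image path, parent process, owning account and Authenticode signature. It uses only built-in cmdlets (Get-CimInstance, Invoke-CimMethod, Get-AuthenticodeSignature); the flag names and the report layout are my own choices, not anything the article or Microsoft defines.

```powershell
# Added example (not from the raymond.cc article): enumerate every svchost.exe,
# list the services the Service Control Manager says it hosts, and raise a flag
# for anything that does not look like a real service host. Run from an elevated
# PowerShell 5.1+ prompt so ExecutablePath and GetOwner work for SYSTEM processes.

$services  = Get-CimInstance Win32_Service
$processes = Get-CimInstance Win32_Process

# Index processes by PID so parent lookups are cheap.
$byPid = @{}
foreach ($p in $processes) { $byPid[[int]$p.ProcessId] = $p }

# The only image a genuine service host should be running from.
$expectedPath = Join-Path $env:SystemRoot 'System32\svchost.exe'

$report = foreach ($proc in $processes | Where-Object { $_.Name -ieq 'svchost.exe' }) {
    $procId = [int]$proc.ProcessId            # not $pid: that is a read-only automatic variable
    $parent = $byPid[[int]$proc.ParentProcessId]

    # Owning account. Per-user services (Windows 10 1607+) legitimately run as the
    # logged-on user, so the account is reported but is not a flag on its own.
    $owner = Invoke-CimMethod -InputObject $proc -MethodName GetOwner
    $user  = if ($owner.User) { "$($owner.Domain)\$($owner.User)" } else { '<unknown>' }

    # Services whose ProcessId is this PID: the same data tasklist /svc prints.
    $hosted = @($services | Where-Object { $_.ProcessId -eq $procId })

    # Authenticode check on the image actually on disk (catalog-signed OS files
    # report Valid on Windows 8 and later).
    $sig = if ($proc.ExecutablePath) {
        (Get-AuthenticodeSignature -FilePath $proc.ExecutablePath).Status
    } else { 'NoPath' }

    $flags = @()
    if ($proc.ExecutablePath -and $proc.ExecutablePath -ine $expectedPath) { $flags += 'path' }
    if ($parent -and $parent.Name -ine 'services.exe')                      { $flags += 'parent' }
    if ($hosted.Count -eq 0)                                                { $flags += 'no-services' }
    if ($sig -ne 'Valid')                                                   { $flags += "sig:$sig" }

    [pscustomobject]@{
        PID      = $procId
        User     = $user
        Parent   = if ($parent) { "$($parent.Name)($($parent.ProcessId))" } else { '<gone>' }
        Path     = $proc.ExecutablePath
        Services = ($hosted.Name -join ',')
        Flags    = ($flags -join ' ')
    }
}

# Flagged processes first.
$report | Sort-Object { $_.Flags.Length } -Descending | Format-Table -AutoSize -Wrap
```

A flag is a cue to investigate, not a verdict: a svchost.exe with no services at all can be a host that is shutting down, and 'parent' will show '<gone>' rather than a flag if services.exe was not in the snapshot. What the script cannot see is code injected into a genuine svchost.exe, which passes every check here; that needs a memory-level tool such as Process Explorer's DLL view or a scanner.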


3. Process Explorer

Process Explorer is the grandfather of all task managers and so far the most comprehensive tool for viewing and controlling what is going on inside svchost.exe. Double-click a svchost.exe process in Process Explorer and open the Services tab.

Process Explorer services

You see every service registered in the process, with its service name, display name and the path to the DLL that was loaded. You can also edit the service's permissions and stop, restart, pause or resume it.

Download Process Explorer 


4. Process Hacker

Process Hacker is another popular, free and open-source task manager that can show and control the services inside a svchost.exe process. As in Process Explorer, double-click the svchost.exe process and go to the Services tab. The associated services are listed and can be stopped or paused; double-clicking a service opens a more detailed properties window for its permissions, startup type, error control and more.

Process Hacker Services Properties

There are both installer and portable versions available including 32-bit and 64-bit builds.

Download Process Hacker 


5. Svchost Process Analyzer

Svchost Process Analyzer

Svchost Process Analyzer is a free, portable program that analyzes the svchost.exe processes and shows the services associated with each. Clicking a process ID in the top pane lists its services in the bottom pane together with the DLL file and status, and the description of the selected service is shown in the top bar. The tool only displays information; it has no control options.

Download Svchost Process Analyzer 


6. Svchost Viewer

Svchost Viewer

Svchost Viewer is another free, open-source utility, originally hosted on CodePlex (since archived), that shows basic information such as the service name and description, plus two checkboxes indicating whether the service can be paused or stopped. If it can be stopped, open the Service Control menu and select “Stop Selected Service”. One interesting detail Svchost Viewer shows is the amount of data each service has read and written.

Download Svchost Viewer 


7. Services In Svchost

Services In Svchost is a very simple program that just lists the services inside each svchost.exe: no descriptions, no control, no DLL information. Its one unique feature is viewing the services on remote computers by entering a computer name or IP address.

Services in Svchost

Three requirements apply for remote computers. The account you use must have a non-empty password (Windows refuses network logons with blank passwords by default), the Remote Registry service must be running on the remote machine (it is set to manual start, so start it first), and Windows Firewall must allow the connection. Once all three are met, authenticate to the remote computer by opening one of its shared folders, then enter the computer name and click the Get Services button.

Download Services In Svchost 

Researchers Find and Decode the Spy Tools Governments Use to Hijack Phones

From: http://www.wired.com/2014/06/remote-control-system-phone-surveillance/



Newly uncovered components of a digital surveillance tool used by more than 60 governments worldwide provide a rare glimpse at the extensive ways law enforcement and intelligence agencies use the tool to surreptitiously record and steal data from mobile phones.

The modules, made by the Italian company Hacking Team, were uncovered by researchers working independently of each other at Kaspersky Lab in Russia and the Citizen Lab in Canada, who say the findings provide great insight into the trade craft behind Hacking Team’s tools.

The new components target Android, iOS, Windows Mobile, and BlackBerry users and are part of Hacking Team’s larger suite of tools used for targeting desktop computers and laptops. But the iOS and Android modules provide cops and spooks with a robust menu of features to give them complete dominion over targeted phones.

They allow, for example, for covert collection of emails, text messages, call history and address books, and they can be used to log keystrokes and obtain search history data. They can take screenshots, record audio from the phones to monitor calls or ambient conversations, hijack the phone’s camera to snap pictures or piggyback on the phone’s GPS system to monitor the user’s location. The Android version can also enable the phone’s Wi-Fi function to siphon data from the phone wirelessly instead of using the cell network to transmit it. The latter would incur data charges and raise the phone owner’s suspicion.

“Secretly activating the microphone and taking regular camera shots provides constant surveillance of the target—which is much more powerful than traditional cloak and dagger operations,” notes Kaspersky researcher Sergey Golovanov in a blog post about the findings.

It’s long been known that law enforcement and intelligence agencies worldwide use Hacking Team’s tools to spy on computer and mobile phone users—including, in some countries, to spy on political dissidents, journalists and human rights advocates. This is the first time, however, that the modules used to spy on mobile phone users have been uncovered in the wild and reverse-engineered.

Kaspersky and Citizen Lab discovered them after developing new methods to search for code fragments and digital certificates used by Hacking Team’s tools.

The modules work in conjunction with Hacking Team’s core surveillance tool, known as the Remote Control System, which the company markets under the names Da Vinci and Galileo.

In a sleek marketing video for Galileo, Hacking Team touts the tool as the perfect solution for obtaining hard-to-reach data—such as data taken by a suspect across borders or data and communications that never leave the target’s computer and therefore can’t be siphoned in transit.

“You want to look through your target’s eyes,” says the video. “While your target is browsing the web, exchanging documents, receiving SMS….”

Hacking Team’s tools are controlled remotely through command-and-control servers set up by Hacking Team’s law enforcement and intelligence agency customers to monitor multiple targets.

Kaspersky has tracked more than 350 command-and-control servers created for this purpose in more than 40 countries. While Kaspersky found only one or two servers in most of these countries, the researchers found 64 in the United States—by far the most. Kazakhstan followed with 49, Ecuador with 35 and the United Kingdom with 32. It’s not known for certain whether law enforcement agencies in the U.S. use Hacking Team’s tool or if these servers are used by other governments. But as Kaspersky notes, it makes little sense for governments to maintain their command servers in foreign countries where they run the risk of losing control over the servers.

Map showing the number of countries where command-and-control servers for the Hacking Team are currently being used.

In addition to the modules that were uncovered, Citizen Lab obtained from an anonymous source a copy of the lengthy user’s manual that Hacking Team provides customers. The illustrated document explains in detail how to build the surveillance infrastructure needed to deliver implants to targeted devices and to use the software tool’s dashboard to manage intelligence gleaned from infected computers and phones.

“This gives new visibility into the operational procedures of lawful intercept malware,” says Citizen Lab researcher Morgan Marquis-Boire. “Previous research has allowed us to understand how the software works. This allows us a holistic view of how this type of targeted surveillance is conducted.”

Image from Hacking Team's user manual showing the interface for managing hacked systems and data siphoned from them.

The modules and training manual all show that Hacking Team is well aware of the attention its products have received from researchers in recent years and has taken several steps to thwart attempts to understand how its spy tools work.

“They are well aware that their product may show up on the analyst chopping block at some stage, and they’re taking various steps to mitigate this risk,” says Marquis-Boire.

The Android spy module, for example, uses obfuscation to make it harder to reverse-engineer and examine the module. And before installing itself on machines, Hacking Team’s main spy tool has scouting agents that conduct reconnaissance to identify anything on a system that might detect it.

Once on a system, the iPhone module uses advanced techniques to avoid draining the phone’s battery, turning on the phone’s microphone, for example, only under certain conditions.

“They can just turn on the mic and record everything going on around the victim, but the battery life is limited, and the victim can notice something is wrong with the iPhone, so they use special triggers,” says Costin Raiu, head of Kaspersky’s Global Research and Analysis team.

One of those triggers might be when the victim’s phone connects to a specific WiFi network, such as a work network, signaling the owner is in an important environment. “I can’t remember having seen such advanced techniques in other mobile malware,” he says.

Hacking Team’s mobile tools also have a “crisis” module that kicks in when they sense the presence of certain detection activities occurring on a device, such as packet sniffing, and then pause the spyware’s activity to avoid detection. There is also a “wipe” function to erase the tool from infected systems. Hacking Team asserts that this will uninstall and erase all traces of the tools, but Citizen Lab discovered that initiating a wipe on some mobile phones creates telltale signs. On a BlackBerry, for example, it causes the device to automatically restart. On Android devices, the uninstall can, under certain conditions, cause a prompt to appear onscreen asking permission from the user to uninstall an application called “DeviceInfo”—the name the Android spy tool uses for itself.

In addition to the variety of obfuscation measures the tools use, Hacking Team also advises customers to set up several anonymous proxy servers through which to route data stolen from victim machines. In this way, researchers and victims won’t be able to easily follow the path the data takes back to command servers. Oddly, Hacking Team borrows the logo of the hacktivist group Anonymous—an empty black business suit—to designate the anonymized proxy servers in its user manual.

Hacking Team borrowed the logo of the hacking group Anonymous to designate anonymized proxy servers in its user manual.

Hacking Team first developed its Remote Control System spy suite in 2001. Initially it was a free, open-source tool for conducting man-in-the-middle attacks and was used by hackers and security researchers alike. Soon, however, police in Milan contacted the two authors of the tool—Alberto Ornaghi and Marco Valleri—for help developing something to eavesdrop on Skype communications. Work on this tool evolved into RCS.

Hacking Team has long argued that its products are intended for lawful governmental interception only and that it won’t sell its products to repressive regimes and countries blacklisted by NATO. But its spy suite reportedly has been used to spy on the citizen journalist group Mamfakinch in Morocco and appears to have been used by someone in Turkey to target a woman in the U.S. who was a vocal critic of Turkey’s Gulen movement.

Indeed, the Android spy module that Citizen Lab uncovered was masquerading as a legitimate news app for Qatif Today, an Arabic-language news and information service that covers the Qatif region in eastern Saudi Arabia. The government of Saudi Arabia has faced off several times in the last few years against Shia protestors in the Qatif region who have demanded political reform from the Sunni government and the release of political prisoners.

Although the Citizen Lab researchers are careful to point out that they don’t know for certain that the Saudi government is using the Hacking Team tool to spy on political dissidents, circumstantial evidence shows this may be the case.

The malicious Qatif Today app was discovered after someone uploaded the file in March to the VirusTotal web site—a site owned by Google that aggregates several dozen antivirus scanners to detect malware. The file was signed with a bogus certificate that appeared to belong to Sun Microsystems. Citizen Lab found evidence that a Twitter account of interest to Shiites in Qatif may have been used to tweet a link to the malicious file to lure targets into downloading it onto their phones.

While Hacking Team’s core Galileo tool for spying on computers is valuable for governments, the mobile spy modules are particularly attractive to repressive regimes where activists and others use their mobile phones to organize and stay connected during protests.

Cops can install the phone implants directly onto a mobile device if they have physical access to it. But they can also install the implants if a user connects the mobile device to a computer—for example, to charge the device—and the computer is already infected with Da Vinci or Galileo.

The iOS spy module works only on jailbroken iPhones, but agents can simply run a jailbreaking tool and then install the spyware. The only thing protecting a user from a surreptitious jailbreak is enabling a password on the device. But if the device is connected to a computer infected with Da Vinci or Galileo software and the user unlocks the device with a password, the malware on the computer can surreptitiously jailbreak the phone to install the spy tool.

So far, the researchers haven’t uncovered any methods used for remotely infecting phones with the Hacking Team malware via a phishing attack or a malicious web site.

Citizen Lab points out in its report on the malware that it’s important to understand how Hacking Team’s tools work, since they are powerful weapons, no different from the types of tools used by nation states against one another. But in this case they’re employed by government customers not against other government targets but against ordinary citizens.

“This type of exceptionally invasive toolkit, once a costly boutique capability deployed by intelligence communities and militaries, is now being marketed for targeting everyday criminality and ‘security threats,’” they write. “An unstated assumption is that the entities able to buy these tools will use them correctly, and primarily for law enforcement purposes. As our research has shown, however, by dramatically lowering the entry cost on invasive and hard-to-trace monitoring, it lowers the cost of targeting political threats” too.


Hack Any Computer With An ip [MetaSploit]

From: https://slimshady90358.wordpress.com/2011/03/22/hack-any-computer-with-an-ip-metasploit/

Hello everybody! I am here to show you Metasploit, a framework that can break into an unpatched computer when all you have is its IP address, as long as that computer exposes a network service with a known vulnerability that Metasploit has an exploit for. Let's begin…

1.) First you need to download Metasploit. The most up-to-date version is free at metasploit.com.

2.) You need PostgreSQL for the database. Download it from http://www.postgresql.org/. Keep all the defaults during installation or Metasploit won't work!

3.) Now let's get down to business. After installing both tools, open the PostgreSQL admin GUI (Start -> All Programs -> PostgreSQL 9.0 -> pgAdmin III), right-click your server in the left-hand pane and click Connect. Keep this window open the whole time. You will also need the postgres password you chose during installation for step 5.

[Image: pgadmin.bmp]

4.) Time for some hacking! Go to Start -> All Programs -> Metasploit Framework and open the Metasploit GUI. Let it load until it looks like this:

[Image: metasploit.bmp]

5.) Now, in the console, type:

db_connect postgres:ThePassYouChose@localhost:5432

The general form is user:password@host:port/database; if you created a dedicated database for Metasploit during the PostgreSQL setup, append its name. The first time you do this you will see lots of text flash by while the schema is created. Don't worry, this is normal.

6.) Type db_hosts (hosts in current versions) to make sure you are connected correctly; an empty host table with no error means the connection works.

7.) Now type this:

db_nmap 000.000.000.000

Make sure you put the IP of the computer you are trying to hack in place of 000.000.000.000. The scan results (open ports and service versions) are stored in the database.

8.) Now we get to the fun part, the automatic exploitation. Type db_autopwn -t -p -e -s -b, watch the auto-exploitation start, go play Halo for a while, and then come back. Be aware that db_autopwn matched exploits to targets by open port or vulnerability reference, was noisy and unreliable, and was removed from Metasploit in 2011; on any current version this step does not exist and you have to pick and configure exploit modules yourself.

9.) After the exploitation is done, type sessions -l. This lists the sessions that successful exploits opened, not the exploits themselves; if nothing was exploitable, the list is empty.

10.) Now we get to use those sessions to control the computer. Each session is numbered and shows its type (for example a meterpreter or shell session) and the target it was opened on. To interact with one, type:

sessions -i SessionNumber

___________________________________________________________

Metasploit's post-exploitation features are much like those of a RAT (remote access trojan). Once you have a session on someone's computer, you can see their screen, control their mouse, see what they type, watch them through the webcam, and so on.
