Com Surrogate Issues


I recently started seeing multiple Com Surrogate entries when I bring up my Task Manager.  

My research tells me this is a potential problem and to run my antivirus program to determine what is causing the issue.  My ESET is not detecting any issues.  

Questions:

1. Can I assume my system is safe if ESET is not finding anything?

2. Is there a way to eliminate the problem so I can be sure?

3. If the solution is to reload my OP System, do I download a new version or can I trust the backup that is on my system?

Any input you can lend would be appreciated.


  • Administrators

Are you experiencing any issues? COM Surrogate is a dllhost.exe process running on malware-free systems too.


Unfortunately yes. At the same time I started seeing multiple COM Surrogates running, my security service advised me that my identity had been stolen. Multiple issues with new credit have occurred. I have that under control but don't want to go through the effort of resetting everything if someone has a data logger or keyboard capture running in the background.

I reloaded my OP System once already on a clean/new drive.  The issue reoccurred a couple of weeks later.

Again, any insights you can lend would be appreciated.


11 hours ago, RBoon said:

I reloaded my OP System once already on a clean/new drive.  The issue reoccurred a couple of weeks later.

One likely source of reinfection is that your router/gateway is hacked or misconfigured.

Here's an example of COM based malware: https://codewhitesec.blogspot.com/2018/07/lethalhta.html . Detection of this can be had using the following YARA based behavioral rule:

sequence with maxspan=1m [process where event.type in ("start",
"process_started") and process.name : "mshta.exe" and
process.args : "-Embedding" ] by host.id, process.entity_id
[network where event.type == "start" and process.name : "mshta.exe"
and network.direction : ("incoming", "ingress") and
network.transport == "tcp" and source.port > 49151 and
destination.port > 49151 and source.ip != "127.0.0.1" and source.ip !=
"::1" ] by host.id, process.entity_id

https://www.elastic.co/guide/en/security/current/incoming-dcom-lateral-movement-via-mshta.html

The YARA rule in essence is monitoring mshta.exe start-up execution. In this malware instance, svchost.exe starts it. Other monitored activity is the use of a hidden localhost proxy server.

COM and DCOM malware is very difficult to detect once it gets installed. Your best bet in removal of whatever malware you have would be to contact Eset North America for malware removal assistance.

Edited by itman
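The query quoted above is an Elastic EQL sequence rule: a DCOM-launched mshta.exe (started with the -Embedding argument) followed within one minute by an inbound TCP connection on ephemeral ports from a non-loopback address, both events joined on host.id and process.entity_id. As an added example that is not part of this thread and not Elastic's own implementation, the Python below emulates that two-stage correlation over constructed sample events in ECS-style field names, so the rule's filters, join key and maxspan window can be traced step by step. The sample events, host names and entity ids are all made up.

```python
from datetime import datetime, timedelta

MAXSPAN = timedelta(minutes=1)   # "sequence with maxspan=1m"
EPHEMERAL_MIN = 49151            # rule requires source.port and destination.port above this


def _proc_start(ts, host, entity, args):
    # Constructed process-start event (ECS-style field names, not real telemetry).
    return {"@timestamp": ts, "event.category": "process", "event.type": "start",
            "process.name": "mshta.exe", "process.args": args,
            "host.id": host, "process.entity_id": entity}


def _net_start(ts, host, entity, src_ip, sport, dport):
    # Constructed inbound network event attributed to the same process.
    return {"@timestamp": ts, "event.category": "network", "event.type": "start",
            "process.name": "mshta.exe", "network.direction": "incoming",
            "network.transport": "tcp", "source.ip": src_ip,
            "source.port": sport, "destination.port": dport,
            "host.id": host, "process.entity_id": entity}


# Four hypothetical scenarios; only host-A should produce an alert.
SAMPLE_EVENTS = [
    # host-A: DCOM-launched mshta.exe, inbound connection 20 s later -> alert
    _proc_start("2024-01-01T10:00:00", "host-A", "host-A-4711", ["mshta.exe", "-Embedding"]),
    _net_start("2024-01-01T10:00:20", "host-A", "host-A-4711", "192.0.2.10", 52013, 49781),
    # host-B: same pattern but the source is loopback -> excluded by the rule
    _proc_start("2024-01-01T10:05:00", "host-B", "host-B-5001", ["mshta.exe", "-Embedding"]),
    _net_start("2024-01-01T10:05:05", "host-B", "host-B-5001", "127.0.0.1", 50222, 49800),
    # host-C: inbound connection arrives 5 minutes later -> outside maxspan
    _proc_start("2024-01-01T10:10:00", "host-C", "host-C-6123", ["mshta.exe", "-Embedding"]),
    _net_start("2024-01-01T10:15:00", "host-C", "host-C-6123", "192.0.2.77", 51000, 49900),
    # host-D: mshta.exe started interactively (no -Embedding) -> first stage never matches
    _proc_start("2024-01-01T10:20:00", "host-D", "host-D-7001", ["mshta.exe", "C:\\tmp\\x.hta"]),
    _net_start("2024-01-01T10:20:10", "host-D", "host-D-7001", "192.0.2.99", 53000, 49950),
]


def _ts(ev):
    return datetime.fromisoformat(ev["@timestamp"])


def is_dcom_mshta_start(ev):
    """Stage 1: process start of mshta.exe with -Embedding (EQL ':' is case-insensitive)."""
    return (ev.get("event.category") == "process"
            and ev.get("event.type") in ("start", "process_started")
            and ev.get("process.name", "").lower() == "mshta.exe"
            and any(a.lower() == "-embedding" for a in ev.get("process.args", [])))


def is_external_inbound_tcp(ev):
    """Stage 2: inbound TCP to mshta.exe on ephemeral ports from a non-loopback source."""
    return (ev.get("event.category") == "network"
            and ev.get("event.type") == "start"
            and ev.get("process.name", "").lower() == "mshta.exe"
            and ev.get("network.direction") in ("incoming", "ingress")
            and ev.get("network.transport") == "tcp"
            and ev.get("source.port", 0) > EPHEMERAL_MIN
            and ev.get("destination.port", 0) > EPHEMERAL_MIN
            and ev.get("source.ip") not in ("127.0.0.1", "::1"))


def find_dcom_mshta_sequences(events, maxspan=MAXSPAN):
    """Correlate stage 1 and stage 2 on (host.id, process.entity_id) within maxspan."""
    pending = {}   # join key -> timestamp of the most recent qualifying process start
    alerts = []
    for ev in sorted(events, key=_ts):
        key = (ev.get("host.id"), ev.get("process.entity_id"))
        if is_dcom_mshta_start(ev):
            pending[key] = _ts(ev)
        elif is_external_inbound_tcp(ev) and key in pending:
            delta = _ts(ev) - pending[key]
            if timedelta(0) <= delta <= maxspan:
                alerts.append({"host.id": key[0], "process.entity_id": key[1],
                               "source.ip": ev["source.ip"],
                               "seconds_between": delta.total_seconds()})
                del pending[key]   # one alert per matched sequence, as in EQL
    return alerts


if __name__ == "__main__":
    for alert in find_dcom_mshta_sequences(SAMPLE_EVENTS):
        print("Incoming DCOM lateral movement via mshta.exe:", alert)
```

Run as-is it reports one alert, for host-A. The loopback, out-of-window and interactive-launch cases show why each clause of the rule exists: without the source.ip exclusion, ordinary local COM activation would fire; without the maxspan, an unrelated inbound connection hours later would be tied to an old start; without the -Embedding check, every manual mshta.exe launch would enter the sequence.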
