Bits from Bill

Technology thoughts leaking from the brain of "Bill Pytlovany"

Monday, October 08, 2007

Task Scheduler Provides Malware Hiding Place

One of the least used features of Windows has been its control panel applet, Task Scheduler. In 2003, I added a feature to WinPatrol 6.0 which monitored Task Scheduler jobs and warned users if some kind of malware injected itself in the Scheduler list. In the past, I found few incidence's of malware using this as a method to run programs which might take over a system, replicate or just do nasty stuff. This has always surprised me since most Anti-Malware programs won’t alert users to newly created scheduled tasks jobs.

I have noticed more legitimate programs finally using Task Scheduler but unfortunately many obnoxious programs are also taking advantage of this poorly monitored launch location. There is a variant of the nasty Adware called “Lop.com” that now adds a program to the Scheduled Task list. Malware frequently creates file names using random letters like IS-HDKEUL.exe. Lop is distinguished by file names created by random words like “BASH ACE STUPID.EXE”, “EXIT FIVE GLUE.EXE, sometimes without spaces between the words.

Some recent detections to watch for in the Task Scheduler include:
RVHOST.exe – Yahoo Messenger Worm
At1.job – Multiple worms installed using old Windows vulnerability
BLASTCLNNN.EXE – Sohana/YahLover Worm
WUNAUCLT.EXE – Possible Zoih A Trojan
WINMDS.EXE – Porn Dialer Trojan
And many LOP type using file names created with random words.


Anyone who reads this Blog knows how I feel about AutoUpdates, especially when they run in the background all the time. The Task Scheduler is an ideal place for autoupdate programs. These programs shouldn’t run constantly but it couldn’t hurt to have them scheduled to check for updates on a regular basis and then shutdown.

Some of the annoying auto updaters that need to be moved to Task Scheduler come from Google, Adobe and InstallShield which looks for updates of any programs that used InstallShield as their setup package.

According to recent requests for PLUS Info, the following are now using Task Scheduler.
MPCMDRUN.EXE – Windows Defender
SOFTWAREUPDATE.EXE – Usually Apple/iTunes/Quicktime
SYSTEMOPTIMIZER.EXE – TuneUp Software GMBH
MSFEEDSSYNC.EXE – Microsoft IE7 RSS Support
WALIGN – Window 98 File Optimizer
MSNTBUP.EXE – Microsoft Live Toolbar

Microsoft has made radical changes in Task Scheduler for Vista. This has encouraged many developers to take advantage of its power. It also has appeared to provide a little better security so that malicious programs will have a harder time infiltrating systems this way. You’ll still be surprised by how many unnecessary services run here slowing you down when you least expect it.

You’ll definitely want to keep an eye on your Scheduled Tasks either by using WinPatrol or occasionally opening the Task Scheduler applet in the Windows Control Panel. It might help explain where that “Do you want to update…?” message appears to come from.

Labels: , , ,

Share on Facebook


1 Comments:

Anonymous Anonymous said...

GREAT ALERT, with helpful solutions to consider. Your article prompted me to write to Trend Micro Internet Security (my "protector") and ask if they have such a feature, and if so, how to enable it.
I alerted them to my "near miss"--when I was setting up a scheduled task, I happened to find a trojan (I suspect) scheduled for one-time only, July 12, 2008.
Thanks again for bringing up a neglected, easily checked issue (that WinPatrol takes care of, anyway!)

1:43 AM  

Post a Comment

<< Home