Obscure Wininet.dll Feature?
The Internet Storm Center relies on a group of Handlers[1] who are volunteers and offer some free time to the community besides our daily job. Sometimes, we share information between us about an incident or a problem that we are facing and ask for help. Indeed, why not request some help from fellow Handlers with broad experience? Yesterday, Bojan was involved in an incident with a customer and came back to us with this question:
"Did you already see this long list of domain names listed in C:\Windows\SysWOW64\wininet.dll
on Windows 10?"
$ strings -e l wininet.dll | egrep 'hr\.'
hr.com.eujuicers
hr.global
hr.prvikvadrat
hr.ak-varazdin
hr.stin
hr.pizzeriaamadeus
hr.silvergoldbull
hr.maskice
hr.perzeidi
hr.udruga-point
hr.tokic
hr.advance
hr.com.airbnb
hr.svijet-medija
hr.autoskole
hr.kub
hr.slink
hr.com.cevo
hr.mall
hr.autoskola
hr.blablacar
hr.abpis
hr.audion
hr.from.brunohenc
hr.orkestar-krizevci ...
Immediately, other handlers started to check in their own labs and reported the same finding. Bojan, based in Croatia searched for the ".hr" TLD. I searched for ".be":
$ strings -e l wininet.dll |grep "be\." be.slimmerbouwen be.fanjoe be.buderus-family be.loanstreet be.de-spil be.maximdeboiserie be.intux be.lafosseobservatoire be.rubendv be.rigartmichael be.eliott be.pgtb be.kgm-irm be.psncardplus be.carroarmato0 be.poollicht be.mths be.nord-sud be.centralpoint ...
Guy did the same test and reported that his copy of the DLL has 47881 Unicode strings! We tested several Windows 10 systems and all of them had the same kind of strings in wininet.dll, so Bojan's one was not compromised.
What is this DLL? wininet or "Win32 Internet Extensions" is used to allow programs to interact with the Internet. It provides well-known API calls like:
InternetOpenURL InternetReadFile HTTPOpenRequest
You can imagine that it's being used by a lot of processes and applications. Note that you can list which processes loaded a specific DLL with the following command:
C:\Users\REM>tasklist /m wininet.dll Image Name PID Modules ========================= ======== ============================================ taskhostw.exe 4576 wininet.dll explorer.exe 4964 WININET.dll ShellExperienceHost.exe 4004 WININET.dll SearchUI.exe 4368 WININET.dll RuntimeBroker.exe 5192 WININET.dll Fiddler.exe 7048 WININET.dll WinStore.App.exe 2036 WININET.dll RuntimeBroker.exe 64 WININET.dll
Let's come back to the list of suspicious domains. What did we find? There are domains from many different TLDs. Some belong to small companies, others belong to big players within different domains of activity, and no relation between them. What we found is that many of them appear to be preloaded HSTS domains. The Chrome browser does this and has a hardcoded list of domains sites as being HTTPS only[3]. Does Microsoft implement the same within wininet.dll?
Our next step was to start debugging the DLL to learn more about these domains. They are passed to a function called IsHostInBlocklist()
, which is in turn called from two separate locations CServerInfo::DetermineStrongCryptoState()
, and CServerInfo::DetermineFalseStartState()
.
This function IsHostInBlockList()
is used by interesting API calls but through a deep list of functions:
At this time, we are still investigating and trying to understand the purpose of those hardcoded domains and functions. They are listed in the DLL symbols[4] but no documentation was found. If you have more information, or if you are working for Microsoft, please share your findings with us!
[Update 1]
Benjamin Delpy[5] contacted us to give some information. The DLL has two lists of domains:
- A list of domains that ask for an SSL connection by default (tested through the function
DetermineStrongCryptoStart()
) - A list of domains that are not compatible with TLS False Start[6] (tested with
DetermineFalseStartState()
)
According to Benjamin, the goal of IsHostInBlockList()
changed with time but Microsoft kept the name.
[1] https://isc.sans.edu/handler_list.html
[2] https://docs.microsoft.com/en-us/cpp/mfc/win32-internet-extensions-wininet?view=msvc-170
[3] https://hstspreload.org/
[4] https://lise.pnfsoftware.com/winpdb/8B274E3115F9D58AB6E0DCF4CA336C86E4E1866AE7E801860B5F2876FAE48E24-wininet.html
[5] https://twitter.com/gentilkiwi
[6] https://tools.ietf.org/id/draft-bmoeller-tls-falsestart-00.html
Xavier Mertens (@xme)
Xameco
Senior ISC Handler - Freelance Cyber Security Consultant
PGP Key
Comments
Anonymous
Dec 3rd 2022
9 months ago
Anonymous
Dec 3rd 2022
9 months ago
<a hreaf="https://technolytical.com/">the social network</a> is described as follows because they respect your privacy and keep your data secure. The social networks are not interested in collecting data about you. They don't care about what you're doing, or what you like. They don't want to know who you talk to, or where you go.
<a hreaf="https://technolytical.com/">the social network</a> is not interested in collecting data about you. They don't care about what you're doing, or what you like. They don't want to know who you talk to, or where you go. The social networks only collect the minimum amount of information required for the service that they provide. Your personal information is kept private, and is never shared with other companies without your permission
Anonymous
Dec 26th 2022
8 months ago
Anonymous
Dec 26th 2022
8 months ago
<a hreaf="https://defineprogramming.com/the-public-bathroom-near-me-find-nearest-public-toilet/"> nearest public toilet to me</a>
<a hreaf="https://defineprogramming.com/the-public-bathroom-near-me-find-nearest-public-toilet/"> public bathroom near me</a>
Anonymous
Dec 26th 2022
8 months ago
<a hreaf="https://defineprogramming.com/the-public-bathroom-near-me-find-nearest-public-toilet/"> nearest public toilet to me</a>
<a hreaf="https://defineprogramming.com/the-public-bathroom-near-me-find-nearest-public-toilet/"> public bathroom near me</a>
Anonymous
Dec 26th 2022
8 months ago
Anonymous
Dec 26th 2022
8 months ago
https://defineprogramming.com/
Dec 26th 2022
8 months ago
distribute malware. Even if the URL listed on the ad shows a legitimate website, subsequent ad traffic can easily lead to a fake page. Different types of malware are distributed in this manner. I've seen IcedID (Bokbot), Gozi/ISFB, and various information stealers distributed through fake software websites that were provided through Google ad traffic. I submitted malicious files from this example to VirusTotal and found a low rate of detection, with some files not showing as malware at all. Additionally, domains associated with this infection frequently change. That might make it hard to detect.
https://clickercounter.org/
https://defineprogramming.com/
Dec 26th 2022
8 months ago
rthrth
Jan 2nd 2023
8 months ago