The Internet Storm Center relies on a group of Handlers[1], volunteers who offer some of their free time to the community alongside their daily jobs. Sometimes, we share information between us about an incident or a problem that we are facing and ask for help. Indeed, why not request some help from fellow Handlers with broad experience? Yesterday, Bojan was involved in an incident with a customer and came back to us with this question: "Did you already see this long list of domain names listed in
Immediately, other handlers started to check in their own labs and reported the same finding. Bojan, based in Croatia, searched for the ".hr" TLD. I searched for ".be":

    $ strings -e l wininet.dll | grep "be\."
    be.slimmerbouwen
    be.fanjoe
    be.buderus-family
    be.loanstreet
    be.de-spil
    be.maximdeboiserie
    be.intux
    be.lafosseobservatoire
    be.rubendv
    be.rigartmichael
    be.eliott
    be.pgtb
    be.kgm-irm
    be.psncardplus
    be.carroarmato0
    be.poollicht
    be.mths
    be.nord-sud
    be.centralpoint
    ...

Guy did the same test and reported that his copy of the DLL has 47881 Unicode strings! We tested several Windows 10 systems and all of them had the same kind of strings in wininet.dll, so Bojan's copy was not compromised.

What is this DLL? wininet, or "Win32 Internet Extensions", is used to allow programs to interact with the Internet. It provides well-known API calls like:

    InternetOpenURL
    InternetReadFile
    HTTPOpenRequest

You can imagine that it's being used by a lot of processes and applications. Note that you can list which processes loaded a specific DLL with the following command:

    C:\Users\REM>tasklist /m wininet.dll

    Image Name                     PID Modules
    ========================= ======== ============================================
    taskhostw.exe                 4576 wininet.dll
    explorer.exe                  4964 WININET.dll
    ShellExperienceHost.exe       4004 WININET.dll
    SearchUI.exe                  4368 WININET.dll
    RuntimeBroker.exe             5192 WININET.dll
    Fiddler.exe                   7048 WININET.dll
    WinStore.App.exe              2036 WININET.dll
    RuntimeBroker.exe               64 WININET.dll

Let's come back to the list of suspicious domains. What did we find? There are domains from many different TLDs. Some belong to small companies, others belong to big players in different fields of activity, and there is no relation between them. What we found is that many of them appear to be preloaded HSTS domains. The Chrome browser does this and has a hardcoded list of sites flagged as HTTPS only[3]. Does Microsoft implement the same within wininet.dll?
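As an added example (not part of the diary), here is the strings-and-grep check done above written as a small Python script: it extracts UTF-16LE strings the way `strings -e l` does, keeps the entries stored TLD-first, and turns them back into normal hostnames grouped by TLD, so the copies of wininet.dll on two systems can be compared or diffed. The sample image is constructed, and the entry format, regular expression and function names are my assumptions, not anything documented by Microsoft.

```python
import re
import sys
from collections import defaultdict

# Assumed format of the entries seen in wininet.dll ("be.slimmerbouwen"):
# a TLD made of letters, then one or more ordinary DNS labels.
REVERSED_DOMAIN = re.compile(r"^[a-z]{2,24}(?:\.[a-z0-9-]{1,63})+$")

def utf16le_strings(data: bytes, min_len: int = 4):
    """Yield printable-ASCII runs stored as UTF-16LE, like `strings -e l`.
    Both byte alignments are scanned so odd-offset strings are not missed."""
    for start in (0, 1):
        run = []
        for i in range(start, len(data) - 1, 2):
            code = data[i] | (data[i + 1] << 8)
            if 0x20 <= code <= 0x7E:
                run.append(chr(code))
                continue
            if len(run) >= min_len:
                yield "".join(run)
            run = []
        if len(run) >= min_len:
            yield "".join(run)

def reversed_domains(strings):
    """Turn TLD-first entries back into hostnames, grouped and sorted by TLD."""
    by_tld = defaultdict(set)
    for s in strings:
        if REVERSED_DOMAIN.match(s):
            labels = s.split(".")
            by_tld[labels[0]].add(".".join(reversed(labels)))
    return {tld: sorted(hosts) for tld, hosts in sorted(by_tld.items())}

def scan_image(data: bytes):
    return reversed_domains(utf16le_strings(data))

# Constructed sample, not a real wininet.dll: three entries as UTF-16LE (one
# at an odd offset), an 8-bit export name that must be ignored, and filler.
SAMPLE = (b"\x00\xff" + "be.slimmerbouwen".encode("utf-16-le") + b"\x00\x00"
          + b"InternetOpenUrlA" + b"\xcc\xcc\xcc"
          + "be.fanjoe".encode("utf-16-le") + b"\x00\x00\x90"
          + "be.centralpoint".encode("utf-16-le") + b"\x00\x00")

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    for tld, hosts in scan_image(data).items():
        print(f".{tld}: {len(hosts)} entries")
        for host in hosts:
            print("   ", host)
```

Run it with the path to a wininet.dll copied from each system and diff the outputs; a copy whose list differs from a known-good build is the one worth looking at.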
Our next step was to start debugging the DLL to learn more about these domains. They are passed to a function called This function At this time, we are still investigating and trying to understand the purpose of those hardcoded domains and functions. They are listed in the DLL symbols[4], but no documentation was found. If you have more information, or if you are working for Microsoft, please share your findings with us!

[Update 1] Benjamin Delpy[5] contacted us to give some information. The DLL has two lists of domains:
According to Benjamin, the goal of

[1] https://isc.sans.edu/handler_list.html

Xavier Mertens (@xme)
Xme, ISC Handler, Jan 21st 2022
I never thought I'd see the F-Bomb in a Windows DLL.
com.powersergthisisthetunnelfuckyouscott
com.powersergthisisthewebsitefuckyouscott
com.joemotherfuckingjohnson
su.fuckobr
website.bestmotherfucking
dk.fuckup
com.fuckobr
ru.fuckav
org.fuckobr
nz.clusterfuck
de.fuck-your-false-positive
cf.fuckcf
net.fuckobr
ch.fucklife
com.thefuckingtide
xyz.youcanfuckoff
com.fuckcie
date.fuckonthefirst
HEAD[0])abbrjuan(198leshtwinsonyguysfuckpipe
Anonymous, Jan 21st 2022