Oct 26 2015
It is extremely difficult to trace back from a running process to determining how that process was started, let alone installed. svchost.exe makes things even more difficult by allowing a DLL to attach itself to a common executable, rendering the image path meaningless. Even the original command-line is useless as it does not contain any information that can be used to tie the process back to the service entry that was used to launch it.
The best I can do is to enumerate all the DLL's that have been attached to the process, then try to cross-reference each one against the service registry entries. I could also look for the resource version information in each DLL, checking for code that has been AuthentiCode signed and flagging "untrusted" modules.
It is probably more realistic to focus on the outbound data connection to the remote server, comparing them to a database of trusted servers. I can capture the outbound data streams to suspect servers and present the data for inspection.
Chasing down the program binaries is best left as an investigative step once a suspect server has been identified.
I do not have the full domain names when the connection is captured, I have only the raw IP address. The WhoIs database is of very limited use for any servers that are referenced by IP address directly. I can do a couple things to try to match an IP address to an owner. I can try to capture all DNS lookups and keep an internal table of hostnames and addresses. I can try to do a local reverse lookup from IP address to hostname in the user mode Control program. I can try to open an HTTPS connection to the IP address, hoping to retrieve a certificate with a registered domain name.
I can then augment these resources with my own master database that I provide from a cental public server. Users can supply moderated information on connections to provide a trust level for undocumented servers. There is probably not much value in trying to track "evil" servers, as they are likely to migrate to new IP addresses faster than I can update the database. It would be more effective to track trusted servers, which are more likely to remain unchanged.