{"id":1974,"date":"2013-07-04T13:50:08","date_gmt":"2013-07-04T13:50:08","guid":{"rendered":"http:\/\/www.hexacorn.com\/blog\/?p=1974"},"modified":"2015-12-18T17:00:50","modified_gmt":"2015-12-18T17:00:50","slug":"the-typographical-and-homomorphic-abuse-of-svchost-exe","status":"publish","type":"post","link":"https:\/\/www.hexacorn.com\/blog\/2013\/07\/04\/the-typographical-and-homomorphic-abuse-of-svchost-exe\/","title":{"rendered":"The typographical and homomorphic abuse of svchost.exe"},"content":{"rendered":"<p><strong>Update<\/strong><\/p>\n<p>I have re-visited this topic <a href=\"https:\/\/www.hexacorn.com\/blog\/2015\/12\/18\/the-typographical-and-homomorphic-abuse-of-svchost-exe-and-other-popular-file-names\/\">here<\/a>.<\/p>\n<p><strong>Old post<\/strong><\/p>\n<p>Probably the most abused file name in the history of a mankind is svchost.exe. The number of its look-alike variations created by the perverse mind and deprived imagination of malware authors is staggering.<\/p>\n<p>The following list is a testament to&#8230; oh, whatever&#8230;\u00a0 it&#8217;s just a few examples extracted from a list of IOCs \ud83d\ude42<\/p>\n<ul>\n<li>svchost<\/li>\n<li>svch0st<\/li>\n<li>svchosts<\/li>\n<li>scvhost<\/li>\n<li>svhost<\/li>\n<li>svohost<\/li>\n<li>svchest<\/li>\n<li>svchost32<\/li>\n<li>suchost<\/li>\n<li>svshost<\/li>\n<li>svchast<\/li>\n<li>svcnost<\/li>\n<li>syshost<\/li>\n<li>svchcst<\/li>\n<li>svchost<\/li>\n<li>svchon32<\/li>\n<li>svchost2<\/li>\n<li>svcchost<\/li>\n<li>sxhost<\/li>\n<li>svchost31<\/li>\n<li>syschost<\/li>\n<li>svch\u00eest<\/li>\n<li>synchost<\/li>\n<li>svchpst<\/li>\n<li>svohcst<\/li>\n<li>svghost<\/li>\n<li>svchostms<\/li>\n<li>svchostxxx<\/li>\n<li>suchostp<\/li>\n<li>suchosts<\/li>\n<li>smsvchost<\/li>\n<li>svcehost<\/li>\n<li>svphost<\/li>\n<li>svchostdll<\/li>\n<li>svvhosti<\/li>\n<li>sach0st<\/li>\n<li>swchost<\/li>\n<li>servehost<\/li>\n<li>svsh0st<\/li>\n<li>svchsot<\/li>\n<li>scchostc<\/li>\n<li>snvhost<\/li>\n<li>scchost<\/li>\n<li>svvhost<\/li>\n<li>svahost<\/li>\n<li>svcinit<\/li>\n<li>ssvch0st<\/li>\n<li>svchots<\/li>\n<li>svdhost<\/li>\n<li>svchostv<\/li>\n<li>scvchusts<\/li>\n<li>svchostxi<\/li>\n<li>st#host<\/li>\n<li>svchost3<\/li>\n<li>scanost<\/li>\n<li>schosts<\/li>\n<li>svchost0<\/li>\n<li>svchost64<\/li>\n<li>svch\u00f6st<\/li>\n<li>s_host<\/li>\n<li>svchost&#8221;<\/li>\n<li>svphostu<\/li>\n<li>svchostc32<\/li>\n<li>szchostc<\/li>\n<li>svehost<\/li>\n<li>srvchost<\/li>\n<li>svchosts32<\/li>\n<li>scvhosv<\/li>\n<li>ssvichosst<\/li>\n<li>svrhost<\/li>\n<li>svichosst<\/li>\n<li>svchoxt<\/li>\n<li>svchost_cz<\/li>\n<li>schost<\/li>\n<li>ssvchost<\/li>\n<li>sv\u00b1hest<\/li>\n<li>shhost<\/li>\n<li>svchostt<\/li>\n<li>svchosf<\/li>\n<li>svchost\u00fe<\/li>\n<li>sachostp<\/li>\n<li>sachosts<\/li>\n<li>sachostx<\/li>\n<li>swhost<\/li>\n<li>scvh0st<\/li>\n<li>svcroot<\/li>\n<li>svschost<\/li>\n<li>svchosting<\/li>\n<li>sachostc<\/li>\n<li>sachostw<\/li>\n<li>svshoct<\/li>\n<\/ul>\n<p>&nbsp;<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Update I have re-visited this topic here. Old post Probably the most abused file name in the history of a mankind is svchost.exe. The number of its look-alike variations created by the perverse mind and deprived imagination of malware authors &hellip; <a href=\"https:\/\/www.hexacorn.com\/blog\/2013\/07\/04\/the-typographical-and-homomorphic-abuse-of-svchost-exe\/\">Continue reading <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":[],"categories":[28,9,18],"tags":[],"_links":{"self":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/1974"}],"collection":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/comments?post=1974"}],"version-history":[{"count":7,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/1974\/revisions"}],"predecessor-version":[{"id":3434,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/1974\/revisions\/3434"}],"wp:attachment":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/media?parent=1974"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/categories?post=1974"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/tags?post=1974"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}