csrss.exe anomalies, is this a rootkit?

I'm seeing a strange anomaly in some systems I support.

GMER flags the cdd.dll thread in csrss.exe, and when I run Process Explorer with Elevated Admin rights, I am:

  1. unable to view any loaded DLLs in either csrss.exe process
  2. unable to view actual thread start addresses (instead of winsrv.DLL and CSRSRV.dll, I see either 0x0 or !RtlUserThreadStart)
  3. unable to view any csrss.exe thread's stack
  4. unable to suspend or kill any thread in csrss.exe
  5. Strings in memory show "Error opening process"


According to the 6th Edition of Windows Internals, this is what one would see in Process Explorer when trying to view the threads of "protected process"...

...Process Explorer is unable to show the Win32 thread start address and instead displays the standard thread start wrapper inside Ntdll.dll. If you try clicking the Stack button, you'll get an error, because Process Explorer needs to read the virtual memory inside the protected process, which it can't do.

However, csrss.exe is NOT a protected process. Also, even if it were, one can normally still suspend "protected processes", which is not possible in this case.

For reference, this is what it normally looks like in Process Explorer...taken from a freshly installed system.


No other tool I've run detects anything malicious. However, Process Hacker is able to access the threads, and they look like what I would expect to see...


2 things I know, I think:

  1. This is abnormal behavior (most other systems I look at give Elevated Admin full access to csrss.exe threads, strings, etc.)
  2. This seems consistent with rootkit-like hiding behavior. According to this quote from the book "Malware Analyst's Cookbook":

If a rootkit finds a reliable way to hide or prevent access to csrss.exe without causing system instability, then that could cause an issue. In fact, the author of CsrWalker found that some hackers tried to prevent CsrWalker from working by hooking ZwOpenProcess and preventing the detection tool from reading the memory of csrss.exe.

Can anyone explain why an Admin running PE with elevated rights would see these anomalies, other than an unknown rootkit?
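A repeatable way to record the same observations from a third tool, independent of Process Explorer and Process Hacker, is to enumerate csrss.exe through .NET from an elevated PowerShell session. This is an added triage script, not code from the question or from either tool; it assumes an elevated session on Windows. Note that .NET's ProcessThread.StartAddress is the kernel-recorded initial start (normally inside ntdll.dll), not the Win32 start that Process Explorer resolves to winsrv/csrsrv, so the things worth flagging are an inaccessible module list, a 0x0 start, or a start that resolves to no loaded module.

```powershell
# Added triage check (not from the original post). Assumes an elevated
# PowerShell session on Windows. Reports, per csrss.exe instance, whether the
# module list can be read and which module each thread's start address falls in.
function Get-CsrssThreadMap {
    foreach ($p in Get-Process -Name csrss -ErrorAction Stop) {
        $mods = @()
        $moduleError = $null
        try {
            $mods = @($p.Modules)          # throws Win32Exception if the handle is denied
        } catch {
            $moduleError = $_.Exception.Message
        }
        foreach ($t in $p.Threads) {
            $addr  = $t.StartAddress.ToInt64()
            $owner = $null
            # Resolve the start address to the loaded module whose range contains it.
            foreach ($m in $mods) {
                $base = $m.BaseAddress.ToInt64()
                if ($addr -ge $base -and $addr -lt ($base + $m.ModuleMemorySize)) {
                    $owner = $m.ModuleName
                    break
                }
            }
            [pscustomobject]@{
                Pid          = $p.Id
                SessionId    = $p.SessionId
                Tid          = $t.Id
                StartAddress = ('0x{0:X}' -f $addr)
                Module       = if ($owner) { $owner } else { '<unresolved>' }
                ModuleError  = $moduleError
                # Flag what the question describes: zero or unresolvable starts,
                # or a module list that an elevated admin cannot read.
                Suspicious   = ($addr -eq 0 -or -not $owner -or $null -ne $moduleError)
            }
        }
    }
}

Get-CsrssThreadMap | Format-Table -AutoSize
```

Run the same script on a known-clean machine of the same Windows build and diff the output; a difference in ModuleError or in the set of resolved modules is the anomaly to investigate, and a script that silently matches the clean baseline while Process Explorer still fails points at Process Explorer's own handle path rather than the process.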


Solution 1:

CSRSS is a standard Microsoft service: https://en.wikipedia.org/wiki/Client/Server_Runtime_Subsystem

It is basically an intermediary function that goes between the userspace and kernelspace.

As it has kernel-level authority, you cannot access its memory map from a normal userspace program. This is a safety mechanism to prevent malicious programs from using the memory map of programs with access to kernelspace, such as csrss, as a means to scan kernelspace memory looking for ways to gain authority escalation.

There is a widespread hoax that it is a virus or Trojan. This hoax is utilized by many unscrupulous sites that try to get you to download Trojans, spyware or adware in the attempt to remove it. NEVER download system scanners, or any executable files for that matter, from an untrusted website.