How does RD protect against Ruin/Ru1n etc?

Discussion in 'Ghost Security Suite (GSS)' started by TopperID, Sep 14, 2005.

Thread Status:
Not open for further replies.
  1. TopperID

    TopperID Registered Member

    Joined:
    Oct 1, 2004
    Posts:
    1,527
    Location:
    London
    Some malware appears to create Registry keys such as:-

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ru1n

    or variants like ...CurrentVersion\Ruin, where it places executable files in order to auto start at bootup.

    I'm just wondering how RD protects in these situations. Obviously the 'Run' key will be protected, but it does not seem to cover 'CurrentVersion\Ru1n'. Does the malware have to knock out the 'Run' key in order to use Ruin/Ru1n etc?

    How does this work in practice?
     
  2. You would have to add the following rules:

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Currentversion\* | | CREATE KEY, MODIFY KEY, SET VALUE, DELETE VALUE | Ask User, Log to Disk | test | 1

    HKEY_CURRENT_USER\Software\Microsoft\Windows\Currentversion\Run\* | | CREATE KEY, MODIFY KEY, SET VALUE, DELETE VALUE | Ask User, Log to Disk | test | 2
     
  3. passing thru

    passing thru Guest

    Correction for the second rule:

    HKEY_CURRENT_USER\Software\Microsoft\Windows\Currentversion\* | | CREATE KEY, MODIFY KEY, SET VALUE, DELETE VALUE | Ask User, Log to Disk | test | 2
     
  4. TopperID

    TopperID Registered Member

    Joined:
    Oct 1, 2004
    Posts:
    1,527
    Location:
    London
  5. rickontheweb

    rickontheweb Registered Member

    Joined:
    Nov 14, 2004
    Posts:
    129
    Wouldn't you be better off using only the CREATE KEY, MODIFY KEY options as a trigger?

    It seems you would be prompted to death using those rules with SET VALUE, DELETE VALUE also (wildcards still throw me off).

    Looking quickly, it looks like it installs a new DLL that creates and looks to ru1n instead of run, or does it alter the existing run key into ru1n? Not clear on that.

    How often are new keys like the unwanted "ru1n" or real legit ones created/modified in those sections?

    If the answer is very rarely, then wouldn't create/modify key suffice and create less prompting while still providing protection?
     
  6. TopperID

    TopperID Registered Member

    Joined:
    Oct 1, 2004
    Posts:
    1,527
    Location:
    London
    That's what I was thinking - how to protect against this type of threat without seriously affecting normal computer use.

    Well, I don't think it's a .dll, since it has an .exe extension. If it was a .dll it would not be autostarted by that key; it would be incorporated into another process that was already autostarting.

    I'm not clear on that either!

    As I said, I've seen several of these malware samples recently (another one used 'Ruin' as the key) and it does seem to be a way of completely negating RD's protection against autostarting from the Registry.

    Unless I am misunderstanding this!
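One way to check for the look-alike keys the thread describes, as an added example that is not from the thread or from Ghost Security Suite: it lists the subkeys under a CurrentVersion-style path and flags names that are within one edit of a legitimate autorun key name (such as Ru1n or Ruin next to Run). The legitimate-key list and the sample subkey names are assumptions constructed for the demonstration; the live scan uses the standard winreg module and is skipped off Windows.

```python
"""Flag registry subkeys whose names mimic the legitimate autorun keys."""

# Assumption: the autorun subkeys that legitimately sit under
# ...\Microsoft\Windows\CurrentVersion (extend for your own environment).
LEGIT_AUTORUN_KEYS = {"run", "runonce", "runonceex", "runservices", "runservicesonce"}

# Constructed sample of subkey names, as a scan of an infected box might return.
SAMPLE_SUBKEYS = ["Run", "RunOnce", "RunOnceEx", "Ru1n", "Ruin",
                  "Uninstall", "Explorer", "Policies"]


def levenshtein(a, b):
    """Plain edit distance; inputs are short key names so an O(n*m) table is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def suspicious_autorun_keys(subkeys, max_distance=1):
    """Return (name, closest_legit_key) for subkeys that resemble but are not a legit key."""
    hits = []
    for name in subkeys:
        lowered = name.lower()
        if lowered in LEGIT_AUTORUN_KEYS:
            continue  # exact legitimate key, nothing to report
        legit, dist = min(((k, levenshtein(lowered, k)) for k in LEGIT_AUTORUN_KEYS),
                          key=lambda pair: pair[1])
        if dist <= max_distance:
            hits.append((name, legit))
    return hits


def enumerate_subkeys(root_name, path):
    """Live enumeration via winreg on Windows; returns [] where winreg is unavailable."""
    try:
        import winreg
    except ImportError:
        return []
    names = []
    with winreg.OpenKey(getattr(winreg, root_name), path) as key:
        index = 0
        while True:
            try:
                names.append(winreg.EnumKey(key, index))
            except OSError:
                return names  # EnumKey raises once the subkeys are exhausted
            index += 1


if __name__ == "__main__":
    live = enumerate_subkeys("HKEY_LOCAL_MACHINE", r"SOFTWARE\Microsoft\Windows\CurrentVersion")
    for name, legit in suspicious_autorun_keys(live or SAMPLE_SUBKEYS):
        print(f"suspicious autorun key {name!r} (looks like {legit!r})")
```

Run the same check against HKEY_CURRENT_USER as well, since the corrected rule in the thread covers both hives.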
     