Registry Monitor comparison

Discussion in 'other anti-malware software' started by hojtsy, May 19, 2004.

Thread Status:
Not open for further replies.
  1. Graphic Equaliser

    Graphic Equaliser Registered Member

    Joined:
    Nov 5, 2004
    Posts:
    421
    Location:
    London England UK
    As regards BKDR_GWBOY.K and the key HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers, Trend Micro states the IP address the trojan communicates with, so I traced it, and here is the result:

    Tracing Route to 61.178.77.108 :-
    Hops 1 to 9 removed for security purposes, and then ...
    10) core1-gig10-1.kingston.ukcore.bt.net, 194.72.3.65 (Timings 91 42 39)
    11) core1-pos5-3.ealing.ukcore.bt.net, 195.99.120.186 (Timings 49 46 45)
    12) transit1-pos5-0.ealing.ukcore.bt.net, 194.72.17.122 (Timings 72 84 72)
    13) t2c1-p1-0.uk-eal.eu.bt.net, 166.49.168.13 (Timings 43 45 45)
    14) t2c1-p4-0.us-ash.eu.bt.net, 166.49.164.110 (Timings 182 148 313)
    15) 12.119.141.33 (Timings 367 445 253)
    16) tbr1-p013901.wswdc.ip.att.net, 12.123.217.9 (Timings 126 138 141)
    17) tbr1-cl4.sl9mo.ip.att.net, 12.122.10.30 (Timings 136 186 189)
    18) tbr2-cl2.sl9mo.ip.att.net, 12.122.9.142 (Timings 147 154 141)
    19) tbr2-cl2.la2ca.ip.att.net, 12.122.10.14 (Timings 171 186 171)
    20) gar1-p370.lsrca.ip.att.net, 12.123.199.242 (Timings 172 192 189)
    21) 12.119.9.42 (Timings 204 222 218)
    22) 202.97.51.213 (Timings 702 488 438)
    23) 202.97.53.29 (Timings 497 435 444)
    24) 202.97.38.142 (Timings 479 453 522)
    25) 202.97.16.37 (Timings 466 466 468)
    26) 61.178.77.108 (Timings 528 504 -1)
    27) 61.178.255.177 (Timings 465 498 501)
    28) 61.178.77.108 (Timings 477 504 -1)
    29) 61.178.77.108 (Timings 475 474 504)
    Trace for Host 61.178.77.108 is Complete

    So it's a California address (perhaps), just before a whole load of unregistered IP addresses, and then the final node. This trace routine will usually fail on the last couple of hops to reach the destination if the PC is a client machine (usually switched off). However, this node is up and ready 24/7, and looks to be a server of some sort! I'm trying to find an open port on it now. Interesting stuff.
     
    Last edited: Nov 25, 2004
  2. hojtsy

    hojtsy Registered Member

    Joined:
    Dec 28, 2003
    Posts:
    351
    First of all, let's celebrate that we are past 250 posts in this thread. :cool: Seems to be a hot topic!
    Hmm, there are hundreds of such exotic locations which are not yet exploited by anybody. Let's not give hints to the script kiddies. I believe that we should only include/discuss keys which are already exploited, or were published somewhere, and are therefore most probably known in the hacker communities. You cannot fight an expert hacker anyway: he will find one more hole which is still not covered. We should rather be fighting the average hackers by covering known holes. But I am open to discussion.

    (Note that I will have a "long holiday" away from the computer for approx. 2 weeks, so do not expect fast answers.)
    -hojtsy-
     
  3. Dazed_and_Confused

    Dazed_and_Confused Registered Member

    Joined:
    Mar 4, 2004
    Posts:
    1,831
    Location:
    USA
    Enjoy your holiday, Hojtsy! :D
     
  4. Graphic Equaliser

    Graphic Equaliser Registered Member

    Joined:
    Nov 5, 2004
    Posts:
    421
    Location:
    London England UK
    Yes, this thread is exceptional.
    With the way I have my custom set in MJRW configured, I could nearly cover every executable on the system. But, as I have mentioned before, there are other ways into Windows PCs that don't use the registry. A lot of these are covered by programs such as Process Guard. But, when it comes down to it, every OS has holes, with oodles being concerned with buffer overflow attacks. I am on Secunia's email list, and there are lots of reports for vulnerabilities in all flavours of Linux, AIS and all sorts of other OSes. Security is going to be a lasting concern, and one which I hope MJRW helps with.
     
  5. hojtsy

    hojtsy Registered Member

    Joined:
    Dec 28, 2003
    Posts:
    351
    Two new keys coming from the new MJ RegWatcher:

    1 2 3 4 5 6 7 8 9
    S R P R T S G W M
    M P G R T S A P J
    - - - - - - - - + (K) HKLM\System\CCS\Control\lsa link
    - - - - - - - - + (K) HK**\SW\MS\ole link

    -hojtsy-
     
  6. diginsight

    diginsight Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    236
    Location:
    Netherlands
    Hi,

    I've read the entire thread, but didn't see a reference to Silent Runners.
     
  7. bellgamin

    bellgamin Registered Member

    Joined:
    Aug 1, 2002
    Posts:
    8,102
    Location:
    Hawaii
    Silent Runners is a .vbs program & requires additional files to run under Win9X. It monitors 48 items, listed HERE.

    Is a program running under vbs *resistant enough* to monitor the registry against possible hacks? Also, how much of a hit does a vbs program put on system resources? These are sincere questions. I hope someone will answer.
     
  8. diginsight

    diginsight Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    236
    Location:
    Netherlands
    Hi Bellgamin,

    I'm sorry if I wasn't clear enough, because I had been reading on security topics for more than 14 hours in a row :) I didn't intend to qualify Silent Runners as a registry monitor, but only as a registry scanner, and was curious how its key set would hold up against the excellent set from Registry Watcher.

    I'll try to compare them with the latest version of MJRegWatchKeys.txt and post my results.

    Edit (results added):

    These are the differences I found between MJRegWatchKeys.txt and sr_launchpoints.html

    10. HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\load
    HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\run NT4+
    11. HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell NT4+
    32. HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\ All
    35. HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\GinaDLL
    HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
    HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\System
    HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit NT4+
    38. HKLM\System\CurrentControlSet\Control\Session Manager\BootExecute NT4+

    43. [Local Fixed Disk]\AUTORUN.INF open=, shellexecute= All *
    44. %WINDIR%\Start Menu\Programs\Startup W98
    45. %WINDIR%\All Users\Start Menu\Programs\Startup W98
    46. %USERPROFILE%\Start Menu\Programs\Startup NT4+
    47. %ALLUSERSPROFILE%\Start Menu\Programs\Startup NT4+
    48. %WINDIR%\Tasks

    I also saw Andrew Aronoff releasing InUse Destroyer.vbs on 7 December, which mentions the value PendingFileRenameOperations for Session Manager. MJRegWatchKeys.txt mentions FileRenameOperations, but also watches the entire Session Manager key, so PendingFileRenameOperations should probably also be covered.

    According to the W2K RSK:

    FileRenameOperations

    HKLM\SYSTEM\CurrentControlSet\Control\Session Manager

    Description

    The FileRenameOperations subkey stores the names of files to be deleted when the system restarts.

    The system adds this entry to the registry when a user or program tries to delete a file that is in use. The file names are stored in the value of this entry until the computer restarts and deletes the files.

    Note:
    The files identified by this entry are deleted before the system creates its paging files. This sequence allows the system to delete paging files from previous startups.

    PendingFileRenameOperations

    HKLM\SYSTEM\CurrentControlSet\Control\Session Manager
    Data type: REG_MULTI_SZ
    Range: File name pairs
    Default value: (There is no default value for this entry.)

    Description

    Stores the names of files to be renamed when the system restarts.

    This entry consists of pairs of file names. The file specified in the first item of the pair is renamed to match the second item of the pair. The system adds this entry to the registry when a user or program tries to rename a file that is in use. The file names are stored in the value of this entry until the system is restarted and they are renamed.

    Note:
    Windows 2000 does not add this entry to the registry. You can add it by editing the registry or by using a program that edits the registry.

    Caution:

    This entry is maintained by Windows 2000 for internal use only. Do not change the value of this entry.

    Dr Watson
    Don't know if you want to monitor the HKLM\Software\Microsoft\Windows NT\CurrentVersion\AeDebug key for debuggers. See http://support.microsoft.com/default.aspx?scid=kb;en-us;188296

    Sysprep Mini-Setup Wizard http://support.microsoft.com/?kbid=321070

    HKLM\SYSTEM\Setup

    • Cmdline:REG_SZ:setup -newsetup -mini
    • MiniSetupInProgress:REG_DWORD:0x1
    • SetupType:REG_DWORD:0x1
    • SystemSetupInProgress:REG_DWORD:0x1

    NOTE: Riprep or Sysprep adds the -mini parameter.

    HKLM\System\CurrentControlSet\Control\Session Manager
    SetupExecute:REG_MULTI_SZ:setupcl.exe

    Also [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
    "System"="any.exe". This is already covered by the Winlogon key, but maybe the System value should also be added.
     
    Last edited: Dec 20, 2004
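    The Resource Kit text quoted above describes the shape of PendingFileRenameOperations but not how to read it, and Regedit shows the value poorly because the "delete" entries are empty strings inside the REG_MULTI_SZ. The decoder below is an added example, not code from this thread nor from Silent Runners, InUse Destroyer or MJ Registry Watcher. It assumes (and documents in comments) that the strings come in (source, destination) pairs, that an empty destination means delete, that a leading "!" on the destination means replace an existing file, and that paths carry the NT "\??\" prefix. The sample value is constructed; on a real machine the raw bytes would come from the Session Manager key.

```python
"""Decode and triage a PendingFileRenameOperations value (REG_MULTI_SZ).

Added example, not from the thread or from any tool it names.
Assumptions (documented here, not taken from the thread):
  - strings come in (source, destination) pairs,
  - an empty destination string means "delete source at next boot",
  - a leading "!" on the destination means "replace an existing target",
  - paths carry the NT object-manager prefix "\\??\\".
"""
from dataclasses import dataclass
from typing import List, Optional

NT_PREFIX = "\\??\\"
# Assumed sensitive destinations for triage; adjust to the host being checked.
SYSTEM_DIRS = ("c:\\windows\\system32", "c:\\windows\\system32\\drivers")


def encode_multi_sz(items: List[str]) -> bytes:
    """REG_MULTI_SZ layout: each string NUL-terminated, then one extra NUL."""
    return ("".join(s + "\x00" for s in items) + "\x00").encode("utf-16-le")


def decode_multi_sz(raw: bytes) -> List[str]:
    """Split REG_MULTI_SZ bytes into strings. Interior empty strings are kept
    (an empty destination is meaningful); only the list terminator is dropped."""
    if len(raw) % 2:
        raise ValueError("REG_MULTI_SZ must be an even number of bytes")
    text = raw.decode("utf-16-le")
    if text.endswith("\x00\x00"):
        text = text[:-2]
    elif text.endswith("\x00"):          # tolerate a missing list terminator
        text = text[:-1]
    return text.split("\x00") if text else []


def _strip_nt(path: str) -> str:
    return path[len(NT_PREFIX):] if path.startswith(NT_PREFIX) else path


@dataclass(frozen=True)
class PendingOp:
    action: str                 # "rename" or "delete"
    source: str
    destination: Optional[str]  # None for delete
    replace_existing: bool      # "!" prefix seen on the destination


def parse_pending_ops(raw: bytes) -> List[PendingOp]:
    items = decode_multi_sz(raw)
    if len(items) % 2:
        raise ValueError("value must hold (source, destination) pairs")
    ops = []
    for src, dst in zip(items[0::2], items[1::2]):
        if dst == "":
            ops.append(PendingOp("delete", _strip_nt(src), None, False))
            continue
        replace = dst.startswith("!")
        target = _strip_nt(dst[1:] if replace else dst)
        ops.append(PendingOp("rename", _strip_nt(src), target, replace))
    return ops


def triage(ops: List[PendingOp]) -> List[str]:
    """Findings worth a look before rebooting: anything that lands a file in,
    or removes a file from, one of SYSTEM_DIRS at next boot."""
    findings = []
    for op in ops:
        target = (op.destination if op.action == "rename" else op.source).lower()
        in_system = any(target.startswith(d + "\\") for d in SYSTEM_DIRS)
        if op.action == "rename" and in_system:
            note = " (replaces existing)" if op.replace_existing else ""
            findings.append(f"rename into system dir: {op.source} -> {op.destination}{note}")
        elif op.action == "delete" and in_system:
            findings.append(f"delete from system dir: {op.source}")
    return findings


# Constructed sample: one staged driver drop, one ordinary temp-file cleanup.
SAMPLE_VALUE = encode_multi_sz([
    NT_PREFIX + "C:\\DOCUME~1\\user\\LOCALS~1\\Temp\\~tmp1.sys",
    "!" + NT_PREFIX + "C:\\WINDOWS\\system32\\drivers\\driver.sys",
    NT_PREFIX + "C:\\DOCUME~1\\user\\LOCALS~1\\Temp\\setup.tmp",
    "",
])

if __name__ == "__main__":
    pending = parse_pending_ops(SAMPLE_VALUE)
    for op in pending:
        print(op)
    for line in triage(pending):
        print("!!", line)
```

    The decoder trims exactly the terminator rather than every trailing NUL, so a trailing delete entry (source followed by an empty destination at the very end of the value) survives; stripping all trailing NULs would silently drop it.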
  9. hojtsy

    hojtsy Registered Member

    Joined:
    Dec 28, 2003
    Posts:
    351
    All of this is covered in MJ RegWatcher except #32, which will be added to post #1 soon.

    43: not covered,
    44, 45, 46, 47: covered by hardcoded values, not visible in the list,
    48: not covered

    New keys coming as always:

    1 2 3 4 5 6 7 8 9
    S R P R T S G W M
    M P G R T S A P J
    - - - - - - - - + (v) HKLM\System\CCS\Control\Session Manager\PendingFileRenameOperations link
    - - - - - - - - + (v) HKLM\System\CCS\Control\Session Manager\environment\path
    - - - - - - - - - (K) HKLM\SW\MS\Windows NT\CV\Shell Extensions\Approved link

    -hojtsy-
     
  10. diginsight

    diginsight Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    236
    Location:
    Netherlands
    Great. Thanks for the explanation.
     
  11. Graphic Equaliser

    Graphic Equaliser Registered Member

    Joined:
    Nov 5, 2004
    Posts:
    421
    Location:
    London England UK
    I think I have found a problem with your list. You have put
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Shell Extensions\Approved
    and listed MJRW as not covering this key. However, the key is actually
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved
    and this is definitely covered by MJRW.

    When I do a Google search for both keys, yours returns 2 hits (one of which is the Symantec link) and mine returns 1060 hits. I think there has been a genuine typo here. I always check my keys with a double-quote wrapped Google search, to make sure I am not copying a typo.

    By the way, thanks for explaining things to diginsight.

    Best regards,
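    diginsight's comparison above was done by hand, and mixing hojtsy's abbreviations (HK**, SW, MS, CV, CCS) with the long-form names in sr_launchpoints makes a slip of the "Windows NT" versus "Windows" kind, as caught in the exchange just above, easy to miss. The Python below is an added example, not from the thread or from MJ Registry Watcher or Silent Runners. It normalizes both spellings, treats a monitored key as covering its subkeys and values (as hojtsy says MJRW does for the whole Session Manager key), and flags a key that appears on one side only but is nearly identical to a key on the other side. Both key lists are constructed for the demonstration, and the expansion of HK** to HKLM plus HKCU is read from hojtsy's table rather than from any tool's documentation.

```python
"""Normalize and compare two autostart key lists.

Added example, not code from the thread or from either tool it discusses.
The abbreviations follow hojtsy's tables (HK** = both HKLM and HKCU); the
two key lists at the bottom are constructed for the demonstration.
"""
import difflib
import re
from typing import Dict, List, Set, Tuple

HIVES = {
    "HKEY_LOCAL_MACHINE": "HKLM", "HKEY_CURRENT_USER": "HKCU",
    "HKEY_CLASSES_ROOT": "HKCR", "HKEY_USERS": "HKU",
    "HKLM": "HKLM", "HKCU": "HKCU", "HKCR": "HKCR", "HKU": "HKU",
}
SEGMENTS = {"SW": "Software", "MS": "Microsoft",
            "CV": "CurrentVersion", "CCS": "CurrentControlSet"}
# hojtsy-style line: "- - - - - - - - + (K) HKLM\System\CCS\Control\lsa link"
TABLE_LINE = re.compile(r"\((?P<kind>K|v)\)\s+(?P<key>.+?)(?:\s+link)?\s*$")


def key_from_table_line(line: str) -> str:
    """Pull the key path out of one of hojtsy's coverage-table lines."""
    m = TABLE_LINE.search(line)
    if not m:
        raise ValueError(f"not a key-table line: {line!r}")
    return m.group("key")


def normalize(key: str) -> List[str]:
    """Canonical form(s): short hive name, abbreviations expanded, path
    lower-cased. 'HK**' expands to both HKLM and HKCU, so one input line
    may yield two keys."""
    parts = [p for p in re.split(r"[\\/]+", key.strip().strip("[]")) if p]
    hive, rest = parts[0].upper(), parts[1:]
    if hive == "HK**":
        hives = ["HKLM", "HKCU"]
    elif hive in HIVES:
        hives = [HIVES[hive]]
    else:
        raise ValueError(f"unknown hive in {key!r}")
    tail = "\\".join(SEGMENTS.get(p.upper(), p) for p in rest).lower()
    return [h + "\\" + tail for h in hives]


def covered_by(key: str, monitored: Set[str]) -> bool:
    """A key is covered if it, or any ancestor, is in the monitored set:
    watching a key covers its subkeys and values."""
    while True:
        if key in monitored:
            return True
        head, sep, _ = key.rpartition("\\")
        if not sep:
            return False
        key = head


def compare(list_a: List[str], list_b: List[str]) -> Dict[str, list]:
    a = {k for line in list_a for k in normalize(line)}
    b = {k for line in list_b for k in normalize(line)}
    missing_from_a = sorted(k for k in b if not covered_by(k, a))
    missing_from_b = sorted(k for k in a if not covered_by(k, b))
    # A key missing on one side that is almost identical to one missing on the
    # other side is more likely a spelling difference than a coverage gap.
    near: List[Tuple[str, str]] = [
        (k, m) for k in missing_from_a
        for m in difflib.get_close_matches(k, missing_from_b, n=1, cutoff=0.9)
    ]
    return {"missing_from_a": missing_from_a,
            "missing_from_b": missing_from_b,
            "near_misses": near}


# Constructed lists (not the real MJRegWatchKeys.txt or sr_launchpoints.html).
MJRW_KEYS = [
    "HKLM\\SW\\MS\\Windows\\CV\\Run",
    "HK**\\SW\\MS\\Windows\\CV\\RunOnce",
    "HKLM\\System\\CCS\\Control\\Session Manager",
    "HKLM\\SW\\MS\\Windows\\CV\\Shell Extensions\\Approved",
    "HKLM\\SW\\MS\\Windows NT\\CV\\Winlogon",
]
SR_KEYS = [
    "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run",
    "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnce",
    "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Shell Extensions\\Approved",
    "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\GinaDLL",
    "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Session Manager\\BootExecute",
]

if __name__ == "__main__":
    for section, keys in compare(MJRW_KEYS, SR_KEYS).items():
        print(section)
        for k in keys:
            print("   ", k)
```

    In the constructed run the only key Silent Runners' list watches that the MJRW list does not is the "Windows NT\...\Shell Extensions\Approved" spelling, and it comes back as a near miss against MJRW's "Windows\...\Shell Extensions\Approved", which is exactly the kind of slip a quoted Google search was being used to catch above. GinaDLL and BootExecute are reported as covered because their parent keys are watched.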
     
  12. gottadoit

    gottadoit Security Expert

    Joined:
    Jul 12, 2004
    Posts:
    605
    Location:
    Australia
    Another app possibly worth a mention in the "see also" for RegRun is UnHackMe. It uses a novel method of monitoring: looking at the underlying registry file on disk and comparing what it finds there to the results of calls via the API.

    It will be interesting to see if this evolves as a separate application or just gets folded into RegRun when the competitors come to the party and do the same style of checks.

    For that matter, I couldn't tell just by reading the RegRun feature list if this functionality is already in RegRun (you would hope so) or if the extra program was required. It would be interesting to know if the UnHackMe functionality is included in RegRun.

    Also, for the System Safety Monitor entry: it isn't intended to be free; the beta versions are time-locked. In the SSM support forum (here), there is a thread asking what the final price of SSM will be.
     
  13. kareldjag

    kareldjag Registered Member

    Joined:
    Nov 13, 2004
    Posts:
    622
    Location:
    PARIS AND ITS SUBURBS
    Hi,

    Just some other ones:

    ***MasterYourWindows*** Very efficient anti-spyware tool:

    http://piussoft.tripod.com/

    ***InstallSpy*** Monitors any change in the registry but does not alert.
    We have to read the log (with aspirin):

    http://www.2brightsparks.com/freeware/freeware-hub.html

    ***ScoundrelSimulator*** A tool to test your protection.
    Disclaimer: it'll try to deactivate RegEdit and to add a startup entry.

    http://www.geeksuperhero.com/scoundrelsim.shtml

    But finally I prefer a vaccination or an immunisation of the system and the registry.
    But monitoring Run keys is necessary for a high level of protection.

    Regards
     
  14. Chris12923

    Chris12923 Registered Member

    Joined:
    May 31, 2004
    Posts:
    1,097
    Unhackme functionality is not included in RegRun but will be included in RegRun Platinum version yet to be released. Hope this helps. To keep informed or questions concerning RegRun please visit http://www.greatissoftware.com/forums/

    Thanks,

    Chris
     
    Last edited: Jan 15, 2005
  15. hojtsy

    hojtsy Registered Member

    Joined:
    Dec 28, 2003
    Posts:
    351
    Hmm, neither was covered in v1.2.3.4. I see that it is covered now in the separately downloadable keylist. I'll fix this in post #1.

    New keys are coming:
    1 2 3 4 5 6 7 8 9
    S R P R T S G W M
    M P G R T S A P J
    - - - - - - - - + (K) HK**\SW\MS\Windows\CV\policies\Explorer link
    - - - - - - - - + (K) HK**\SW\MS\Windows\CV\policies\System link
    - - - - - - - - - (K) HK**\SW\MS\Windows\CV\policies\Network link

    -hojtsy-
     
  16. sofija41

    sofija41 Guest

    Need a registry cleaner

    Hi, I need a good registry cleaner, but I don't have good knowledge about computers. Can somebody tell me if "TUNE-UP" Utilities is good? Thank you
     
  17. Chris12923

    Chris12923 Registered Member

    Joined:
    May 31, 2004
    Posts:
    1,097
  18. hojtsy

    hojtsy Registered Member

    Joined:
    Dec 28, 2003
    Posts:
    351
    Some more key will be added to the list:


    1 2 3 4 5 6 7 8 9
    S R P R T S G W M
    M P G R T S A P J
    - - - - - - + - - (K) HKCU\SW\MS\Internet Explorer\URLSearchHooks link
    - - - - - - - - - (K) HK**\SW\MS\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN link (XP SP2 only)


    I find the second key quite funny: there are already several keys at completely different locations in the registry controlling the policies and restrictions of Internet Explorer. And every time Microsoft thinks up a new restriction or policy, they find one more exotic location in the registry to hide the setting. This one was invented for XP SP2. Did they simply put the key among the usual security settings of iexplore? No! With this choice they are making the work of security monitors harder, and thus helping malware. On top of it, note that Microsoft AntiSpyware (GA) does NOT monitor this key. Ahh, the current one is definitely not the best of all worlds. :doubt:

    -hojtsy-
     
  19. hojtsy

    hojtsy Registered Member

    Joined:
    Dec 28, 2003
    Posts:
    351
    W32.Dopbot worm tampers with several not yet covered keys:

    1 2 3 4 5 6 7 8 9
    S R P R T S G W M
    M P G R T S A P J
    - - - - - - - - - (K) HKLM\SW\MS\Windows\CV\WindowsUpdate link
    - - - - - - - - - (K) HKLM\SW\MS\Security Center link
    - - - - - - - - - (K) HKLM\SW\Policies\Microsoft\Windows\WindowsUpdate link

    -hojtsy-
     
  20. ellison64

    ellison64 Registered Member

    Joined:
    Oct 5, 2003
    Posts:
    2,587
    Anyone here use or remember Net Commando Lite/2000? I'm using that at the moment as a registry watcher, though I'm not exactly sure what keys it watches. I do know that it monitors autoexec.bat, system.ini etc. It also watches for modifications/deletions/additions to the Windows system folder. Anyone have experience or comments about this old software? Also, has anyone had any trouble with MJ Registry Watcher and BOClean? It keeps removing a BOClean value and I have to reinstall BOClean all the time if I use it.
    ellison
     
  21. Jason_R0

    Jason_R0 Developer

    Joined:
    Feb 16, 2005
    Posts:
    1,038
    Location:
    Australia
    I recently released a program called RegDefend ( http://www.ghostsecurity.com ) and
    I thanked you guys in the helpfile because this thread certainly helped me during the development of the program.

    I just thought I should thank you guys again here, it is threads like this which make you understand how forums can work really well. :)
     
  22. richrf

    richrf Registered Member

    Joined:
    Dec 11, 2003
    Posts:
    1,907
    Looks interesting. Has anyone tested this new program out? Maybe in conjunction with ProcessGuard?

    Thanks,
    Rich
     
  23. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Hi Rich, I have not done any in-depth testing of RegDefend, but yes, it does complement ProcessGuard very well with very little overlap.
    I have RegDefend on my Protection list with the default settings + allow install driver & services. Also "Always permit" in PG's security list.

    HTH Pilli :)
     
  24. richrf

    richrf Registered Member

    Joined:
    Dec 11, 2003
    Posts:
    1,907
    Thanks for the feedback Pilli. I am going to give it a try. As always, it is great to hear from you and I want to thank you for your continued support. Have a great weekend!

    Rich
     
  25. lynchknot

    lynchknot Registered Member

    Joined:
    Jun 26, 2004
    Posts:
    904
    Location:
    SW WA