suggestions for new ghst entries

Discussion in 'Ghost Security Suite (GSS)' started by dvk01, Jun 14, 2005.

Thread Status:
Not open for further replies.
  1. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID

    & HKCU & HKR software\classes\clsid as well

as warn only of modifying/creating keys & values to help stop unwanted toolbars etc. putting entries there, or would that give too many alerts in normal use?

I know that the majority of entries in there are harmless but annoying, and I had a little accident unpacking some malware which deposited some toolbar files on my computer and several entries in the software\classes\clsid sections of the registry, and it's annoying having to manually clean them up when regdefend would warn me in the first place in future "accidents"
     
  2. dvk01

and HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\system needs to be wildcarded as a warn, as it looks like the latest baddies are dropping subkeys under system to run

for Tony & others with access at MWR: see the thread "trusted crappie" in spyware & riskware
     
  3. TonyKlein

    TonyKlein Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    4,350
    Location:
    The Netherlands
HKCR\CLSID should cover all that, but it's just not practical, as most software you install registers (often a great deal of) subkeys there, just like it does to HKCR\Interface and HKCR\TypeLib
     
    Last edited: Jun 14, 2005
  4. TonyKlein

    Derek,

    System in fact is a value in the Winlogon subkey, not a subkey itself

    Could you give us an example of what you're referring to, please?
     
  5. dvk01

    unless I'm reading it wrong

    these baddies are adding values to a system subkey under winlogon

    http://forums.net-integration.net/index.php?showtopic=31184&st=15&#entry150422

    http://malware-research.co.uk/index.php?topic=213.0

or am I reading it wrong and they are just changing or adding a value to system, and the existing reg defend entries will warn on that?
     
  6. TonyKlein

    No, it really is about a System value in the Winlogon subkey (which is covered). It looks like this:


    If it were a 'System' subkey it would look exactly the way you initially posted it yourself:

    But the latter doesn't exist.
     
  7. dvk01

    Thanks Tony

    It's nice to know the regdefend will prevent this one as it's a right pain to track down & fix
     
  8. TonyKlein

    You're very welcome, Derek.

    Let me add I did try this startup method myself, but I never was able to make it launch an application at boot...

A taskman value in Winlogon really does cause an application to launch, although this is almost completely undocumented...
     
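The two Winlogon autostart values discussed above (a non-empty "System" value and an undocumented "Taskman" value) are easy to pick out of a registry export, as an added example that is not code from this thread or from Ghost Security Suite / RegDefend. It parses a constructed .reg export (assumed sample data, not a real machine) and reports anything in the Winlogon key that a SilentRunners-style check would flag, plus any "System" subkey under Winlogon, which is what the thread first suspected.

```python
import re

# Constructed sample .reg export (assumed data, not taken from a real system).
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe"
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"
"System"="C:\\WINDOWS\\system32\\example_dropped.exe"
"Taskman"="C:\\Documents and Settings\\user\\example_taskman.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
"""

WINLOGON = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
# 'System' is normally empty on XP; 'Taskman' is normally absent. Either holding a path is an autostart.
SUSPECT_VALUES = {"system", "taskman"}


def parse_reg(text):
    """Parse a .reg export into {key_path: {value_name: data}} (REG_SZ values only)."""
    keys = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None and line.startswith('"'):
            m = re.match(r'"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$', line)
            if m:
                # .reg files escape backslashes and quotes; undo that for the stored data.
                data = m.group(2).replace("\\\\", "\\").replace('\\"', '"')
                keys[current][m.group(1)] = data
    return keys


def winlogon_findings(keys):
    """Return (key_path, value_name, data) for suspect Winlogon values and any System subkey."""
    findings = []
    for path, values in keys.items():
        if path.lower() == WINLOGON.lower():
            for name, data in values.items():
                if name.lower() in SUSPECT_VALUES and data.strip():
                    findings.append((path, name, data))
        elif path.lower().startswith(WINLOGON.lower() + "\\system"):
            findings.append((path, "<subkey>", ""))
    return findings


if __name__ == "__main__":
    for path, name, data in winlogon_findings(parse_reg(SAMPLE_REG)):
        print(f"{path}\n    {name} = {data}")
```

On a live machine the same check runs against the output of `reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" winlogon.reg`.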
  9. dvk01

they know we have the documented ones covered, so they are trying everything that might work, and this system one is a right pain as only silent runners sees it
     
  10. TonyKlein

    Yet more work for Merijn, I should think... :(

    We may want to point him to SilentRunners, if he hasn't already been studying that script.
     