Tested against Scoundrel Simulator

Discussion in 'Ghost Security Suite (GSS)' started by hojtsy, Feb 21, 2005.

Thread Status:
Not open for further replies.
  1. hojtsy (Registered Member)
    Hi,

    I tested it against Scoundrel Simulator, which commits four registry changes commonly used in malicious software. (Well, yes, I know the test tool was made by a different vendor, but it seems to fit the task anyway.) The default keyset of RegDefend only covers one out of these four changes. So the test ran as expected: one of the changes was blocked, and the other 3 succeeded. I will also test it with the specific keys added to the protection list. [Edit: after adding the specific keys to the protected ones, RegDefend blocks the registry attacks of this test app.]
    -hojtsy-
    Last edited: Feb 22, 2005
  2. rodsoto (Registered Member)
    Hey there,

    Do you by any chance know which registry keys were altered?

    I will download the program and test it out.

    Kind Regards
    ----

    Found one. For stopping the modification of the Registry:

    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System

    Found another. For stopping the loading of Control Panel applets:

    HKEY_CURRENT_USER\Control Panel\don't load
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Control Panel\don't load

    And for Internet Options:
    HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Restrictions
    Last edited: Feb 21, 2005
  3. LowWaterMark (Administrator)
    Just by blocking everything, it seems to try to set more than 4 items.
  4. siliconman01 (Registered Member)
    So based on what you are finding, is there a recommendation for additional custom rules to help us DEFEND our boxes?
  5. Jason_R0 (Developer)
    Thanks for testing, hojtsy :). If you could list the keys that need to be protected for this test program and any others, I will add them to the next build of RegDefend.
  6. kareldjag (Registered Member)
    Hi,

    As was discussed in some posts, registry monitoring is an important function for increasing security.
    I've done a little example of one of these utilities and a tool to test it:
    https://www.wilderssecurity.com/showpost.php?p=346815

    But many of these tools (free or not) could be bypassed.
    With Scoundrel Simulator for instance, only Spysweeper detects the "startup user" entry, but not Tea-timer, RegDefend, Master your Windows or Startup Inspector (RegDefend is the fastest for the other tests).

    And Scoundrel Simulator is a basic test utility.
    There are some methods used by rootkits in order to bypass some registry protections.

    Consequently, having RegDefend with monitoring and BLOCKING features could be more interesting.
    In fact, with this kind of blocking feature, no new key could be added without our permission (new software, updates etc.).

    In any case, congratulations for RegDefend and good luck in your own business.

    Regards
  7. gottadoit (Security Expert)
    Jason,
    I'm wondering now if you have seen hojtsy's impressive Registry Monitor comparison thread, where there is a nice list of keys to monitor.
    I had assumed that you already had, or that someone would have told you by now.

    So, just in case and at the risk of pointing out the obvious, the link is above.
  8. Jason_R0 (Developer)
    Yes, I know of that thread; however, some of the information as to why the specific keys are there is missing. I don't necessarily want to add rules for items which aren't that important and which may generate a lot of extra confirmations for the end-user, which is why a lot of them will need to undergo some testing. :)
  9. hojtsy (Registered Member)
    As rodsoto already found, the not-yet-covered keys abused by Scoundrel Simulator are:
    HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
    HKCU\Control Panel\don't load
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Control Panel\don't load
    HKCU\Software\Microsoft\Internet Explorer\Main\Start Page
    After configuring these keys, the registry attacks of Scoundrel Simulator, and of the scoundrels it simulates, are blocked. While adding these keys I found that it is very tiresome to add many keys; please try to improve this part of the GUI (for example by adding a key by name instead of browsing the tree).

    Each key in that list has a link going to a report about a trojan abusing that specific key. That is the answer to the "why". :D Sorry, but that is the most I can provide for now. I won't have the time to explain/research/document the usage/format/syntax/dangers of every one of those many keys, especially considering that I am doing this for free. Even the presence of the list should provide solid ground for further investigation, and after that your best friend is Google. (Hmm, that reminds me of the author of WinPatrol asking me for some kind of tutorial for my key list. After I declined he didn't put any new one of those keys into WinPatrol.)
    Users of MJ-RegWatcher already participated in testing the number of confirmation dialogs for that key list. Why not ask them? For me, after proper configuration, 95% of those keys generated zero warnings when I was not deliberately (re)configuring something.
    -hojtsy-
    Last edited: Feb 21, 2005
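A defender-side way to watch the four keys listed in this post when no blocking tool is installed: take a baseline of their values, then re-run after installing software or a test tool and report anything that was added, changed or removed. This is an added example, not code from the thread or from RegDefend; the key paths are the ones listed above, while the baseline file location, the handling of "Start Page" (a value under the Main key, so the Main key is snapshotted) and the value names in the comments are my own assumptions.

```powershell
# Added example: baseline-and-compare audit of the registry keys listed in this thread.
$WatchedKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System',        # e.g. DisableRegistryTools
    "HKCU:\Control Panel\don't load",                                          # hides Control Panel applets
    "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Control Panel\don't load",
    'HKCU:\Software\Microsoft\Internet Explorer\Main'                          # holds the "Start Page" value
)
# Assumed location for the saved baseline; adjust to taste.
$BaselinePath = Join-Path $env:LOCALAPPDATA 'regwatch-baseline.xml'

function Get-RegistrySnapshot {
    # Returns a hashtable "key|valueName" -> value (as string) for every value under each watched key.
    $snap = @{}
    foreach ($key in $WatchedKeys) {
        if (-not (Test-Path -LiteralPath $key)) { continue }   # absent key means nothing is restricted
        $props = Get-ItemProperty -LiteralPath $key
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }              # skip the provider's PSPath/PSDrive metadata
            $snap["$key|$($p.Name)"] = [string]$p.Value
        }
    }
    return $snap
}

function Compare-RegistrySnapshot {
    param([hashtable]$Baseline, [hashtable]$Current)
    # Lists added, changed and removed values between the two snapshots.
    $findings = @()
    foreach ($k in $Current.Keys) {
        if (-not $Baseline.ContainsKey($k)) {
            $findings += "ADDED   $k = '$($Current[$k])'"
        } elseif ($Baseline[$k] -ne $Current[$k]) {
            $findings += "CHANGED $k : '$($Baseline[$k])' -> '$($Current[$k])'"
        }
    }
    foreach ($k in $Baseline.Keys) {
        if (-not $Current.ContainsKey($k)) { $findings += "REMOVED $k (was '$($Baseline[$k])')" }
    }
    return $findings
}

if (-not (Test-Path -LiteralPath $BaselinePath)) {
    # First run: record the known-good state.
    Get-RegistrySnapshot | Export-Clixml -Path $BaselinePath
    Write-Host "Baseline written to $BaselinePath; run again after installing software or a test tool."
} else {
    $diff = Compare-RegistrySnapshot -Baseline (Import-Clixml -Path $BaselinePath) -Current (Get-RegistrySnapshot)
    if ($diff) { $diff | ForEach-Object { Write-Warning $_ } } else { Write-Host 'No changes to watched keys.' }
}
```

Delete the baseline file after a change you made yourself so the next run starts from the new known-good state.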
  10. gottadoit (Security Expert)
    I am one of those users and it hasn't caused me much pain. I do get quite a few alerts about services being created, but that is by choice.

    Seeing as RegDefend has groups, it wouldn't be particularly hard to have a look at the different MJRW list sets (light, default, medium, high, highest or custom) and make your own set of groups that provides something similar.

    If the groups can be flagged to be enabled/disabled, then you can deliver a product with the full list configured and make it easy to become more/less paranoid about what is being monitored.

    As far as being cautious about what is being added, I understand where you are coming from, but configuration (enable/disable groups) and operational flexibility (import/export of key and app data) will allow you to satisfy everyone from the most picky of us to the people who want it to work out of the box and then let them learn and slowly enable more features (without necessarily needing to deal with the complexity).

    My 3p
  11. richrf (Registered Member)
    Great idea. I like it.

    Rich