Security, hacker detection & forensics FAQ

Securing Desktops

Checking for incursions in the Registry with standard Windows utilities by jnicks
Posted: 23 Aug 02

          Securing Desktops from Registry Altering Worms

Much of the InfoSec community's effort goes towards networks and servers, perhaps because they do not have a reasonable chance of affecting Windows security holes. This is an interesting approach; taking it to the other extreme, one could say:

  1. If all desktops, user systems, were totally secure, a corrupted server or net would not matter half so much.
  2. As long as desktop security is very bad there will be zombies attacking servers and the net and the security of networks and servers becomes impossible, or at least far, far more difficult and expensive.


There has been little attention to simple things that can be done to improve Desktop resistance to viruses and worms, other than expensive, unreliable, cranky integrated Anti-Virus applications.

An alternative: What follows is a part of making the windows desktop more secure and able to alert others if they have been affected by many viruses or worms.


  1. Many viruses and worms alter portions of the Registry in a highly predictable way.
  2. Any desktop can trivially get its registry keys with standard MS programs.
  3. Any desktop can replace its registry keys with standard MS programs.
  4. If certain keys have been altered in certain ways, the desktop should alert its user to get assistance, almost entirely with standard MS programs.


In short, many networks and users have had failures and suffered damage that could have been caught, and much of the damage prevented, almost entirely with standard MS programs. In a word, pointlessly.


Having a desktop check its registry for common registry alterations takes a second, maybe two on an older system. It is so quick it can be

  1. Run at bootstrap time.
  2. Scheduled hourly.
  3. Run at NT logon time.
  4. Run at shutdown.



Getting Registry Values.


To get registry keys, either in DOS at bootstrap time or in Windows, enter

  RegEdit /E filename key

as in (all one line)

RegEdit /E regrun.dat HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run


There is a RegEdit usage screen at the bottom.


Now many viruses alter just that key.  Even just using RegEdit one can easily

  1. Dump a key or set of keys
  2. Compare them against a backup copy
  3. If they differ,

    1. Alert the user
    2. Stop the Logon or BootStrap



----------------------------------------------------------------------

Detail


This is clunky, as I am restricting myself to MS utilities, which are very limited. Your programmer could do better in ten minutes, or you should be able to get a package for $10/seat.
(The RegEdit line is a single line ending in \Run.)

rem regrun.sav is the baseline export of this key, taken once from a known-clean desktop
RegEdit /E regrun.dat HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

fc regrun.dat regrun.sav>comp.dat
find /C "****" comp.dat
if errorlevel 1 goto OK

rem The key differs from the baseline: delete it and put the saved copy back
RegEdit /D HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
rem A bare filename imports a .reg file; RegEdit has no /I switch (see the usage screen below)
RegEdit regrun.sav

  rem Warning or halt batch statements go here

:OK
  rem rest of batch file


The MS FC (file compare) command does not return an errorlevel code, but FIND does: a 1 for 'not found'. So we run FC to generate a change list and then FIND the asterisks, which indicate there was a change.

If there was a change, FIND locates the asterisks and the ERRORLEVEL is zero, which is the problem state. So we check for ERRORLEVEL 1, which indicates no asterisks and therefore an equal compare.

It would be a lot easier if MS returned a code from FC.  Did I say the words "Shabby design"? No I did not.

Ergo: We can check for various viruses that alter the registry, a tiny bit less than half of them, right now, with MS utilities, on logon, at bootstrap, periodically or shutdown.

So, why aren't you doing it? We are, but we use RegCheck, our utility that does just the above, faster.


To be complete one should check all the Run keys:

   HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
   HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
   HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
   HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
   HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
   HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
   HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

and on multiuser or networked systems,

   HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run
   HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce
   HKEY_USERS\username\Software\Microsoft\Windows\CurrentVersion\Run
   HKEY_USERS\username\Software\Microsoft\Windows\CurrentVersion\RunOnce



This is getting a little lengthy for a BAT file, so a utility written for this purpose might be a good idea.  But the important thing is that it may be done for all Windows users right now.
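The comparison the batch file does for one key, generalised to the whole list of Run keys above, as an added example (this is not code from the original FAQ and not the author's RegCheck utility). It assumes the baseline and the current export were both produced with RegEdit /E, so they are REGEDIT4 text files; the two exports embedded below are constructed sample data, not captures from a real machine. Unlike the FC/FIND approach it parses the exports, so it ignores differences in key-name case and reports exactly which autostart entry was added, removed or changed rather than just "something differs".

```python
"""Added example (not part of the original FAQ, and not the author's RegCheck):
parse two RegEdit /E exports (REGEDIT4 text) and report autostart entries that
were added, removed or changed relative to a saved baseline."""
import re

# The autostart keys the FAQ says a desktop should check.
RUN_KEYS = [
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce",
]

_KEY_RE = re.compile(r"^\[(.+)\]$")
# Either the default value (@) or a quoted name, then '=', then the data.
_VALUE_RE = re.compile(r'^(@|"((?:[^"\\]|\\.)*)")=(.*)$')

def _unescape(s):
    # REGEDIT4 escapes backslash and double quote inside quoted strings.
    return s.replace('\\"', '"').replace("\\\\", "\\")

def parse_reg_export(text):
    """Return {key_path: {value_name: data}}. String data is unescaped; dword:/hex:
    data is kept verbatim and multi-line hex continuation lines are skipped."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("REGEDIT") or line.startswith(";"):
            continue
        m = _KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            name = "@" if m.group(1) == "@" else _unescape(m.group(2))
            data = m.group(3)
            if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
                data = _unescape(data[1:-1])
            keys[current][name] = data
    return keys

def _values_of(tree, key):
    # Key paths and value names are case-insensitive in the Registry.
    for path, values in tree.items():
        if path.lower() == key.lower():
            return {n.lower(): (n, d) for n, d in values.items()}
    return {}

def compare_run_keys(baseline_text, current_text, keys=RUN_KEYS):
    """List (kind, key, value_name, data) for every difference; empty list = clean."""
    base, cur = parse_reg_export(baseline_text), parse_reg_export(current_text)
    findings = []
    for key in keys:
        b, c = _values_of(base, key), _values_of(cur, key)
        for n, (name, data) in c.items():
            if n not in b:
                findings.append(("added", key, name, data))
            elif b[n][1] != data:
                findings.append(("changed", key, name, data))
        for n, (name, data) in b.items():
            if n not in c:
                findings.append(("removed", key, name, data))
    return findings

# Constructed sample exports (not captured from a real machine): the second one
# has a new HKCU Run entry and an altered HKLM Run entry.
BASELINE = r"""REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
"SystemTray"="SysTray.Exe"
"""

CURRENT = r"""REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"SampleWorm"="C:\\WINDOWS\\TEMP\\sample.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
"SystemTray"="C:\\WINDOWS\\TEMP\\dropped.exe"
"""

def main():
    findings = compare_run_keys(BASELINE, CURRENT)
    for kind, key, name, data in findings:
        print(f"{kind:8} {key}\n         {name} = {data}")
    # Non-zero exit means "alert the user", like the batch file's fall-through path.
    return 1 if findings else 0

if __name__ == "__main__":
    raise SystemExit(main())
```

In use, BASELINE and CURRENT would be read from the .sav and .dat files the batch file writes, and the script's exit code plays the role of ERRORLEVEL for the logon or bootstrap script. The baseline still has to be taken once from a known-clean desktop, and it must be refreshed whenever a legitimate autostart entry is installed, otherwise every scheduled run reports the same harmless "added" entry.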


Here's a little list of Registry-altering viruses as of August 2002:

  Alcarys      Dotor        Monopoly      Storielle
  Aplore       ElKern       Music         Surnova
  Argen        Fireburn     Mylife        Taripox
  Babylonia    Gibe         Navidad       Tettona
  BadSector    Gigger       Newbiero      Timofon
  BadTrans     GOP          Nymph         Timofonica
  Benjamin     Hooker       Porkis        Triplesix
  BleBa        Hydra        PrettyPark    Tune
  Borzella     Iestart      Pri           Updater
  Brit         Kak          Qaz           VBSWG
  Britney      Keyluc       Rede          Vote
  Bubbleboy    Kitro        Redlof        Welyah
  Carrytone    Klaz         Roach         WorldCup
  Chick        Kletz        Shoho         Yaha
  CodeBlue     Klez         Sircam        Zacker
  Crazybox     Lavehn-a     Slip
  Creepy       Liac         Sonic
  Dandi        Linon        SQLSpida
  Dewin        LoveLetter   SShogiST
  Document     Maldal       SSIWG


RegEdit command line USAGE screen

REGEDIT [/L:system] [/R:user] filename1
REGEDIT [/L:system] [/R:user] /C filename2
REGEDIT [/L:system] [/R:user] /E filename3 [regpath1]
REGEDIT [/L:system] [/R:user] /D regpath2

  /L:system       Specifies the location of the SYSTEM.DAT file.
  /R:user         Specifies the location of the USER.DAT file.
  filename1       Specifies the file(s) to import into the registry.
  /C filename2    Specifies the file to create the registry from.
  /E filename3    Specifies the file to export the registry to.
  regpath1        Specifies the starting registry key to export from.
                  (Defaults to exporting the entire registry).
  /D regpath2     Specifies the registry key to delete.
