
Thread: Suggestion: Additional TeaTimer Registry Monitoring+Tracking

  1. #1 Junior Member (joined Jan 2009, 1 post)

    Suggestion: Additional TeaTimer Registry Monitoring+Tracking

    TeaTimer already does a great job at detecting changes, though while seeing it in use in a live environment, there were a number of features it could have to make it a much more valuable tool for dealing with new and unknown spyware/malware.

    Some spyware apps manage to insert themselves into some unmonitored areas not caught by TeaTimer; I'll list the ones I identified below. Some may be impractical, such as services changes (though these should not change often unless installing something; perhaps have a 'Temporarily Disable' menu item to allow programs to install without 10-15 alerts).

    1: Detect changes to additional registry start locations:

    * HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
    - Some spyware in the future may make use of this area to hook certain exe files and run their own in its place

    * HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows\<AppInit_DLLs>
    - .DLL files can be added here to attach themselves to any program (such as Firefox) and hinder or modify operation
    - This is where some of the nasty malware hides; they have a copy of themselves in every process, making it very difficult to manually remove before another instance reloads itself automatically.


    * HKLM\System\CurrentControlSet\Services
    - Services should not be changing much without your approval, some basic added/deleted notification could be added here
    - Possibly also existing services where their .exe path changes suddenly (Redirection of a legitimate service)

    * HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UIHost
    - This important key does not appear to be monitored currently for changes, which can sometimes be used as another launch location

    * HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SecurityProviders
    * HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Authentication Packages
    * HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Notification Packages
    * HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Security Packages
    - These keys are also important and can allow spyware to attach itself directly to winlogon.exe

    2: Source identification of registry change

    Another feature, that would be extremely helpful, is if TeaTimer has the ability to track down the program, and/or program thread that initiated the change and offer a list of options to deal with the process, such as:
    - Deny all changes by thread/program
    - Force close thread/program
    - Force close and delete

    This might require some pretty tricky coding, such as hooking Windows read/write registry functions to be able to track what application is committing these changes.

    This could also be iffy when malware has a .dll injected into winlogon; closing winlogon.exe will result in a very unhappy system!


    I hope some of these ideas are useful; they alone could make TeaTimer a stand-alone tool to make sure your system is doing nothing it's not supposed to without your approval.
    Last edited by Draelen; 2009-01-31 at 04:14.
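Editor's note: the script below is an added illustration of the first suggestion in the post above (snapshotting the listed launch points and reporting what changed between runs). It is not TeaTimer or Spybot code and not the poster's code. The baseline file location is an assumption; the registry paths are the ones named in the post, plus each service's ImagePath and each Image File Execution Options subkey's Debugger value, which is how those two locations are actually abused. It shows what changed, not which process changed it; that second question is the one the post's "source identification" section raises and needs hooking or auditing rather than a diff.

```powershell
# Added example, not Spybot/TeaTimer code. Snapshot the registry launch points
# from the post and report additions, removals and changed values between runs.
# Run from an elevated prompt so every Services subkey can be read. HKLM is only
# read here, never written. The baseline path is an assumption; adjust as needed.
$BaselinePath = "$env:ProgramData\regwatch-baseline.json"

# Single values that should rarely change on a healthy machine
$WatchedValues = @(
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows';  Name = 'AppInit_DLLs' },
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'; Name = 'UIHost' },
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders';     Name = 'SecurityProviders' },
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa';                   Name = 'Authentication Packages' },
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa';                   Name = 'Notification Packages' },
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa';                   Name = 'Security Packages' }
)

function Get-LaunchPointSnapshot {
    $snap = @{}
    foreach ($w in $WatchedValues) {
        $item = Get-ItemProperty -Path $w.Path -Name $w.Name -ErrorAction SilentlyContinue
        if ($null -ne $item) {
            # REG_MULTI_SZ comes back as string[]; join it so it compares as one string
            $snap["$($w.Path)\$($w.Name)"] = ($item.$($w.Name) -join ';')
        }
    }
    # IFEO: a Debugger value under <exe name> replaces that executable when it is launched
    $ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
    Get-ChildItem -Path $ifeo -ErrorAction SilentlyContinue | ForEach-Object {
        $dbg = (Get-ItemProperty -Path $_.PSPath -Name Debugger -ErrorAction SilentlyContinue).Debugger
        if ($dbg) { $snap["IFEO\$($_.PSChildName)\Debugger"] = $dbg }
    }
    # Services: recording ImagePath catches both new services and a redirected legitimate one
    Get-ChildItem -Path 'HKLM:\SYSTEM\CurrentControlSet\Services' -ErrorAction SilentlyContinue | ForEach-Object {
        $img = (Get-ItemProperty -Path $_.PSPath -Name ImagePath -ErrorAction SilentlyContinue).ImagePath
        if ($img) { $snap["Services\$($_.PSChildName)\ImagePath"] = $img }
    }
    return $snap
}

function Compare-Snapshot {
    param([hashtable]$Baseline, [hashtable]$Current)
    $findings = @()
    foreach ($k in $Current.Keys) {
        if (-not $Baseline.ContainsKey($k)) {
            $findings += "ADDED   $k = $($Current[$k])"
        } elseif ($Baseline[$k] -ne $Current[$k]) {
            $findings += "CHANGED $k : '$($Baseline[$k])' -> '$($Current[$k])'"
        }
    }
    foreach ($k in $Baseline.Keys) {
        if (-not $Current.ContainsKey($k)) { $findings += "REMOVED $k (was '$($Baseline[$k])')" }
    }
    return $findings
}

$current = Get-LaunchPointSnapshot
if (-not (Test-Path $BaselinePath)) {
    # First run: persist the baseline and stop
    $current | ConvertTo-Json | Set-Content -Path $BaselinePath
    Write-Host "Baseline written to $BaselinePath ($($current.Count) entries)."
} else {
    # ConvertFrom-Json yields a PSCustomObject; rebuild the hashtable for comparison
    $baseline = @{}
    (Get-Content -Path $BaselinePath -Raw | ConvertFrom-Json).PSObject.Properties |
        ForEach-Object { $baseline[$_.Name] = $_.Value }
    $findings = Compare-Snapshot -Baseline $baseline -Current $current
    if ($findings.Count -eq 0) { Write-Host 'No changes to watched launch points.' }
    else { $findings | ForEach-Object { Write-Warning $_ } }
}
```

Run it once to write the baseline, then again after any suspicious activity (or on a schedule). An ADDED line under IFEO or Services, or a CHANGED line for AppInit_DLLs or any of the Lsa package lists, is exactly the kind of event the post asks TeaTimer to alert on; a CHANGED Services ImagePath is the "redirection of a legitimate service" case. Expect a burst of ADDED/CHANGED services right after installing software, which is the noise the post's 'Temporarily Disable' idea is meant to address.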

  2. #2 ght1 (Senior Member, joined Apr 2008, 210 posts)

    My suggestion: TeaTimer should detect new autostart entries

  3. #3 PepiMK (Member of Team Spybot, joined Oct 2005, Planet Earth, 3,387 posts)

    Autostart entries have been added in 2.0.

    As for the additional registry entries, we refrained from adding more to avoid the additional confusion they would create... when the version with paranoid mode is out and spread, that would allow us to add more for sure.

    Which application is committing the changes is done in 2.0 CoffeeLounge through hooking as guessed; 1.x TeaTimer only scans the file a registry entry points to if there's a definition on how to link the registry entry to a file.
    Just remember, love is life, and hate is living death.
    Treat your life for what it's worth, and live for every breath
    (Black Sabbath: A National Acrobat)
