Thread: Suggestion: Additional TeaTimer Registry Monitoring+Tracking


    TeaTimer already does a great job at detecting changes, though while seeing it in use in a live environment, there were a number of features that it could have to make it a much more valuable tool for dealing with new and unknown spyware/malware.

    Some spyware apps manage to insert themselves into some unmonitored areas not caught by TeaTimer; I'll list the ones I identified below. Some may be impractical, such as service changes (though these should not change often unless installing something; perhaps have a 'Temporarily Disable' menu item to allow programs to install without 10-15 alerts).

    1: Detect changes to additional registry start locations:

    * HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
    - Some spyware in the future may make use of this area to hook certain exe files and run their own in its place

    * HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows\<AppInit_DLLs>
    - .DLL files can be added here to attach themselves to any program (such as Firefox) and hinder or modify operation
    - This is where some of the nasty malware hides: they have a copy of themselves in every process, making it very difficult to manually remove before another instance reloads itself automatically.


    * HKLM\System\CurrentControlSet\Services
    - Services should not be changing much without your approval, some basic added/deleted notification could be added here
    - Possibly also existing services where their .exe path changes suddenly (Redirection of a legitimate service)

    * HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UIHost
    - This important key does not appear to be monitored currently for changes, which can sometimes be used as another launch location

    * HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SecurityProviders
    * HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Authentication Packages
    * HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Notification Packages
    * HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Security Packages
    - These keys are also important and can allow spyware to attach itself directly to winlogon.exe

    2: Source identification of registry change

    Another feature, that would be extremely helpful, is if TeaTimer has the ability to track down the program, and/or program thread that initiated the change and offer a list of options to deal with the process, such as:
    - Deny all changes by thread/program
    - Force close thread/program
    - Force close and delete

    This might require some pretty tricky coding, such as hooking Windows read/write registry functions to be able to track what application is committing these changes.

    This could also be iffy when malware has a .dll injected into winlogon; closing winlogon.exe will result in a very unhappy system!


    I hope some of these ideas are useful; they alone could make TeaTimer a stand-alone tool to make sure your system is doing nothing it's not supposed to without your approval.
    Last edited by Draelen; 2009-01-31 at 04:14.
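As an added illustration of the monitoring asked for in points 1 and 2 of the post (this is example code, not TeaTimer's or Spybot's own), the snippet below diffs a baseline snapshot of the listed launch points against a later re-read and reports added/removed subkeys (new or deleted services, new Image File Execution Options entries) and changed values (a service's ImagePath, AppInit_DLLs, UIHost, the Lsa package lists). The snapshot dict format, the `WATCH` table and the two sample snapshots are assumptions constructed for the example; on a real Windows host the snapshots would be read with the `winreg` module.

```python
"""Baseline-diff monitor for the registry launch points listed in the post.

A snapshot is a dict: full key path -> {value name: data}. The two
snapshots below are constructed sample data, not read from a live system.
"""

# Launch points the post asks TeaTimer to watch. A list names the values
# to compare; None means "compare every value and report any subkey
# that appears or disappears" (services, IFEO entries).
WATCH = {
    r"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options": None,
    r"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows": ["AppInit_DLLs"],
    r"HKLM\System\CurrentControlSet\Services": None,
    r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon": ["UIHost"],
    r"HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders": ["SecurityProviders"],
    r"HKLM\SYSTEM\CurrentControlSet\Control\Lsa": [
        "Authentication Packages", "Notification Packages", "Security Packages"],
}

def _under(path, root):
    """True if `path` is `root` itself or a subkey of it."""
    return path == root or path.startswith(root + "\\")

def diff_snapshots(baseline, current):
    """Return (event, key, value_name, old, new) tuples for every watched change."""
    events = []
    for root, names in WATCH.items():
        before = {k: v for k, v in baseline.items() if _under(k, root)}
        after = {k: v for k, v in current.items() if _under(k, root)}
        for key in sorted(after.keys() - before.keys()):      # e.g. a new service
            events.append(("key_added", key, None, None, after[key]))
        for key in sorted(before.keys() - after.keys()):      # e.g. a deleted service
            events.append(("key_removed", key, None, before[key], None))
        for key in sorted(before.keys() & after.keys()):      # e.g. ImagePath redirected
            watched = names if names is not None else before[key].keys() | after[key].keys()
            for name in sorted(watched):
                old, new = before[key].get(name), after[key].get(name)
                if old != new:
                    events.append(("value_changed", key, name, old, new))
    return events

SVC = r"HKLM\System\CurrentControlSet\Services"
WIN = r"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows"
IFEO = r"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options"
LSA = r"HKLM\SYSTEM\CurrentControlSet\Control\Lsa"

# Constructed baseline and a constructed "later" snapshot in which a service's
# exe path moved, a new service appeared, an AppInit DLL and an IFEO entry were added.
BASELINE = {SVC + r"\Spooler": {"ImagePath": r"C:\Windows\System32\spoolsv.exe"},
            WIN: {"AppInit_DLLs": ""}, LSA: {"Authentication Packages": ["msv1_0"]}}
CURRENT = {SVC + r"\Spooler": {"ImagePath": r"C:\Users\Public\spoolsv.exe"},
           SVC + r"\newsvc": {"ImagePath": r"C:\Users\Public\newsvc.exe"},
           WIN: {"AppInit_DLLs": r"C:\Users\Public\hook.dll"},
           LSA: {"Authentication Packages": ["msv1_0"]},
           IFEO + r"\notepad.exe": {"Debugger": r"C:\Users\Public\dbg.exe"}}

if __name__ == "__main__":
    for event in diff_snapshots(BASELINE, CURRENT):
        print(event)
```

Each reported event carries the key and the old/new data, which is the minimum a prompt like TeaTimer's needs to show the user before accepting or reverting the change.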
