TeaTimer already does a great job at detecting changes, though while seeing it in use in a live environment, there were a number of features that it could have to make it a much more valuable tool for dealing with new and unknown spyware/malware.
Some spyware apps manage to insert themselves into some unmonitored areas not caught by TeaTimer; I'll list the ones I identified below. Some may be impractical, such as services changes (though these should not change often unless installing something, perhaps have a 'Temporarily Disable' menu item to allow programs to install without 10-15 alerts).
1: Detect changes to additional registry start locations:
* HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
- Some spyware in the future may make use of this area to hook certain exe files and run their own in its place
* HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows\<AppInit_DLLs>
- .DLL files can be added here to attach themselves to any program (such as Firefox) and hinder or modify operation
- This is where some of the nasty malware hides; they have a copy of themselves in every process, making it very difficult to manually remove before another instance reloads itself automatically.
* HKLM\System\CurrentControlSet\Services
- Services should not be changing much without your approval, some basic added/deleted notification could be added here
- Possibly also existing services where their .exe path changes suddenly (Redirection of a legitimate service)
* HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UIHost
- This important key does not appear to be monitored currently for changes, which can sometimes be used as another launch location
* HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SecurityProviders
* HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Authentication Packages
* HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Notification Packages
* HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Security Packages
- These keys are also important and can allow spyware to attach themselves directly to winlogon.exe
2: Source identification of registry change
Another feature that would be extremely helpful is if TeaTimer had the ability to track down the program and/or program thread that initiated the change and offer a list of options to deal with the process, such as:
- Deny all changes by thread/program
- Force close thread/program
- Force close and delete
This might require some pretty tricky coding, such as hooking Windows read/write registry functions to be able to track what application is committing these changes.
And also this could be iffy when malware has a .dll injected into winlogon; closing winlogon.exe will result in a very unhappy system!
I hope some of these ideas are useful; these alone could make TeaTimer a stand-alone tool to make sure your system is doing nothing it's not supposed to without your approval.
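One way a defender could watch the launch locations listed above for unapproved changes, as an added example that is not part of the original post or of TeaTimer: a PowerShell script that snapshots the keys once and later diffs the live registry against that baseline. The snapshot path and the -Baseline switch are assumptions chosen for the example.

```powershell
# Added example (not TeaTimer code): baseline-and-diff of the registry launch
# locations named in the post. Run once with -Baseline, then periodically without it.
param(
    [switch]$Baseline,
    [string]$SnapshotPath = "$env:ProgramData\regwatch-baseline.xml"  # assumed location
)

# Parent keys from the post. AppInit_DLLs, UIHost, SecurityProviders and the
# Lsa package lists are values under these keys, so reading the key covers them.
$WatchedKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options',
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows',
    'HKLM:\SYSTEM\CurrentControlSet\Services',
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon',
    'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders',
    'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
)

function Get-Snapshot {
    # Flatten every value under each key (and one level of subkeys, which is where
    # per-exe IFEO entries and per-service ImagePath values live) into "path::name" -> value.
    $snap = @{}
    foreach ($key in $WatchedKeys) {
        $paths = @($key) + @(Get-ChildItem -Path $key -ErrorAction SilentlyContinue |
                             ForEach-Object { "Registry::$($_.Name)" })
        foreach ($p in $paths) {
            $props = Get-ItemProperty -Path $p -ErrorAction SilentlyContinue
            if (-not $props) { continue }
            foreach ($prop in $props.PSObject.Properties) {
                if ($prop.Name -like 'PS*') { continue }      # skip PowerShell provider metadata
                # Join REG_MULTI_SZ (e.g. Notification Packages) into one comparable string
                $snap["$($p)::$($prop.Name)"] = [string]($prop.Value -join ',')
            }
        }
    }
    return $snap
}

$current = Get-Snapshot
if ($Baseline) {
    $current | Export-Clixml -Path $SnapshotPath
    Write-Output "Baseline of $($current.Count) values written to $SnapshotPath"
    return
}
$old = Import-Clixml -Path $SnapshotPath
foreach ($k in $current.Keys) {
    if (-not $old.ContainsKey($k))     { Write-Output "ADDED   $k = $($current[$k])" }
    elseif ($old[$k] -ne $current[$k]) { Write-Output "CHANGED $k : '$($old[$k])' -> '$($current[$k])'" }
}
foreach ($k in $old.Keys) {
    if (-not $current.ContainsKey($k)) { Write-Output "REMOVED $k" }
}
```

Run it from an elevated prompt so the Services and Lsa keys are readable; a CHANGED line on a service's ImagePath or on AppInit_DLLs is exactly the redirection the post describes.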