Checking for incursions in the Registry with standard Windows utilities

by jnicks
Securing Desktops from Registry Altering Worms

Much of the InfoSec community's attention goes towards networks and servers, perhaps because they do not have a reasonable chance of affecting Windows security holes. This is an interesting approach, as one could say, taking it to the other extreme,

[ol][li]If all desktops, user systems, were totally secure, a corrupted server or net would not matter half so much.
[li]As long as desktop security is very bad there will be zombies attacking servers and the net and the security of networks and servers becomes impossible, or at least far, far more difficult and expensive.
[/ol]

There has been little attention to simple things that can be done to improve Desktop resistance to viruses and worms, other than expensive, unreliable, cranky integrated Anti-Virus applications.

An alternative: What follows is part of making the Windows desktop more secure and able to alert others if it has been affected by any of many viruses or worms.

[ol]
[li]Many viruses and worms alter portions of the Registry in a highly predictable way.
[li]Any desktop can trivially export its registry keys with standard MS programs.
[li]Any desktop can replace its registry keys with standard MS programs.
[li]If certain keys have been altered in certain ways, the desktop should alert its user to get assistance, again almost entirely with standard MS programs.
[/ol]

In short, many networks and users have had failures and suffered damage that could have been caught, and much of the damage prevented, almost entirely with standard MS programs. In a word, pointlessly.


Having a desktop check its registry for common registry alterations takes a second, maybe two on an older system. It is so quick it can be

[ol]
[li]Run at bootstrap time.
[li]Scheduled hourly.
[li]Run at NT logon time.
[li]Run at shutdown.
[/ol]


Getting Registry Values

To get registry keys, either in DOS at bootstrap time or in Windows, enter

RegEdit /E filename key

as in (all one line)
Code:
RegEdit /E regrun.dat HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

There is a RegEdit usage screen at the bottom.


Now, many viruses alter just that key. Even using just RegEdit one can easily

[ol][li]Dump a key or set of keys
[li]Compare them against a backup copy
[li]If they differ,
[ol]
[li]Alert the user
[li]Stop the Logon or BootStrap
[/ol]
[/ol]

----------------------------------------------------------------------

Detail

This is clunky, as I am restricting myself to MS utilities, which are very limited. Your programmer could do better in ten minutes, or you should be able to get a package for $10/seat.
(The RegEdit line is one line, up to \Run)
Code:
rem Export the current Run key, then compare it with the saved good copy
RegEdit /E regrun.dat HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

fc regrun.dat regrun.sav>comp.dat
rem FC only writes "*****" marker lines when the files differ;
rem FIND sets ERRORLEVEL 1 when it finds none, i.e. the key is unchanged
find /C "****" comp.dat
if errorlevel 1 goto OK

rem Replace the offending area: delete the key, then import the saved copy
rem (import is "RegEdit filename", per the RegEdit usage screen at the bottom)
RegEdit /D HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
RegEdit regrun.sav

  rem Warning or halt batch statements

:OK
  rem rest of batch file.

The MS FC (file compare) command does not return an ERRORLEVEL code, but FIND does: 1 for 'not found'. So we run FC to generate a change list and then FIND the asterisks, which indicate there was a change.

If there was a change, FIND locates the asterisks and the ERRORLEVEL is zero, which is the problem state. So we check for ERRORLEVEL 1, which indicates no asterisks and therefore an equal compare.

It would be a lot easier if MS returned a code from FC. Did I say the words "Shabby design"? No I did not.

Ergo: We can check for the various viruses that alter the registry, a tiny bit less than half of them, right now, with MS utilities, at logon, at bootstrap, periodically, or at shutdown.

So, why aren't you doing it? We are, but we use RegCheck, our utility that does just the above, faster.


To be complete, one should check all the Run keys:
[tt]
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Runonce
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
[/tt]

and on multiuser or networked systems,

[tt]
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Runonce
HKEY_USERS\username\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_USERS\username\Software\Microsoft\Windows\CurrentVersion\Runonce
[/tt]


This is getting a little lengthy for a BAT file, so a utility written for this purpose might be a good idea. But the important thing is that it may be done for all Windows users right now.
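As an added example (not part of the original FAQ and not its RegCheck utility), here is a Python script that does what the FC/FIND batch above does, but more precisely: it parses a saved baseline export and a fresh RegEdit /E export and reports exactly which value under any of the Run keys listed above was added, removed or changed, instead of only a yes/no. The key list and the two sample exports are constructed for the example, and the per-user HKEY_USERS\username keys are left out because they depend on the accounts present.

```python
import re
# Autostart keys from the list above; the per-user HKEY_USERS\<name> keys depend on
# which accounts exist, so this constructed example leaves them out.
_HIVES = {"HKEY_CURRENT_USER": ("Run", "RunOnce"),
          "HKEY_LOCAL_MACHINE": ("Run", "RunOnce", "RunOnceEx", "RunServices", "RunServicesOnce"),
          "HKEY_USERS\\.DEFAULT": ("Run", "RunOnce")}
RUN_KEYS = tuple(f"{hive}\\Software\\Microsoft\\Windows\\CurrentVersion\\{sub}"
                 for hive, subs in _HIVES.items() for sub in subs)
# A value line of a .reg export: @=data or "name"=data; hex continuation lines don't match.
_VALUE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')

def _unquote(s):
    """Strip the quotes of a .reg string and undo its backslash escapes."""
    return re.sub(r"\\(.)", r"\1", s[1:-1]) if s.startswith('"') else s

def parse_reg_export(text):
    """RegEdit /E output -> {lower-cased key path: {value name: data}}."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()      # registry paths are case-insensitive
            keys.setdefault(current, {})
            continue
        m = _VALUE.match(line)
        if m and current is not None:
            keys[current][_unquote(m.group(1))] = _unquote(m.group(2))
    return keys

def diff_run_keys(baseline_text, current_text, watched=RUN_KEYS):
    """Values added, removed or changed under the watched keys, as (key, name, old, new)."""
    base, cur = parse_reg_export(baseline_text), parse_reg_export(current_text)
    changes = []
    for key in watched:
        old, new = base.get(key.lower(), {}), cur.get(key.lower(), {})
        for name in sorted(set(old) | set(new)):
            if old.get(name) != new.get(name):
                changes.append((key, name, old.get(name), new.get(name)))
    return changes

# Constructed sample: the saved baseline (regrun.sav) and a later export (regrun.dat)
# in which one extra autostart entry, with a made-up program name, has appeared.
BASELINE = r'''REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
'''
CURRENT = BASELINE + r'"UpdateChk"="C:\\WINDOWS\\SYSTEM\\updchk.exe"' + "\n"
```

An empty list from diff_run_keys means the autostart entries are intact; a non-empty one names the key and value to show the user instead of a bare "something changed".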


Here's a little list of Registry-altering viruses as of August 2002:
[tt]
Alcarys Dotor Monopoly Storielle
Aplore ElKern Music Surnova
Argen Fireburn Mylife Taripox
Babylonia Gibe Navidad Tettona
BadSector Gigger Newbiero Timofon
BadTrans GOP Nymph Timofonica
Benjamin Hooker Porkis Triplesix
BleBa Hydra PrettyPark Tune
Borzella Iestart Pri Updater
Brit Kak Qaz VBSWG
Britney Keyluc Rede Vote
Bubbleboy Kitro Redlof Welyah
Carrytone Klaz Roach WorldCup
Chick Kletz Shoho Yaha
CodeBlue Klez Sircam Zacker
Crazybox Lavehn-a Slip
Creepy Liac Sonic
Dandi Linon SQLSpida
Dewin LoveLetter SShogiST
Document Maldal SSIWG
[/tt]

RegEdit command line USAGE screen

[tt]
REGEDIT [/L:system] [/R:user] filename1
REGEDIT [/L:system] [/R:user] /C filename2
REGEDIT [/L:system] [/R:user] /E filename3 [regpath1]
REGEDIT [/L:system] [/R:user] /D regpath2

/L:system Specifies the location of the SYSTEM.DAT file.
/R:user Specifies the location of the USER.DAT file.
filename1 Specifies the file(s) to import into the registry.
/C filename2 Specifies the file to create the registry from.
/E filename3 Specifies the file to export the registry to.
regpath1 Specifies the starting registry key to export from.
(Defaults to exporting the entire registry).
/D regpath2 Specifies the registry key to delete.
[/tt]