How does a virus add keys to the registry (WinXP SP3)

Wyndru

Diamond Member
Apr 9, 2009
I'm not sure if this is the right place to ask this, but here it goes.

Over the past year I have been modifying my images at the High School I work in to lock the student and lab PC's down. I've gone through the regular stuff like locking down the desktop wallpaper, internet settings, disabling access to control panel and desktop properties, run, cmd, etc...

I've been happy with the results, and the computers have stayed a little more clean throughout the year with the exception of viruses. Most of the students claim they were on Google Images when the fake antivirus program was executed, but we can't block everything that GI points to, so I'm looking for a way to block anything from writing to the registry on the account level.

I've been able to set permissions on keys to (hopefully) prevent anything from writing to current user, but I'm thinking that this won't help. My reason for this is because one of the viruses I have been testing writes to HKEY_LOCAL_MACHINE, even while logged in as limited user. I checked, and there are no permissions set in HKLM or its subkeys to allow read or write access to the local user I'm testing on.

My question is how do viruses override local permissions? Does it somehow grant system or admin rights to these processes when they execute? My students can't install anything on the PC's, yet these applications have no issues.

Oh, and as far as antivirus support, we use etrust and pestpatrol, which I know isn't very good with their definitions (we are looking into an alternative), but I still would like to prevent anything from writing to the registry, even if AV fails to detect it on the way in, I'm hoping this is possible.

Any suggestions?
Thanks AT!
 

Wyndru

Diamond Member
Apr 9, 2009
A local privilege escalation exploit?

That sucks, I assume there is no way to block something like this then. These fake antivirus programs are getting really annoying. We get 3 or 4 a day lately, I was hoping to cut this down. I keep sending all the files and key info to CA each time we get one, then they block them, then a week later a variation pops up.
 

seepy83

Platinum Member
Nov 12, 2003
... I still would like to prevent anything from writing to the registry, even if AV fails to detect it on the way in, I'm hoping this is possible.

Any suggestions?

Run Internet Explorer inside of Sandboxie (http://www.sandboxie.com/)

edit: I haven't tested this against fake AV attacks, but in theory it should protect your machine...
 

Rubycon

Madame President
Aug 10, 2005
Stop allowing browser use that permits execution of scripts globally.

OR secure your network properly so all local traffic is screened and completely trusted.

This is definitely a people problem! Unfortunately the way web browsing works to stop it you break that as well.
 

Wyndru

Diamond Member
Apr 9, 2009
Stop allowing browser use that permits execution of scripts globally.
I'm not sure what you mean by this. Are you referring to just asking the students not to go to these sites, or by blocking it somehow in IE?

I've already proposed firefox with noscript to my boss, but he is concerned with the learning curve associated with this. I would need to set up a lot of rules, and he doesn't think it is worth the time. He is satisfied with IE8, I'm not a big fan of it, so we differ in opinion on that.

OR secure your network properly so all local traffic is screened and completely trusted.
The network admin already has it running through an SCM and a Packeteer, and as it is I think we will be loosening the restrictions as a response to the board of education in our district voicing their opinions that we are blocking students from too much now. :\

I just find it strange that 90% of these fake virus trojans come from google images, even with safe search on. I know that there is nothing from google's end that they can do, since you are really accessing other sites. We have definitely seen an increase over the past 6 months from sites linked by google images, it's too bad that such a widely used resource has so many sites listed in it that are dangerous.
 

Rubycon

Madame President
Aug 10, 2005
I'm not sure what you mean by this. Are you referring to just asking the students not to go to these sites, or by blocking it somehow in IE?

IE is the issue. FF would be risky too without NoScript. Get people on NoScript NOW and learning be damned; if they don't like it they can just not use the internet or clean up the mess when they get infected!

I've already proposed firefox with noscript to my boss, but he is concerned with the learning curve associated with this. I would need to set up a lot of rules, and he doesn't think it is worth the time. He is satisfied with IE8, I'm not a big fan of it, so we differ in opinion on that.


The network admin already has it running through an SCM and a Packeteer, and as it is I think we will be loosening the restrictions as a response to the board of education in our district voicing their opinions that we are blocking students from too much now. :\

Most of it comes from advertisements hosted on compromised sites. Block those and you won't have nearly the amount of infections. There's lots of blacklists you can copy to block access to these servers, etc.

I just find it strange that 90% of these fake virus trojans come from google images, even with safe search on. I know that there is nothing from google's end that they can do, since you are really accessing other sites. We have definitely seen an increase over the past 6 months from sites linked by google images, it's too bad that such a widely used resource has so many sites listed in it that are dangerous.

Another way they come in is through streaming music players. Often these use flash based adverts that can inject malware into a system. Even systems running Norton, MS Security Essentials, etc. get hit. Fake Alert software is out of control these days.

 

Wyndru

Diamond Member
Apr 9, 2009
Thanks for the info Rubycon. We do have a webads blacklist running, I'm not sure who provides it to us, I assume CA with the secure content box. I can't really say how well it is working though, it could be letting a lot through for all I know.

I appreciate the responses, I'll keep working on the big guy to consider using FF and NS.
 

airdata

Diamond Member
Jul 11, 2010
Thanks for the suggestion, I'll take a look at this.

How many computers are there all together?

I was working in a college and they had 'Deep Freeze' on the computers. Worked really well.

http://www.faronics.com/en/Products/DeepFreeze/DeepFreezeEducation.aspx

It locks the computers state down completely. Anything that is installed while the computer is locked will be removed upon reboot.

You can also manipulate the HOSTS file. This website explains this. I've played with this a little but not on a ton of machines. I did have it on one machine that picked up a fake AV type malware and this prevented it from downloading additional stuff. I went to the command prompt and did an 'ipconfig /displaydns' and there was a whole list of websites from the HOSTS file where the malware was trying to access them but was just redirected to 127.0.0.1.

http://www.mvps.org/winhelp2002/hosts.htm

Another option available is DNS. I use openDNS and you can filter web traffic with it. There is a malware category that would block certain items.
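Added example, not part of airdata's post: a small PowerShell function that parses `ipconfig /displaydns` output and lists the names that resolved to 127.0.0.1, which is exactly what a HOSTS-file sinkhole produces when malware tries to reach a blocked domain. The cached entries below are constructed sample text, and the domain names in it are placeholders.

```powershell
# Parse 'ipconfig /displaydns' style text and return each record name whose
# A record came back as 127.0.0.1 (a name the HOSTS file redirected).
function Get-SinkholedDnsEntries {
    param([string[]]$DisplayDnsLines)
    $name = $null
    foreach ($line in $DisplayDnsLines) {
        # "Record Name . . . . . : badsite.example"
        if ($line -match '^\s*Record Name[ .]*:\s*(\S+)') {
            $name = $matches[1]
            continue
        }
        # "A (Host) Record . . . : 127.0.0.1"
        if ($name -and $line -match '^\s*A \(Host\) Record[ .]*:\s*(\S+)') {
            if ($matches[1] -eq '127.0.0.1') { $name }
            $name = $null
        }
    }
}

# Constructed sample of the cache listing (not captured from a real machine).
$sample = @'
    badsite.example
    ----------------------------------------
    Record Name . . . . . : badsite.example
    Record Type . . . . . : 1
    Time To Live  . . . . : 86400
    Data Length . . . . . : 4
    Section . . . . . . . : Answer
    A (Host) Record . . . : 127.0.0.1

    www.example.com
    ----------------------------------------
    Record Name . . . . . : www.example.com
    Record Type . . . . . : 1
    Time To Live  . . . . : 300
    Data Length . . . . . : 4
    Section . . . . . . . : Answer
    A (Host) Record . . . : 203.0.113.5
'@ -split "`r?`n"

Get-SinkholedDnsEntries $sample      # lists badsite.example only

# Against a live machine, feed it the real listing instead:
# Get-SinkholedDnsEntries (ipconfig /displaydns)
```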
 

VirtualLarry

No Lifer
Aug 25, 2001
I just find it strange that 90% of these fake virus trojans come from google images, even with safe search on. I know that there is nothing from google's end that they can do, since you are really accessing other sites. We have definitely seen an increase over the past 6 months from sites linked by google images, it's too bad that such a widely used resource has so many sites listed in it that are dangerous.

When Google indexes them, it sees only the normal site. But these web sites' code has been hacked, such that when a visitor shows up with a Google referrer, the virus-planting code activates and redirects to one of those fake AV scan pages, for example.
 

spikespiegal

Golden Member
Oct 10, 2005
My question is how do viruses override local permissions??

They can't. Contrary to the comments above, a virus/malware running on a user account can't escalate rights because it wants to. Also, security escalation exploits are rare in the wild and patched rather quickly by MS. I've been an admin at a few colleges and high schools and never had a problem. Any garbage installed on the machine goes away when their profile is erased. Tech colleges can be hard because those kids are a lot more motivated and reckless and will drop a zero day exploit on you, but HS kids are typically less dangerous.

Whatever process is writing to HKLM is doing so with admin rights from somewhere, or modifying a key that's already cracked open. If you don't believe me, take admin rights away from the key and try to modify it as god. Won't work. You're looking in the right area, but need to step back a bit and focus more on the human element.

Content filtering and black listing is almost totally ineffective for HS because they'll use a proxy and get around you.
 

Rubycon

Madame President
Aug 10, 2005
Content filtering and black listing is almost totally ineffective for HS because they'll use a proxy and get around you.

LOL that's the first thing that should be disallowed is the use of a proxy or tunnel to sidestep a trusted network. ;)
 

Gamingphreek

Lifer
Mar 31, 2003
What version of Windows are you running? This sounds an awful lot like XP, which would be one of the biggest problems (though probably out of your control). UAC should be stopping this if it is Vista/7.

Group Policy can be set to disallow standard users write privileges to the registry.

Microsoft Security Essentials or NOD32 are probably the best A/V programs out there.

Google is pretty good about filtering their search results with respect to compromised websites. I wouldn't run too far with what the kids tell you ;) - They are probably scared of getting in trouble for going to sites they weren't supposed to (Or something along those lines)

Are you using DNS Filtering at all? OpenDNS or something similar would be a good idea.

-GP
 

Wyndru

Diamond Member
Apr 9, 2009
They can't. Contrary to the comments above, a virus/malware running on a user account can't escalate rights because it wants to. Also, security escalation exploits are rare in the wild and patched rather quickly by MS. I've been an admin at a few colleges and high schools and never had a problem. Any garbage installed on the machine goes away when their profile is erased. Tech colleges can be hard because those kids are a lot more motivated and reckless and will drop a zero day exploit on you, but HS kids are typically less dangerous.

Whatever process is writing to HKLM is doing so with admin rights from somewhere, or modifying a key that's already cracked open. If you don't believe me, take admin rights away from the key and try to modify it as god. Won't work. You're looking in the right area, but need to step back a bit and focus more on the human element.

Content filtering and black listing is almost totally ineffective for HS because they'll use a proxy and get around you.

That's what I originally thought, but I had already tested removing all rights from that key, even admin and system, then ran the executable, and it still added what it needed to. I'm not sure what's going on but it's pretty common lately. We see unwanted changes to HKLM fairly often, and limited user is useless IMO. We are looking into windows 7 now, hopefully that will make a difference. UAC will probably just cause headaches for support staff, but at least it might be more secure.

You are right about the content filtering, we have facebook and twitter set to 1kb on the packeteer because the kids were just using their own home built proxy webpages to get to it. I'd like to block everything, and then just open what people need as they request it.
 

Gamingphreek

Lifer
Mar 31, 2003
That's what I originally thought, but I had already tested removing all rights from that key, even admin and system, then ran the executable, and it still added what it needed to. I'm not sure what's going on but it's pretty common lately. We see unwanted changes to HKLM fairly often, and limited user is useless IMO. We are looking into windows 7 now, hopefully that will make a difference. UAC will probably just cause headaches for support staff, but at least it might be more secure.

You are right about the content filtering, we have facebook and twitter set to 1kb on the packeteer because the kids were just using their own home built proxy webpages to get to it. I'd like to block everything, and then just open what people need as they request it.

XP is really, in essence, a single user security platform. Vista and 7 were really a HUGE leap for Microsoft towards what *nix has had for ages: Multi-Level User Security. UAC in Vista may have been a bit intrusive, but UAC is one of the single greatest things to happen to the Windows platform.

If it is still modifying the registry, it has to be taking ownership of the object. Even if you strip all rights off of an object, the CREATOR_OWNER can still take ownership and modify those rights (unless I am mistaken). I would look in the logs to see what is using its "take ownership privilege" right around that time.

Regarding the content filtering, OpenDNS allows you to block Proxies/Anonymizers which should help some of your problems. I don't know how good it is in that filtering, but when I tested it for my personal network it caught everything I tossed at it.

I'm really interested in hearing what you find. Do you by chance have the executable that is adding files to the HKLM hive? If we could find a safe way to send it (ie: Preventing execution) I would really like to disassemble it and see if I can't figure out what it is doing.

-GP
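Added example, not from GP's post or anyone else in the thread: a PowerShell audit of the HKLM autostart keys that fake-AV installers typically target, reporting each key's owner and any Allow entry that gives a low-privilege group a write, take-ownership or change-permissions right. It checks the two explanations raised above, a key that is "already cracked open" to Users, or one whose ACL can simply be rewritten. The key list and group names are my own choices; it assumes PowerShell 2.0 or later with the built-in Registry provider.

```powershell
# Autostart locations under HKLM to inspect (my own selection, extend as needed).
$keys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
)

# Identities that a limited student account would be a member of.
$lowPriv = @(
    'BUILTIN\Users',
    'Everyone',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE'
)

# Any of these rights lets the holder change the key, its values, or its ACL.
$writeMask = [System.Security.AccessControl.RegistryRights]::SetValue -bor
             [System.Security.AccessControl.RegistryRights]::CreateSubKey -bor
             [System.Security.AccessControl.RegistryRights]::WriteKey -bor
             [System.Security.AccessControl.RegistryRights]::TakeOwnership -bor
             [System.Security.AccessControl.RegistryRights]::ChangePermissions

foreach ($k in $keys) {
    if (-not (Test-Path $k)) { continue }
    $acl = Get-Acl -Path $k
    # The owner can always re-grant itself access, so report it first.
    Write-Host "$k"
    Write-Host "  owner: $($acl.Owner)"
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($lowPriv -notcontains $ace.IdentityReference.Value) { continue }
        if (($ace.RegistryRights -band $writeMask) -ne 0) {
            Write-Host "  WRITABLE by $($ace.IdentityReference): $($ace.RegistryRights)"
        }
    }
}
```

A key showing no WRITABLE line and an Administrators owner, yet still being modified by a process started from a limited account, points to the process having obtained admin or SYSTEM rights elsewhere, as the posts above describe.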
 

Modelworks

Lifer
Feb 22, 2007
The biggest thing anyone can do to limit malware on the system is to disable the ability for VBScript to run. Viruses that are widespread are rarely unique. Most were created by a coder who released the malware as a sort of development kit for creation of actual programs to infect machines. That allows people who do not understand the low level stuff to create malware, and most of those will use VBScript to do that because it comes default with all Windows installs, and because they cannot write code themselves it is something they can understand enough to get the job done. That is why malware is so widespread vs years ago. Anyone willing to spend two hours learning can create their very own malware without having to know lots of details.
So blocking VBScript is the first thing I would do. You can select the VBScript dll files in the windows directory and block them from execution; the main one is vbscript.dll. You can't delete them because Windows system protection will just restore them.

The other thing you need to look into is white listing. Windows defaults to let people do what they want and only block what you tell it to. White listing uses the idea that no user can do anything, not even click the desktop, without it being on the list of approved actions. White listing is much easier to admin than trying to black list everything that a user could possibly do that you do not want. To set these kinds of permissions there is a good app that is free that has all the settings easy to access. Some of them are registry settings not well known.
http://www.coolstuff.ws/software/systweaker


Content blocking can be hard but there are some low cost ways to do it. One is the squid proxy filter. The application is free and handles ad blocking as well as content restriction. If a user enters a proxy site in the address bar it will not work because squid detects proxy connections. Squid controls content by examining the actual packets. If you block torrents on one port and the user changes the port, normally that content would get through, but with squid it would block it because squid would look at the packet content, see it is torrents and block just those packets while still allowing other programs to use the same ports. A much better solution than firewalls or address/port based blocking.

http://www.squid-cache.org/
 

Wyndru

Diamond Member
Apr 9, 2009
reimage machines with every reboot?

We used to have pcr-dist, but it was too time consuming for the students. We were doing it on every logon though (just on the local windows account, with a Novell logon script). I might look into using it at every reboot and see if we can implement that.

GP, unfortunately I don't have the file anymore. CA recently added it to their definitions, and I thought I had it encrypted somewhere, but I guess not. Now it's been deleted from every location I had it, even when I plugged in my flash drive that it was on. I'm sure we will have another one before long, so if I come across one, I'll encrypt and host it and send you a PM with the address.

This week, there is a student seeking legal action regarding a virus he brought home from school to his home computer. So now I get to trace it down and document all of this crap. Good times.
 

seepy83

Platinum Member
Nov 12, 2003
This week, there is a student seeking legal action regarding a virus he brought home from school to his home computer. So now I get to trace it down and document all of this crap. Good times.

If he's really seeking legal action, I would suggest that you stop what you are doing right now and get law enforcement involved. A forensic analysis of a computer must be done properly for any of the data to be admissible in court.
 

Wyndru

Diamond Member
Apr 9, 2009
If he's really seeking legal action, I would suggest that you stop what you are doing right now and get law enforcement involved. A forensic analysis of a computer must be done properly for any of the data to be admissible in court.

We have an in-house officer that already took the computer the kid claims he got the virus from. I just need to document what we do to prevent viruses and make sure none of the other computers have the same virus, so they know that we are at least attempting to prevent this type of thing from happening. This isn't the first time we have had this issue, so all I really did was update the documentation from a couple of years ago.

These issues usually go away on their own once the higher-ups get all the info they need to proceed.