After reading the Microsoft Malware Protection Center Threat Report: Rootkits, I have included new keys under HKLM.
Added: HKLM\System\ControlSet\Services\Tcpip\Parameters.
Values: DataBasePath and DhcpNameServer.
Reference: http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Win32/Alureon
Added: All keys under HKLM\System\ControlSet\Services\Tcpip\Parameters\Interfaces.
Values: DhcpNameServer and NameServer.
Reference: http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Win32/Alureon
After reviewing the keys that malware can use to bypass the Windows Firewall:
Added: HKLM\Software\Policies\Microsoft\WindowsFirewall\DomainProfile.
Value: EnableFirewall.
Added: HKLM\Software\Policies\Microsoft\WindowsFirewall\DomainProfile\AuthorizedApplications\List.
Values: All.
Added: HKLM\Software\Policies\Microsoft\WindowsFirewall\DomainProfile\GloballyOpenPorts\List.
Values: All.
Added: HKLM\System\ControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List.
Values: All.
New values included in the "justified" list:
Key: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\DomainProfile.
Value: EnableFirewall.
Data: 1.
Key: HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile.
Value: EnableFirewall.
Data: 1.
Malware strings added:
Strings: msqpdx and msliksur.
Reference: Win32/Alureon.
Strings: glaide32.sys and lzx32.sys.
Reference: Win32/Rustock.
Strings: runtime.sys and runtime2.sys.
Reference: Win32/Cutwail.
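As an added example (not part of the original post or its tool), a read-only PowerShell audit of the keys, "justified" data and malware strings listed above; it assumes Windows PowerShell 5 or later in an elevated session, and uses CurrentControlSet where the post writes ControlSet.

```powershell
# Added example, not from the original post: a read-only audit of the keys listed
# above. Run as Administrator. The post writes "ControlSet"; CurrentControlSet is
# used here because it resolves to the active ControlSet00N.
$findings = [System.Collections.Generic.List[object]]::new()
function Report($Key, $Name, $Data, $Note) {
    $findings.Add([pscustomobject]@{ Key = $Key; Value = $Name; Data = $Data; Note = $Note })
}
# 1. DNS values Win32/Alureon tampers with: DataBasePath and DhcpNameServer on
#    Tcpip\Parameters, DhcpNameServer and NameServer on every interface key.
$tcp = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
$p = Get-ItemProperty -Path $tcp -ErrorAction SilentlyContinue
foreach ($n in 'DataBasePath', 'DhcpNameServer') {
    if ($null -ne $p.$n) { Report $tcp $n $p.$n 'review: value Alureon is known to change' }
}
Get-ChildItem -Path "$tcp\Interfaces" -ErrorAction SilentlyContinue | ForEach-Object {
    $i = Get-ItemProperty -Path $_.PSPath
    foreach ($n in 'DhcpNameServer', 'NameServer') {
        if (-not [string]::IsNullOrEmpty($i.$n)) { Report $_.PSChildName $n $i.$n 'review: DNS server on interface' }
    }
}

# 2. Firewall policy: the "justified" data for EnableFirewall is 1; anything
#    else (or a missing value) is reported.
foreach ($k in 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile',
               'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile') {
    $v = (Get-ItemProperty -Path $k -Name EnableFirewall -ErrorAction SilentlyContinue).EnableFirewall
    if ($v -ne 1) { Report $k 'EnableFirewall' $v 'expected 1' }
}

# 3. Every entry under the exception lists is reported ("Values: All" above).
foreach ($k in 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\AuthorizedApplications\List',
               'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\GloballyOpenPorts\List',
               'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List') {
    if (-not (Test-Path $k)) { continue }
    $item = Get-Item $k
    foreach ($name in $item.GetValueNames()) {
        $data = $item.GetValue($name)
        Report $k $name $data 'firewall exception present'
    }
}

# 4. Service names or ImagePath values matching the malware strings in the post.
$bad = 'msqpdx', 'msliksur', 'glaide32.sys', 'lzx32.sys', 'runtime.sys', 'runtime2.sys'
Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' | ForEach-Object {
    $img = (Get-ItemProperty $_.PSPath -ErrorAction SilentlyContinue).ImagePath
    foreach ($s in $bad) {
        if ($_.PSChildName -like "*$s*" -or "$img" -like "*$s*") { Report $_.PSChildName 'ImagePath' $img "matches string $s" }
    }
}
$findings | Format-Table -AutoSize
```

Every row is a prompt to review, not a verdict: a populated NameServer or an AuthorizedApplications entry is often legitimate, so compare against a known-good baseline of the same host.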