Ticket #76 (closed bug: fixed)

Opened 1 year ago

Last modified 1 year ago

Integrity Misidentifies Files / Registry Keys As Malicious (Using Spanish Windows XP)

Reported by: apuigventos@isecauditors.com Assigned to: mbriggs
Priority: low Milestone: 0.9
Component: HoneyClient::Agent::Integrity Version: none
Severity: minor Keywords: spanish, language, integrity, filesystem, configuration
Cc:

Description (Last modified by kindlund)

Hello mates!

We are trying to use your honey client software and we have some problems, described below:

First, all pages are considered dangerous, including Google, Yahoo or about:blank.

Another problem is that we can only check 4 or 5 pages per hour, because the integrity check of the files takes too much time. It may be a nice idea to do that check in the Master VM (during the install process) instead of on the clone.

We would also like to control some crawling features, like depth or the limit of links, or disable crawling altogether.

We are using a Spanish Windows XP SP-0 without any security patch, and the default configuration.

Some log output:

                                                {
                                                 'status' => 1,
                                                 'mtime' => '2007-08-23 10:47:17',
                                                 'name' => 'c:\\documents and settings\\admin\\configuraci�n local\\archivos temporales de internet\\content.ie5\\m7y1e9m3\\little_post_inf_title_body[1].gif',
                                                 'content' => {
                                                                'sha1' => 'ca60de7eeccfd3964b2fb3258c7701aa2ba8576a',
                                                                'type' => 'image/gif',
                                                                'md5' => 'de8ae218d030a52fc769cbcdacffbd1f',
                                                                'size' => 78
                                                              }
                                               },
                                               {
                                                 'status' => 1,
                                                 'mtime' => '2007-08-23 10:47:16',
                                                 'name' => 'c:\\documents and settings\\admin\\configuraci�n local\\archivos temporales de internet\\content.ie5\\m7y1e9m3\\little_post_sup_title_top[1].gif',
                                                 'content' => {
                                                                'sha1' => 'bd3e43359ecb8c99888b787721a0eb9deff8e3c6',
                                                                'type' => 'image/gif',
                                                                'md5' => '12a943b5e45ec51640daac9628f59c1a',
                                                                'size' => '276'
                                                              }
                                               },
                                               {
                                                 'status' => 1,
                                                 'mtime' => '2007-08-23 10:47:16',
                                                 'name' => 'c:\\documents and settings\\admin\\configuraci�n local\\archivos temporales de internet\\content.ie5\\m7y1e9m3\\logo_banner_top_round[1].gif',
                                                 'content' => {
                                                                'sha1' => '7a205a52099c07fe36b3e3da7cf7803d50916681',
                                                                'type' => 'image/gif',
                                                                'md5' => 'a9130f75e078846a8c571d990f1aece5',
                                                                'size' => '35923'
                                                              }
                                               },
                                               {
                                                 'status' => 1,
                                                 'mtime' => '2007-08-23 10:47:16',
                                                 'name' => 'c:\\documents and settings\\admin\\configuraci�n local\\archivos temporales de internet\\content.ie5\\m7y1e9m3\\navbar[1].gif',
                                                 'content' => {
                                                                'sha1' => 'cc9988167cac11d4c665047a9defd4f2a0b4f3c8',
                                                                'type' => 'image/gif',
                                                                'md5' => '8e14597d530bfe00c6be27879d3cba6b',
                                                                'size' => '1233'
                                                              }
                                               },
                                               {
                                                 'status' => 2,
                                                 'mtime' => '2007-08-23 10:47:15',
                                                 'name' => 'c:\\documents and settings\\admin\\configuraci�n local\\historial\\history.ie5\\index.dat',
                                                 'content' => {
                                                                'sha1' => '978bd35bc9d49ea126009f2d5eb3463884f3096c',
                                                                'type' => 'application/octet-stream',
                                                                'md5' => 'ad2be4297c07af001827cd85dae4a961',
                                                                'size' => '32768'
                                                              }
                                               },
                                               {
                                                 'status' => 1,
                                                 'mtime' => '2007-08-23 10:47:15',
                                                 'name' => 'c:\\documents and settings\\admin\\configuraci�n local\\historial\\history.ie5\\mshist012007082320070824\\index.dat',
                                                 'content' => {
                                                                'sha1' => '4bb39db09b3562d47daf5fe9787d01a1c95c1d50',
                                                                'type' => 'application/octet-stream',
                                                                'md5' => '8e10c98051ebbff87e6cf17b5ed8031f',
                                                                'size' => '32768'
                                                              }
                                               },
                                               {
                                                 'status' => 2,
                                                 'mtime' => '2007-08-23 10:47:15',
                                                 'name' => 'c:\\documents and settings\\admin\\cookies\\index.dat',
                                                 'content' => {
                                                                'sha1' => '4559fa924bb9f3f582133667224a8eece9b14738',
                                                                'type' => 'application/octet-stream',
                                                                'md5' => 'c1fbd1598efad67b51b0ab977ede7ced',
                                                                'size' => '32768'
                                                              }
                                               }
                                             ],
                             'last_resource' => 'http://www.isecauditors.com/'
                           }
        };
WARNING: VM HAS BEEN COMPROMISED!
2007-08-23 12:49:54  INFO [HoneyClient::Manager::runSession] (/usr/local/share/perl/5.8.8/HoneyClient/Manager.pm:710) - Calling suspendVM(config => /vm/clones/1d0a1c184a9ee007fcf0150729/master.vmx).
2007-08-23 12:50:10  WARN [HoneyClient::Manager::runSession] (/usr/local/share/perl/5.8.8/HoneyClient/Manager.pm:717) - VM Compromised.  Last Resource (http://www.isecauditors.com/)
Fingerprint:
$VAR1 = {

Change History

08/23/07 08:07:26 changed by anonymous

  • keywords set to spanish, language, integrity, filesystem, configuration.
  • owner changed from knwang to kindlund.
  • component changed from Unknown to HoneyClient::Agent::Integrity.
  • priority changed from normal to low.

The problem causing the Integrity check to fail every time is that you are using the Spanish version of Windows XP, while your Honeyclient is configured for English users. Note the following from your post:

'name' => 'c:\\documents and settings\\admin\\configuraci�n local\\archivos temporales de internet\\content.ie5\\m7y1e9m3\\little_post_inf_title_body[1].gif'

The path is different than it would be in the English version:

'name' => 'c:\\documents and settings\\Administrator\\Local Settings\\Temporary Internet Files\\Content.IE5\\m7y1e9m3\\little_post_inf_title_body[1].gif'

What you'll need to do is modify the file at /etc/honeyclient.xml replacing all of the English paths with the Spanish paths. You need to edit these values in <exclude_list> in HoneyClient::Agent::Integrity::Filesystem.

<HoneyClient>
    ...
    <Agent>
        ....
        <Integrity>
            ....
            <Filesystem>
                ....
                <exclude_list>
                    ....

The values are Regular Expressions contained in 'regex' tags.

Note that this may be a problem for the registry as well.

If you'd be willing to share the resulting exclusions, that would be a great help to the project for Spanish speaking users.

The exclusions 'should' reduce the integrity check time, however please let us know if it remains a problem. It would be helpful if we knew the specs of the machine you're using, and what its workload is (if anything besides operating the honeyclient.)

Gracias!

08/23/07 09:59:24 changed by anonymous

OK, but the next problem is the accent in the Spanish language: configuracÓn ó ó <-- your Perl parser crashes on these lines of honeyclient.xml. If I erase these lines, the program detects the site as compromised.

                                               {
                                                 'status' => 1,
                                                 'mtime' => '2007-08-23 13:53:02',
                                                 'name' => 'c:\\documents and settings\\admin\\configuraci�n local\\historial\\history.ie5\\mshist012007082320070824\\index.dat',
                                                 'content' => {
                                                                'sha1' => '168795effd60b8b23e7b9a5962c42632ca986150',
                                                                'type' => 'application/octet-stream',
                                                                'md5' => '982f7c508bde07727b4c69382c811cb9',
                                                                'size' => '32768'
                                                              }
                                               }
                                             ],
                             'last_resource' => 'http://www.google.es/'
                           }
        };

WARNING: VM HAS BEEN COMPROMISED!

Thx

08/23/07 12:08:28 changed by anonymous

And registry changes:

'registry' => [
  {
    'status' => 2,
    'entries' => [
      {
        'name' => 'LogonTime',
        'new_value' => 'hex:7c,49,3f,94,9e,e5,c7,01',
        'old_value' => 'hex:8e,0c,0f,85,9a,e5,c7,01'
      }
    ],
    'key_name' => 'HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Print\\Providers'
  },
  {
    'status' => 1,
    'entries' => [
      {
        'name' => 'DefaultSpoolDirectory',
        'new_value' => 'C:\\\\WINDOWS\\\\System32\\\\spool\\\\PRINTERS',
        'old_value' => undef
      }
    ],
    'key_name' => 'HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Print\\Printers'
  },
  {
    'status' => 2,
    'entries' => [],
    'key_name' => 'HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\kmixer\\Enum'
  },
  {
    'status' => 2,
    'entries' => [
      {
        'name' => 'LogonTime',
        'new_value' => 'hex:7c,49,3f,94,9e,e5,c7,01',
        'old_value' => 'hex:8e,0c,0f,85,9a,e5,c7,01'
      }
    ],
    'key_name' => 'HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Print\\Providers'
  },
  {
    'status' => 1,
    'entries' => [
      {
        'name' => 'DefaultSpoolDirectory',
        'new_value' => 'C:\\\\WINDOWS\\\\System32\\\\spool\\\\PRINTERS',
        'old_value' => undef
      }
    ],
    'key_name' => 'HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Print\\Printers'
  },
  {
    'status' => 2,
    'entries' => [],
    'key_name' => 'HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\kmixer\\Enum'
  }
],

And file changes:

'filesystem' => [
  {
    'status' => 2,
    'mtime' => '2007-08-23 16:02:12',
    'name' => 'c:\\documents and settings\\admin\\configuraci\ufffdn local\\archivos temporales de internet\\content.ie5\\index.dat',
    'content' => {
      'sha1' => '3a98bd178fb652e53e63226d57108cbefdf871d9',
      'type' => 'application/octet-stream',
      'md5' => 'ee8f8979ea9e3a27b4e6a96f08d89467',
      'size' => '114688'
    }
  },
  {
    'status' => 1,
    'mtime' => '2007-08-23 16:02:11',
    'name' => 'c:\\documents and settings\\admin\\configuraci\ufffdn local\\archivos temporales de internet\\content.ie5\\i1ibcfab\\unafoto[1].htm',
    'content' => {
      'sha1' => '38a119d51a855ae63e2a66987bf7bd8e995456ac',
      'type' => 'text/html',
      'md5' => '0704f7b5a18bbd1fdee6dc08db200f33',
      'size' => '1933'
    }
  },
  {
    'status' => 1,
    'mtime' => '2007-08-23 16:02:12',
    'name' => 'c:\\documents and settings\\admin\\configuraci\ufffdn local\\archivos temporales de internet\\content.ie5\\m7y1e9m3\\logo[1].jpg',
    'content' => {
      'sha1' => '53ba1dca3de3189da7610ccec40e6021bd6d40ae',
      'type' => 'image/jpeg',
      'md5' => 'f4d8b6e8e09c01638233111b4a7ba606',
      'size' => '31582'
    }
  },
  {
    'status' => 2,
    'mtime' => '2007-08-23 16:02:12',
    'name' => 'c:\\documents and settings\\admin\\configuraci\ufffdn local\\historial\\history.ie5\\index.dat',
    'content' => {
      'sha1' => 'b0864143f166bd8322469bb495a54dfdf6d210e4',
      'type' => 'application/octet-stream',
      'md5' => '7cf87876af99c94b5b427d6e72b2e2f2',
      'size' => '32768'
    }
  },
  {
    'status' => 1,
    'mtime' => '2007-08-23 16:02:12',
    'name' => 'c:\\documents and settings\\admin\\configuraci\ufffdn local\\historial\\history.ie5\\mshist012007082320070824\\index.dat',
    'content' => {
      'sha1' => 'f66a195b75d4077120abefcc7a95cde8282b4e88',
      'type' => 'application/octet-stream',
      'md5' => 'df0343c21932ad65f1253b94dc72e3e6',
      'size' => '32768'
    }
  }
],
'last_resource' => 'http://www.unafoto.es/'
}
};

WARNING: VM HAS BEEN COMPROMISED!

08/23/07 12:24:01 changed by anonymous

I replaced ó (acute) with &#243; and the config file is now parsed correctly, but the problem with compromised sites remains.

Thanks a lot.

(follow-up: ↓ 6 ) 08/23/07 12:55:15 changed by anonymous

  • owner changed from kindlund to mbriggs.

It would be helpful if you could post the sections of honeyclient.xml containing the File and Registry exclusions.

(in reply to: ↑ 5 ) 08/24/07 03:27:23 changed by anonymous

Replying to anonymous:

It would be helpful if you could post the sections of honeyclient.xml containing the File and Registry exclusions.

<regex>C:/Documents and Settings/All Users/Application Data/Microsoft/Network/Downloader.*</regex>
<regex>C:/Documents and Settings/admin/Application Data/Mozilla/Firefox/Profiles.*</regex>
<regex>C:/Documents and Settings/admin/Cookies.*</regex>
<regex>C:/Documents and Settings/admin/Configuración local/Application Data/Macromedia/Flash Player.*</regex>
<regex>C:/Documents and Settings/admin/Configuración local/Application Data/Microsoft/Windows Media.*</regex>
<regex>C:/Documents and Settings/admin/Configuración local/Application Data/Mozilla/Firefox/Profiles.*</regex>
<regex>C:/Documents and Settings/admin/Configuración local/History/History.IE5.*</regex>
<regex>C:/Documents and Settings/admin/Configuración local/Archivos temporales de Internet/Content.IE5.*</regex>
<regex>C:/Documents and Settings/admin/Configuración local/Temp</regex>
<regex>C:/Documents and Settings/admin/Recent.*</regex>
<regex>C:/Documents and Settings/admin/ntuser.dat.LOG</regex>
<regex>C:/Archivos de programa/Mozilla Firefox/active-update.xml</regex>
<regex>C:/Archivos de programa/Mozilla Firefox/updates</regex>
<regex>C:/WINDOWS/PCHEALTH/HELPCTR/DataColl.*</regex>
<regex>C:/WINDOWS/Prefetch.*</regex>
<regex>C:/WINDOWS/Debug/UserMode/userenv.log</regex>
<regex>C:/WINDOWS/SchedLgU.txt</regex>
<regex>C:/WINDOWS/SoftwareDistribution/DataStore.*</regex>
<regex>C:/WINDOWS/SoftwareDistribution/ReportingEvents.log</regex>
<regex>C:/WINDOWS/SoftwareDistribution/WuRedir.*</regex>
<regex>C:/WINDOWS/SYSTEM32</regex>
<regex>C:/WINDOWS/SYSTEM32/config/SecEvent.evt</regex>
<regex>C:/WINDOWS/SYSTEM32/config/SysEvent.evt</regex>
<regex>C:/WINDOWS/SYSTEM32/config/software</regex>
<regex>C:/WINDOWS/SYSTEM32/config/software.log</regex>
<regex>C:/WINDOWS/SYSTEM32/config/system.LOG</regex>
<regex>C:/WINDOWS/SYSTEM32/Macromed/Flash.*</regex>
<regex>C:/WINDOWS/SYSTEM32/perfc009.dat</regex>
<regex>C:/WINDOWS/SYSTEM32/perfd009.dat</regex>
<regex>C:/WINDOWS/SYSTEM32/perfh009.dat</regex>
<regex>C:/WINDOWS/SYSTEM32/perfi009.dat</regex>
<regex>C:/WINDOWS/SYSTEM32/PerfStringBackup.INI</regex>
<regex>C:/WINDOWS/SYSTEM32/wbem.*</regex>
<regex>C:/WINDOWS/WindowsUpdate.log</regex>
<regex>C:/WINDOWS/wmsetup.log</regex>

and the registry section:

<regex>HKEY_CURRENT_USER\\SessionInformation.*$</regex>
<regex>HKEY_CURRENT_USER\\Software\\Microsoft\\ActiveMovie\\devenum.*$</regex>
<regex>HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\IntelliForms$</regex>
<regex>HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\International$</regex>
<regex>HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\International\\CpMRU$</regex>
<regex>HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\Main$</regex>
<regex>HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\Security\\AntiPhishing.*$</regex>
<regex>HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\TypedURLs$</regex>
<regex>HKEY_CURRENT_USER\\Software\\Microsoft\\MediaPlayer.*$</regex>
<regex>HKEY_CURRENT_USER\\Software\\Microsoft\\Multimedia.*$</regex>
<regex>HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MenuOrder\\Favorites\\Links.*$</regex>
<regex>HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MenuOrder\\Start Menu2\\Programs.*$</regex>
<regex>HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2.*$</regex>
<regex>HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RunMRU.*$</regex>
<regex>HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\.+\\Count.*$</regex>
<regex>HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Ext\\Stats\\.*$</regex>
<regex>HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Connections.*$</regex>
<regex>HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\5.0\\Cache.*$</regex>
<regex>HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\ShellNoRoam\\DUIBags\\ShellFolders\\.*$</regex>
<regex>HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\ShellNoRoam\\BagMRU.*$</regex>
<regex>HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\ShellNoRoam\\MUICache.*$</regex>
<regex>HKEY_CURRENT_USER\\Software\\Microsoft\\Windows Media\\WMSDK\\General.*$</regex>
<regex>HKEY_CURRENT_USER\\Volatile Environment$</regex>
<regex>HKEY_LOCAL_MACHINE\\SOFTWARE\\Macromedia$</regex>
<regex>HKEY_LOCAL_MACHINE\\SOFTWARE\\Macromedia\\FlashPlayer$</regex>
<regex>HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\RNG$</regex>
<regex>HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Dfrg\\BootOptimizeFunction$</regex>
<regex>HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Direct3D\\MostRecentApplication$</regex>
<regex>HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PCHealth\\PchSvc$</regex>
<regex>HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SystemCertificates\\.*$</regex>
<regex>HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM.*$</regex>
<regex>HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\BITS$</regex>
<regex>HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Group Policy\\State\\Machine\\Extension-List\\.*$</regex>
<regex>HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Group Policy\\State\\S.+\\Extension-List\\.*$</regex>
<regex>HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\WindowsUpdate\\.*$</regex>
<regex>HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\WindowsUpdate\\Auto Update.*$</regex>
<regex>HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Prefetcher$</regex>
<regex>HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Notify\\WgaLogon\\Settings$</regex>
<regex>HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet.+\\Services\\.+\\Parameters\\Tcpip.*$</regex>
<regex>HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet.+\\Services\\Dhcp\\Parameters.*$</regex>
<regex>HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet.+\\Services\\Eventlog\\Application\\ESENT.*$</regex>
<regex>HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet.+\\Services\\SharedAccess\\Epoch.*$</regex>
<regex>HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet.+\\Services\\Tcpip\\Parameters\\Interfaces\\.*$</regex>
<regex>HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\Dhcp\\Parameters.*$</regex>
<regex>HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\Eventlog\\Application\\ESENT.*$</regex>
<regex>HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\SharedAccess\\Epoch$</regex>
<regex>HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\Tcpip\\Parameters\\Interfaces\\.*$</regex>
<regex>HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\.+\\Parameters\\Tcpip.*$</regex>
<regex>HKEY_USERS\\.+\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\.+\\Count.*$</regex>
<regex>HKEY_USERS\\.+\\Software\\Microsoft\\Windows\\ShellNoRoam\\BagMRU.*$</regex>
<regex>HKEY_USERS\\.+\\UNICODE Program Groups.*$</regex>
<regex>HKEY_USERS\\S.+\\SessionInformation$</regex>
<regex>HKEY_USERS\\S.+\\Software\\Microsoft\\ActiveMovie\\devenum.*$</regex>
<regex>HKEY_USERS\\S.+\\Software\\Microsoft\\Internet Explorer\\IntelliForms$</regex>
<regex>HKEY_USERS\\S.+\\Software\\Microsoft\\Internet Explorer\\International$</regex>
<regex>HKEY_USERS\\S.+\\Software\\Microsoft\\Internet Explorer\\International\\CpMRU$</regex>
<regex>HKEY_USERS\\S.+\\Software\\Microsoft\\Internet Explorer\\Main$</regex>
<regex>HKEY_USERS\\S.+\\Software\\Microsoft\\Internet Explorer\\Security\\AntiPhishing.*$</regex>
<regex>HKEY_USERS\\S.+\\Software\\Microsoft\\Internet Explorer\\TypedURLs$</regex>
<regex>HKEY_USERS\\S.+\\Software\\Microsoft\\MediaPlayer.*$</regex>
<regex>HKEY_USERS\\S.+\\Software\\Microsoft\\Multimedia.*$</regex>
<regex>HKEY_USERS\\S.+\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MenuOrder\\Favorites\\Links.*$</regex>
<regex>HKEY_USERS\\S.+\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MenuOrder\\Start Menu2\\Programs.*$</regex>
<regex>HKEY_USERS\\S.+\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2.*$</regex>
<regex>HKEY_USERS\\S.+\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RunMRU.*$</regex>
<regex>HKEY_USERS\\S.+\\Software\\Microsoft\\Windows\\CurrentVersion\\Ext\\Stats\\.*$</regex>
<regex>HKEY_USERS\\S.+\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Connections.*$</regex>
<regex>HKEY_USERS\\S.+\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\5.0\\Cache.*$</regex>
<regex>HKEY_USERS\\S.+\\Software\\Microsoft\\Windows\\ShellNoRoam\\DUIBags\\ShellFolders\\.*$</regex>
<regex>HKEY_USERS\\S.+\\Software\\Microsoft\\Windows\\ShellNoRoam\\MUICache.*$</regex>
<regex>HKEY_USERS\\S.+\\Software\\Microsoft\\Windows Media\\WMSDK\\General.*$</regex>

08/24/07 07:17:11 changed by mbriggs

The problem still remains that you are not including the proper paths for Windows XP Spanish Edition. Consider this excerpt from one of your posts:

'name' => 'c:\\documents and settings\\admin\\configuraci\ufffdn local\\historial\\history.ie5\\mshist012007082320070824\\index.dat',

I will assume that '\ufffd' represents the accented character 'ó'. In your regular expressions the line that might correspond to this is:

<regex>C:/Documents and Settings/admin/Configuración local/History/History.IE5.*</regex>

However, as you can see, you did not translate 'history' to 'historial', which resulted in the regular expression failing. Assuming you need to use '&#243;' in the place of 'ó', your regex entry should look like:

<regex>C:/Documents and Settings/admin/Configuraci&#243;n local/Historial/History.IE5.*</regex>

When we first devised the exclusion lists, we had to go through the tedium of finding these paths, and unfortunately it looks like you'll have to do the same with the Windows XP Spanish Edition (which we do not currently have access to). All paths with Spanish translations must be changed in /etc/honeyclient.xml.

If you would be willing to submit your honeyclient.xml file after you have worked out all of the bugs, it would be a great help to the project, and we can attempt to provide better support for Spanish Language configurations. Feel free to contact us about contributing at honeyclient@mitre.org.
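To make the mechanism described in the last few comments concrete, here is an added example (my own illustration, not HoneyClient's code) that loads an <exclude_list> in the shape shown in this ticket and applies it to the kinds of filesystem and registry changes posted above. Everything in it is an assumption or constructed sample: the XML fragment uses the &#243; reference for 'ó' as suggested above; the agent is assumed to compare file paths with forward slashes, case-insensitively and anchored at the start of the path, and registry key names case-sensitively as written; the replacement character in the posted paths is taken to be 'ó'; and the 'descarga.exe' entry is invented to stand for a change that no exclusion should hide.

```python
import re
import xml.etree.ElementTree as ET

# Constructed excerpt shaped like the /etc/honeyclient.xml <exclude_list> sections
# discussed in this ticket. The Spanish folder name is written with the numeric
# character reference &#243; for 'ó', so the file stays pure ASCII and any XML
# parser decodes it to the accented letter.
HONEYCLIENT_XML = r"""<HoneyClient>
  <Agent>
    <Integrity>
      <Filesystem>
        <exclude_list>
          <regex>C:/Documents and Settings/admin/Configuraci&#243;n local/Historial/History.IE5.*</regex>
          <regex>C:/Documents and Settings/admin/Configuraci&#243;n local/Archivos temporales de Internet/Content.IE5.*</regex>
          <regex>C:/Documents and Settings/admin/Cookies.*</regex>
          <regex>C:/WINDOWS/SYSTEM32/config/security.*</regex>
        </exclude_list>
      </Filesystem>
      <Registry>
        <exclude_list>
          <regex>HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet.+\\Services\\kmixer\\Enum$</regex>
        </exclude_list>
      </Registry>
    </Integrity>
  </Agent>
</HoneyClient>
"""

# Two of the English-locale exclusions, for comparison.
ENGLISH_FS_REGEXES = [
    "C:/Documents and Settings/Administrator/Local Settings/History/History.IE5.*",
    "C:/Documents and Settings/Administrator/Local Settings/Temporary Internet Files/Content.IE5.*",
]

# Filesystem changes in the form the fingerprint dumps in this ticket report them
# (the replacement character in the posted paths is assumed to be 'ó'). The last
# entry is constructed: a change that no exclusion should hide.
FS_CHANGES = [
    r"c:\documents and settings\admin\configuración local\historial\history.ie5\mshist012007082320070824\index.dat",
    r"c:\documents and settings\admin\configuración local\archivos temporales de internet\content.ie5\m7y1e9m3\navbar[1].gif",
    r"c:\documents and settings\admin\cookies\index.dat",
    r"c:\windows\system32\config\security.log",
    r"c:\documents and settings\admin\escritorio\descarga.exe",
]

# Registry keys from the posted dumps (single backslashes; Data::Dumper doubles them).
REG_CHANGES = [
    r"HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\kmixer\Enum",
    r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\kmixer\Enum",
    r"HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Print\Providers",
]


def load_exclusions(xml_text, section):
    """Return the <regex> strings under Agent/Integrity/<section>/exclude_list."""
    root = ET.fromstring(xml_text)
    return [node.text for node in root.findall(f"./Agent/Integrity/{section}/exclude_list/regex")]


def compile_patterns(regexes, ignore_case):
    flags = re.IGNORECASE if ignore_case else 0
    return [re.compile(rx, flags) for rx in regexes]


def normalize_path(path):
    """Assumed agent behaviour: compare paths with forward slashes (case is
    handled by the IGNORECASE flag at compile time)."""
    return path.replace("\\", "/")


def flagged_changes(names, patterns, normalize=lambda s: s):
    """Names that no exclusion pattern matches from the start; these are what
    the integrity check would report as evidence of compromise."""
    return [n for n in names if not any(p.match(normalize(n)) for p in patterns)]


SPANISH_FS_REGEXES = load_exclusions(HONEYCLIENT_XML, "Filesystem")
REGISTRY_REGEXES = load_exclusions(HONEYCLIENT_XML, "Registry")


def demo():
    """Apply English, Spanish and registry exclusions; return what each still flags."""
    return {
        "english": flagged_changes(FS_CHANGES, compile_patterns(ENGLISH_FS_REGEXES, True), normalize_path),
        "spanish": flagged_changes(FS_CHANGES, compile_patterns(SPANISH_FS_REGEXES, True), normalize_path),
        "registry": flagged_changes(REG_CHANGES, compile_patterns(REGISTRY_REGEXES, False)),
    }


if __name__ == "__main__":
    for section, names in demo().items():
        print(f"{section}: {len(names)} change(s) still flagged")
        for n in names:
            print("   ", n)
```

Run as-is, the English list flags every Spanish path (so every visited page looks "compromised", exactly the symptom reported), the localized list leaves only the constructed descarga.exe flagged, and the single registry pattern excludes the ControlSet001 kmixer key but not its CurrentControlSet twin or the Print\Providers key, which is why the posted registry list carries separate ControlSet.+ and CurrentControlSet entries. Under these matching assumptions an unanchored prefix such as the bare C:/WINDOWS/SYSTEM32 entry in the posted list would silence every change under System32, so entries that broad are worth a second look before shipping them.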

08/27/07 09:08:47 changed by anonymous

Yes, thx!

I put the correct path in the regexp and it does not show any error at this point. The next problem is the regedit expressions.

'key_name' => 'HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet002\\Control\\Session Manager\\AppCompatibility'
},
{
  'status' => 2,
  'entries' => [
    {
      'name' => 'VideoInitTime',
      'new_value' => 'dword:0000007d',
      'old_value' => 'dword:000000fa'
    }
  ],
  'key_name' => 'HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet002\\Control\\Session Manager\\Memory Management\\PrefetchParameters'
},
{
  'status' => 2,
  'entries' => [
    {
      'name' => 'ShutdownCount',
      'new_value' => 'dword:00000011',
      'old_value' => 'dword:00000010'
    }
  ],
  'key_name' => 'HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet002\\Control\\Watchdog\\Display'
},
{
  'status' => 2,
  'entries' => [
    {
      'name' => 'ShutdownTime',
      'new_value' => 'hex:04,5f,fc,cb,a8,e8,c7,01',
      'old_value' => 'hex:84,f7,48,9f,9c,e8,c7,01'
    }
  ],
  'key_name' => 'HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet002\\Control\\Windows'
},
{
  'status' => 1,
  'entries' => [
    {
      'name' => 'ActiveService',
      'new_value' => 'Netman',
      'old_value' => undef
    }
  ],
  'key_name' => 'HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Enum\\Root\\LEGACY_NETMAN\\0000\\Control'
},
{
  'status' => 1,
  'entries' => [
    {
      'name' => 'ActiveService',
      'new_value' => 'Nla',
      'old_value' => undef
    }
  ],
  'key_name' => 'HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Enum\\Root\\LEGACY_NLA\\0000\\Control'
},
{
  'status' => 1,
  'entries' => [
    {
      'name' => 'ActiveService',
      'new_value' => 'SSDPSRV',
      'old_value' => undef
    }
  ],
  'key_name' => 'HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Enum\\Root\\LEGACY_SSDPSRV\\0000\\Control'
},
{
  'status' => 1,
  'entries' => [
    {
      'name' => 'ActiveService',
      'new_value' => 'TermService',
      'old_value' => undef
    }
  ],
  'key_name' => 'HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Enum\\Root\\LEGACY_TERMSERVICE\\0000\\Control'

Each new iexplore session shows different changes in the regedit sections and reports that the site is compromised.

I am adding the new modifications to /etc/honeyclient.xml, but it has not yet reached the point where it is correct.

Thx again.

08/27/07 09:53:23 changed by anonymous

I put the following lines into honeyclient.xml:

HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\DirectDraw\\MostRecentApplication
HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\kmixer\\Enum
HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\kmixer\\Enum

HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\EventSystem\\
HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Print\\Providers
HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Print\\Printers
HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Print\\Providers
HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Print\\Printers

HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\DMusic\\Enum
HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\drmkaud\\Enum
HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\splitter\\Enum
HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\swmidi\\Enum
HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\aec\\Enum
HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\DMusic\\Enum
HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\drmkaud\\Enum
HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\splitter\\Enum
HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\swmidi\\Enum

HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet002\\Control\\Session Manager\\AppCompatibility
HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet002\\Control\\Session Manager\\Memory Management\\PrefetchParameters
HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet002\\Control\\Watchdog\\Display
HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet002\\Control\\Windows
HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Enum\\Root\\LEGACY_NETMAN\\0000\\Control
HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Enum\\Root\\LEGACY_NLA\\0000\\Control
HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Enum\\Root\\LEGACY_SSDPSRV\\0000\\Control
HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Enum\\Root\\LEGACY_TERMSERVICE\\0000\\Control

OK, no problems, except:

'fingerprint' => {
  'registry' => [],
  'filesystem' => [
    {
      'status' => 2,
      'mtime' => '2007-08-27 13:49:22',
      'name' => 'c:\\windows\\system32\\config\\security.log',
      'content' => {
        'sha1' => 'UNKNOWN',
        'type' => 'UNKNOWN',
        'md5' => 'UNKNOWN',
        'size' => '1024'
      }
    }
  ],
  'last_resource' => 'http://fp.com/novuln.html'
}
};

WARNING: VM HAS BEEN COMPROMISED!

08/27/07 19:38:29 changed by kindlund

  • reporter changed from anonymous to apuigventos@isecauditors.com.
  • summary changed from 100% malicious to Integrity Misidentifies Files / Registry Keys As Malicious (Using Spanish Windows XP).
  • description changed.
  • milestone set to 0.9.

Hello,

When posting large amounts of data in the form of comments, please be sure to wrap them in triple curly brackets, like this:

{{{
TEXT
}}}

This allows us to more easily view raw data through our ticketing system.

It sounds like your last issue was with the file:

'c:\\windows\\system32\\config\\security.log'

In order to resolve this issue, you need to update your etc/honeyclient.xml file, and add the following line in the <exclude_list> section:

<regex>C:/WINDOWS/SYSTEM32/config/security.LOG</regex>

Please let us know if this resolves your issue.

Regards,

— Darien

08/29/07 06:06:31 changed by Angel <apuigventos@isecauditors.com>

  • status changed from new to closed.
  • resolution set to fixed.

Yes, I excluded <regex>C:/WINDOWS/SYSTEM32/config/security.*</regex>; sometimes the problem is C:/WINDOWS/SYSTEM32/config/security.

