[ossec-cvs] ossec-hids: win_applications_rcl.txt (NEW) win_audit_rcl.txt (NEW) win_malware_rcl.txt (NEW) [dcid]
- To: ossec-cvs@xxxxxxxxx
- Subject: [ossec-cvs] ossec-hids: win_applications_rcl.txt (NEW) win_audit_rcl.txt (NEW) win_malware_rcl.txt (NEW) [dcid]
- From: OSSEC CVS <cvs-commit@xxxxxxxxx>
- Date: Sat, 21 Jul 2007 18:53:48 -0300 (ADT)
- Content-transfer-encoding: 8bit
Module name: ossec-hids
Changes by: dcid 07/07/21 18:53:46
Added files:
win_applications_rcl.txt win_audit_rcl.txt win_malware_rcl.txt
Log message:
Description: Adding windows audit, apps and malware files.
Reviewed by: dcid
Bug:
--- NEW FILE: win_applications_rcl.txt ---
# @(#) $Id: win_applications_rcl.txt,v 1.1 2007/07/21 21:53:45 dcid Exp $
#
# OSSEC Application detection - (C) 2007 Daniel B. Cid - dcid@xxxxxxxxx
#
# Released under the same license as OSSEC.
# More details at the LICENSE file included with OSSEC or online
# at: http://www.ossec.net/en/licensing.html
#
# [Application name] [any or all] [reference]
# type:<entry name>;
#
# Type can be:
# - f (for file or directory)
# - r (registry entry)
# - p (process running)
#
# Additional values:
# For the registry , use "->" to look for a specific entry and another
# "->" to look for the value.
# For files, use "->" to look for a specific value in the file.
#
# Values can be preceeded by: =: (for equal) - default
# r: (for ossec regexes)
# >: (for strcmp greater)
# <: (for strcmp lower)
# Multiple patterns can be specified by using " && " between them.
# (All of them must match for it to return true).
[Chat/IM/VoIP - Skype] [any] []
f:\Program Files\Skype\Phone;
f:\Documents and Settings\All Users\Documents\My Skype Pictures;
f:\Documents and Settings\Skype;
f:\Documents and Settings\All Users\Start Menu\Programs\Skype;
r:HKLM\SOFTWARE\Skype;
r:HKEY_LOCAL_MACHINE\Software\Policies\Skype;
p:Skype.exe;
[Chat/IM - Yahoo] [any] []
f:\Documents and Settings\All Users\Start Menu\Programs\Yahoo! Messenger;
r:HKLM\SOFTWARE\Yahoo;
[Chat/IM - ICQ] [any] []
r:HKEY_CURRENT_USER\Software\Mirabilis\ICQ;
[Chat/IM - AOL] [any] [http://www.aol.com]
r:HKEY_LOCAL_MACHINE\SOFTWARE\America Online\AOL Instant Messenger;
r:HKEY_CLASSES_ROOT\aim\shell\open\command;
r:HKEY_CLASSES_ROOT\AIM.Protocol;
r:HKEY_CLASSES_ROOT\MIME\Database\Content Type\application/x-aim;
f:\Program Files\AIM95;
p:aim.exe;
[Chat/IM - MSN] [any] [http://www.msn.com]
r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSNMessenger;
r:HKEY_CURRENT_USER\SOFTWARE\Microsoft\MSNMessenger;
f:\Program Files\MSN Messenger;
f:\Program Files\Messenger;
p:msnmsgr.exe;
[Chat/IM - ICQ] [any] [http://www.icq.com]
r:HKLM\SOFTWARE\Mirabilis\ICQ;
[P2P - UTorrent] [any] []
p:utorrent.exe;
[P2P - LimeWire] [any] []
r:HKEY_LOCAL_MACHINE\SOFTWARE\Limewire;
r:HKLM\software\microsoft\windows\currentversion\run -> limeshop;
f:\Program Files\limewire;
f:\Program Files\limeshop;
[P2P/Adware - Kazaa] [any] []
f:\Program Files\kazaa;
f:\Documents and Settings\All Users\Start Menu\Programs\kazaa;
f:\Documents and Settings\All Users\DESKTOP\Kazaa Media Desktop.lnk;
f:\Documents and Settings\All Users\DESKTOP\Kazaa Promotions.lnk;
f:%WINDIR%\System32\Cd_clint.dll;
r:HKEY_LOCAL_MACHINE\SOFTWARE\KAZAA;
r:HKEY_CURRENT_USER\SOFTWARE\KAZAA;
r:HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN\KAZAA;
# http://vil.nai.com/vil/content/v_135023.htm
[Adware - RxToolBar] [any] [http://vil.nai.com/vil/content/v_135023.htm]
r:HKEY_CURRENT_USER\Software\Infotechnics;
r:HKEY_CURRENT_USER\Software\Infotechnics\RX Toolbar;
r:HKEY_CURRENT_USER\Software\RX Toolbar;
r:HKEY_CLASSES_ROOT\BarInfoUrl.TBInfo;
r:HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\RX Toolbar;
f:\Program Files\RXToolBar;
# http://btfaq.com/serve/cache/18.html
[P2P - BitTorrent] [any] [http://btfaq.com/serve/cache/18.html]
f:\Program Files\BitTorrent;
r:HKEY_CLASSES_ROOT\.torrent;
r:HKEY_CLASSES_ROOT\MIME\Database\Content Type\application/x-bittorrent;
r:HKEY_CLASSES_ROOT\bittorrent;
r:HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\BitTorrent;
# http://www.gotomypc.com
[Remote Access - GoToMyPC] [any] []
f:\Program Files\Citrix\GoToMyPC;
f:\Program Files\Citrix\GoToMyPC\g2svc.exe;
f:\Program Files\Citrix\GoToMyPC\g2comm.exe;
f:\Program Files\expertcity\GoToMyPC;
r:HKLM\software\microsoft\windows\currentversion\run -> gotomypc;
r:HKEY_LOCAL_MACHINE\software\citrix\gotomypc;
r:HKEY_LOCAL_MACHINE\system\currentcontrolset\services\gotomypc;
p:g2svc.exe;
p:g2pre.exe;
[Spyware - Twain Tec Spyware] [any] []
r:HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TwaintecDll.TwaintecDllObj.1;
r:HKEY_LOCAL_MACHINE\SOFTWARE\twaintech;
f:%WINDIR%\twaintec.dll;
# http://www.symantec.com/security_response/writeup.jsp?docid=2004-062611-4548-99&tabid=2
[Spyware - SpyBuddy] [any] []
f:\ProgramFiles\ExploreAnywhere\SpyBuddy\sb32mon.exe;
f:\ProgramFiles\ExploreAnywhere\SpyBuddy;
f:\ProgramFiles\ExploreAnywhere;
f:%WINDIR%\System32\pthreadVC.dll;
f:%WINDIR%\System32\sysicept.dll;
r:HKEY_LOCAL_MACHINE\Software\ExploreAnywhere Software\SpyBuddy;
[Spyware - InternetOptimizer] [any] []
r:HKLM\SOFTWARE\Avenue Media;
r:HKEY_CLASSES_ROOT\\safesurfinghelper.iebho.1;
r:HKEY_CLASSES_ROOT\\safesurfinghelper.iebho;
# EOF #
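Review bot: `[Chat/IM - ICQ]` is defined twice in this file, once with `r:HKEY_CURRENT_USER\Software\Mirabilis\ICQ;` and again after the MSN entry with `r:HKLM\SOFTWARE\Mirabilis\ICQ;` plus a reference URL; fold both registry lines into one entry so the same application is not reported under two identical names. Three smaller consistency points in the same file: the SpyBuddy lines use `\ProgramFiles\ExploreAnywhere` without the space that every other path spells as `\Program Files\`, which looks like a typo; the two InternetOptimizer lines have a doubled backslash (`HKEY_CLASSES_ROOT\\safesurfinghelper.iebho`) unlike every other registry entry; and hives are written as `HKLM`/`HKCU` in some entries and `HKEY_LOCAL_MACHINE`/`HKEY_CURRENT_USER` in others, which only works if the rootcheck parser normalizes both forms, and the header comment should say so if it does. Also, the header's "preceeded" should be "preceded", and the GoToMyPC reference URL sits in a comment above the entry while RxToolBar and BitTorrent put theirs in the `[reference]` field; pick one convention.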
--- NEW FILE: win_audit_rcl.txt ---
# @(#) $Id: win_audit_rcl.txt,v 1.1 2007/07/21 21:53:46 dcid Exp $
#
# OSSEC Windows Audit - (C) 2007 Daniel B. Cid - dcid@xxxxxxxxx
#
# Released under the same license as OSSEC.
# More details at the LICENSE file included with OSSEC or online
# at: http://www.ossec.net/en/licensing.html
#
# [Application name] [any or all] [reference]
# type:<entry name>;
#
# Type can be:
# - f (for file or directory)
# - r (registry entry)
# - p (process running)
#
# Additional values:
# For the registry , use "->" to look for a specific entry and another
# "->" to look for the value.
# For files, use "->" to look for a specific value in the file.
#
# Values can be preceeded by: =: (for equal) - default
# r: (for ossec regexes)
# >: (for strcmp greater)
# <: (for strcmp lower)
# Multiple patterns can be specified by using " && " between them.
# (All of them must match for it to return true).
# http://technet2.microsoft.com/windowsserver/en/library/486896ba-dfa1-4850-9875-13764f749bba1033.mspx?mfr=true
[Disabled Registry tools set] [any] []
r:HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System -> DisableRegistryTools -> 1;
r:HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System -> DisableRegistryTools -> 1;
# http://support.microsoft.com/kb/825750
[DCOM disabled] [any] []
r:HKEY_LOCAL_MACHINE\Software\Microsoft\OLE -> EnableDCOM -> N;
# http://web.mit.edu/is/topics/windows/server/winmitedu/security.html
[LM authentication allowed (weak passwords)] [any] []
r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA -> LMCompatibilityLevel -> 0;
r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA -> LMCompatibilityLevel -> 1;
# http://research.eeye.com/html/alerts/AL20060813.html
# Disabled by some Malwares (sometimes by McAfee and Symantec
# security center too).
[Firewall/Anti Virus notification disabled] [any] []
r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center -> FirewallDisableNotify -> !0;
r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center -> antivirusoverride -> !0;
r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center -> firewalldisablenotify -> !0;
r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center -> firewalldisableoverride -> !0;
[Microsoft Firewall disabled] [any] []
r:HKEY_LOCAL_MACHINE\software\policies\microsoft\windowsfirewall\domainprofile -> enablefirewall -> !0;
r:HKEY_LOCAL_MACHINE\software\policies\microsoft\windowsfirewall\standardprofile -> enablefirewall -> !0;
#http://web.mit.edu/is/topics/windows/server/winmitedu/security.html
[Null sessions allowed] [any] []
r:HKLM\System\CurrentControlSet\Control\Lsa -> RestrictAnonymous -> 0;
[Error reporting disabled] [any] [http://windowsir.blogspot.com/2007/04/something-new-to-look-for.html]
r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PCHealth\ErrorReporting -> DoReport -> 0;
r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PCHealth\ErrorReporting -> IncludeKernelFaults -> 0;
r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PCHealth\ErrorReporting -> IncludeMicrosoftApps -> 0;
r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PCHealth\ErrorReporting -> IncludeWindowsApps -> 0;
r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PCHealth\ErrorReporting -> IncludeShutdownErrs -> 0;
r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PCHealth\ErrorReporting -> ShowUI -> 0;
# http://support.microsoft.com/default.aspx?scid=315231
[Automatic Logon enabled] [any] [http://support.microsoft.com/default.aspx?scid=315231]
r:HKLM\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\Winlogon -> DefaultPassword;
r:HKLM\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\Winlogon -> AutoAdminLogon -> 1;
[Winpcap packet filter driver found] [any] []
f:%WINDIR%\System32\drivers\npf.sys;
# EOF #
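Review bot: the `[Microsoft Firewall disabled]` entry looks inverted: `enablefirewall -> !0` fires when the value is non-zero, that is, when the firewall is enabled, whereas the Security Center lines just above use `!0` for flags (`FirewallDisableNotify`, `antivirusoverride`, `firewalldisableoverride`) whose non-zero value means the protection or its notification is off. The two `enablefirewall` lines should test `-> 0`, or the entry should be renamed. Second, `[Automatic Logon enabled]` uses `HKLM\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\Winlogon`; the key is `Windows NT` with a space (win_malware_rcl.txt in this same commit spells it `Windows NT`), so as written the `DefaultPassword` and `AutoAdminLogon` checks can never match. Third, the `!` negation prefix used throughout this file (and as `!%WINDIR%\...` in win_malware_rcl.txt) is not among the value prefixes documented in the header (`=:`, `r:`, `>:`, `<:`); add it there. Minor: `FirewallDisableNotify -> !0` and `firewalldisablenotify -> !0` are the same value name in different case, and registry value names are case-insensitive, so one line is redundant unless the matcher compares case-sensitively, in which case that should be stated.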
--- NEW FILE: win_malware_rcl.txt ---
# @(#) $Id: win_malware_rcl.txt,v 1.1 2007/07/21 21:53:46 dcid Exp $
#
# OSSEC Windows Malware list - (C) 2007 Daniel B. Cid - dcid@xxxxxxxxx
#
# Released under the same license as OSSEC.
# More details at the LICENSE file included with OSSEC or online
# at: http://www.ossec.net/en/licensing.html
#
# [Malware name] [any or all] [reference]
# type:<entry name>;
#
# Type can be:
# - f (for file or directory)
# - r (registry entry)
# - p (process running)
#
# Additional values:
# For the registry , use "->" to look for a specific entry and another
# "->" to look for the value.
# For files, use "->" to look for a specific value in the file.
#
# # Values can be preceeded by: =: (for equal) - default
# r: (for ossec regexes)
# >: (for strcmp greater)
# <: (for strcmp lower)
# Multiple patterns can be specified by using " && " between them.
# (All of them must match for it to return true).
# http://www.iss.net/threats/ginwui.html
[Ginwui Backdoor] [any] [http://www.iss.net/threats/ginwui.html]
f:%WINDIR%\System32\zsyhide.dll;
f:%WINDIR%\System32\zsydll.dll;
r:HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\zsydll;
r:HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows -> AppInit_DLLs -> r:zsyhide.dll;
# http://www.symantec.com/security_response/writeup.jsp?docid=2006-081312-3302-99&tabid=2
[Wargbot Backdoor] [any] []
f:%WINDIR%\System32\wgareg.exe;
f:%WINDIR%\debug\dcpromo.log;
r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\wgareg;
# http://www.f-prot.com/virusinfo/descriptions/sober_j.html
[Sober Worm] [any] []
f:%WINDIR%\System32\nonzipsr.noz;
f:%WINDIR%\System32\clonzips.ssc;
f:%WINDIR%\System32\clsobern.isc;
f:%WINDIR%\System32\sb2run.dii;
f:%WINDIR%\System32\winsend32.dal;
f:%WINDIR%\System32\winroot64.dal;
f:%WINDIR%\System32\zippedsr.piz;
f:%WINDIR%\System32\winexerun.dal;
f:%WINDIR%\System32\winmprot.dal;
f:%WINDIR%\System32\dgssxy.yoi;
f:%WINDIR%\System32\cvqaikxt.apk;
f:%WINDIR%\System32\sysmms32.lla;
f:%WINDIR%\System32\Odin-Anon.Ger;
# http://www.symantec.com/security_response/writeup.jsp?docid=2005-042611-0148-99&tabid=2
[Hotword Trojan] [any] []
f:%WINDIR%\System32\_;
f:%WINDIR%\System32\explore.exe;
f:%WINDIR%\System32\ svchost.exe;
f:%WINDIR%\System32\mmsystem.dlx;
f:%WINDIR%\System32\WINDLL-ObjectsWin*.DLX;
f:%WINDIR%\System32\CFXP.DRV;
f:%WINDIR%\System32\CHJO.DRV;
f:%WINDIR%\System32\MMSYSTEM.DLX;
f:%WINDIR%\System32\OLECLI.DL;
[Beagle worm] [any] []
f:%WINDIR%\System32\winxp.exe;
f:%WINDIR%\System32\winxp.exeopen;
f:%WINDIR%\System32\winxp.exeopenopen;
f:%WINDIR%\System32\winxp.exeopenopenopen;
f:%WINDIR%\System32\winxp.exeopenopenopenopen;
# [http://www.symantec.com/security_response/writeup.jsp?docid=2006-112813-0222-99&tabid=2
[Looked.BK Worm] [any] []
f:%WINDIR%\uninstall\rundl132.exe;
f:%WINDIR%\Logo1_.exe;
f:%Windir%\RichDll.dll;
r:HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run -> load -> r:rundl132.exe;
[Possible Malware - Svchost running outside system32] [any] []
p:r:svchost.exe && !%WINDIR%\System32\svchost.exe;
[Possible Malware - Inetinfo running outside system32\inetsrv] [any] []
p:r:inetinfo.exe && !%WINDIR%\System32\inetsrv\inetinfo.exe;
[Possible Malware - Rbot/Sdbot detected] [any] []
f:%Windir%\System32\rdriv.sys;
f:%Windir%\lsass.exe;
[Possible Malware File] [any] []
f:%WINDIR%\utorrent.exe;
f:%WINDIR%\System32\utorrent.exe;
f:%WINDIR%\System32\Files32.vxd;
# Modified /etc/hosts entries
# Idea taken from:
# http://blog.tenablesecurity.com/2006/12/detecting_compr.html
# http://www.sophos.com/security/analyses/trojbagledll.html
# http://www.f-secure.com/v-descs/fantibag_b.shtml
[Anti-virus site on the hosts file] [any] []
f:%WINDIR%\System32\Drivers\etc\HOSTS -> r:avp.ch|avp.ru|nai.com;
f:%WINDIR%\System32\Drivers\etc\HOSTS -> r:awaps.net|ca.com|mcafee.com;
f:%WINDIR%\System32\Drivers\etc\HOSTS -> r:microsoft.com|f-secure.com;
f:%WINDIR%\System32\Drivers\etc\HOSTS -> r:sophos.com|symantec.com;
f:%WINDIR%\System32\Drivers\etc\HOSTS -> r:my-etrust.com|viruslist.ru;
f:%WINDIR%\System32\Drivers\etc\HOSTS -> r:networkassociates.com;
f:%WINDIR%\System32\Drivers\etc\HOSTS -> r:kaspersky|grisoft.com;
f:%WINDIR%\System32\Drivers\etc\HOSTS -> r:symantecliveupdate.com;
f:%WINDIR%\System32\Drivers\etc\HOSTS -> r:clamav.net|bitdefender.com;
f:%WINDIR%\System32\Drivers\etc\HOSTS -> r:antivirus.com|sans.org;
# EOF #
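Review bot: `f:%WINDIR%\System32\WINDLL-ObjectsWin*.DLX;` in the Hotword entry relies on a `*` wildcard that the header does not document for `f:` entries; if file lookups are literal this line never matches, so either document glob support or remove the line. Related consistency points: the Looked.BK and Rbot/Sdbot entries write `%Windir%` while the rest of the file uses `%WINDIR%`, which only works if variable expansion is case-insensitive; the Hotword line `f:%WINDIR%\System32\ svchost.exe;` has a leading space in the file name and deserves a comment saying it is intentional if it is, since next to the `[Possible Malware - Svchost running outside system32]` entry it reads like a typo; the reference comment above Looked.BK has a stray `[` before the URL; and the header line `# # Values can be preceeded by` has a doubled `#` and the same "preceeded" typo as the other two files. Finally, the `[Anti-virus site on the hosts file]` regexes match anywhere on a line, so a commented-out or documentation line in HOSTS that mentions `microsoft.com` or `sans.org` (neither an anti-virus site) also triggers; consider restricting the match to uncommented address lines and naming the entry for what it actually detects.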
OSSEC project: www.ossec.net.
Mailing list information: http://www.ossec.net/en/mailing_lists.html.