Flaw may hide malicious software

Beta2

These keys are stored in the Windows Registry, a core
part of the operating system that stores PC settings.
Some antivirus and anti-spyware products scan the
registry for malicious programs, but this new weakness
allows hackers to hide the presence of their
applications, according to security vendor StillSecure.

"It can be used to hide malicious programs on a system
that would go undetected by security software or registry
scanning tools," said Mitchell Ashley, chief technology
officer at StillSecure, which is based in Louisville,
Colo. Detection and clean-up could be difficult to
impossible, according to StillSecure.

The SANS Internet Storm Center, which tracks Internet
threats, on Thursday listed some applications that
according to reports it received can be tricked by the
longer registry keys. The list includes AdAware,
Microsoft's Windows AntiSpyware, HijackThis, Norton
SystemWorks 2003 Pro, Microsoft's Windows Registry Editor
and WinDoctor.

read: http://msn-cnet.com.com/Flaw+may+hide+malicious+software/2100-1002_3-5843863.html?part=msn-cnet&tag=feed_2501&subj=ns_5843863
 
Alan

Not likely.

The registry is used as a link to the program files and
its associated files on the system, and can't be used to
infect your system, nor hide the fact that an application
is on your system.

Even if there's a registry key for a particular app
that's been removed, the key is useless since it points
to a non-existent app and its associated files.

ALL scanners check the registry and also check to see if
any program files on the system are linked to spyware.
If it misses the registry key, but detects and removes
the application, then your system is safe.

One note to make is that this was also included in the
same report:

Microsoft is investigating the issue, a company
representative said in a statement e-mailed on Friday.
The software maker notes that an attacker can't hide
anything without first breaking into a system.

"This issue could not allow an attacker to remotely or
locally attack a user's computer," the Microsoft
representative said. "Rather, the attacker would already
have to have compromised the computer or convinced the
computer user to run malicious software."

According to Microsoft, the issue is not a security
vulnerability, but a function within the operating
system that could be misused. Microsoft said it is not
aware of the trick being employed to hide software.

However, SANS on Thursday said it started to see "some
possible reports of malware which utilizes this
concealment technique." The organization said it expects
to see that continue over the next few weeks as software
makers fix their products to allow these keys to be
visible.

Security monitoring company Secunia rates the Windows
Registry issue "not critical." The French Security
Incident Response Team also labels it "low risk."

Alan
 
Bill Sanderson

Yes. The guy who writes silentrunners.vbs has also confirmed that his
script will also call out such keys.

--
 
Bill Sanderson

That wasn't perfectly worded: SilentRunners doesn't specifically flag long
names, but it will print them out if they are in startup locations.


--
 
