Reports: Long Registry Names Could Hide Malware

By Larry Seltzer  |  Posted 2005-08-29 Print this article Print

Programs that interact with the registry can be fooled by the presence of very long names, allowing programs to conceal themselves.

Reports on the Full-Disclosure research list and by the SANS Internet Storm Center indicate a common bug in software that interacts with the Windows registry. The bug could allow malicious programs to hide values there, obscuring evidence of their presence on the system.

The problem involves registry values with names between 256 and 260 characters long, although there may be additional problems with names at the outer limits of length restrictions for Microsofts and other registry editors. As the Full-Disclosure report indicates, the existence of such a key can hide not only its own presence, but also other values in the same key.

The Full-Disclosure report demonstrated the effect in the Microsoft Registry editing program that comes with Windows. Further research by the Internet Storm Center indicated several other programs, including security-related programs, are similarly-incapable of seeing or modifying these values.

Click here to read more about rootkits spawning new malware.

The main security concern relates to the "Run" keys, which are specific keys that contain the names and locations of programs that Windows should load at boot- and login-time. By using a value name greater than 256 characters, a malicious program could possibly hide its presence from security software, which usually checks these keys for malicious use.

The use of such a key could not stop the security software from scanning the file system and finding the programs being loaded through these registry keys, and it could not stop intrusion prevention and other behavior-monitoring software from taking note of the fact that a value was being written to the Run keys, an action that usually raises red flags.

Click here to read more about the coming of malware.

The Internet Storm Center notes many programs that cannot read the keys, including Lavasofts Ad-Aware (no version specified), the Microsoft AntiSpyware Beta and WinDoctor v. 7.00.22. Other tools, including other versions of Microsoft registry tools, behave appropriately.

The Internet Storm Center page also includes links to a free tool that searches a computers registry for value names that could cause the problem noted in the reports.

Check out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at Security Center Editor Larry Seltzers Weblog.
Larry Seltzer has been writing software for and English about computers ever since—,much to his own amazement—,he graduated from the University of Pennsylvania in 1983.

He was one of the authors of NPL and NPL-R, fourth-generation languages for microcomputers by the now-defunct DeskTop Software Corporation. (Larry is sad to find absolutely no hits on any of these +products on Google.) His work at Desktop Software included programming the UCSD p-System, a virtual machine-based operating system with portable binaries that pre-dated Java by more than 10 years.

For several years, he wrote corporate software for Mathematica Policy Research (they're still in business!) and Chase Econometrics (not so lucky) before being forcibly thrown into the consulting market. He bummed around the Philadelphia consulting and contract-programming scenes for a year or two before taking a job at NSTL (National Software Testing Labs) developing product tests and managing contract testing for the computer industry, governments and publication.

In 1991 Larry moved to Massachusetts to become Technical Director of PC Week Labs (now eWeek Labs). He moved within Ziff Davis to New York in 1994 to run testing at Windows Sources. In 1995, he became Technical Director for Internet product testing at PC Magazine and stayed there till 1998.

Since then, he has been writing for numerous other publications, including Fortune Small Business, Windows 2000 Magazine (now Windows and .NET Magazine), ZDNet and Sam Whitmore's Media Survey.

Submit a Comment

Loading Comments...
Manage your Newsletters: Login   Register My Newsletters

Rocket Fuel