Malicious code 'could hide in Windows Registry'

Joris Evers, CNET News

Published: 30 Aug 2005 09:40 BST

Miscreants could hide their malicious software on a Windows PC by using overly long registry keys, security experts have warned.

These keys are stored in the Windows Registry, a core part of the operating system that stores PC settings. Some antivirus and anti-spyware products scan the registry for malicious programs, but this new weakness allows hackers to hide the presence of their applications, according to security vendor StillSecure.

"It can be used to hide malicious programs on a system that would go undetected by security software or registry scanning tools," said Mitchell Ashley, chief technology officer at StillSecure, which is based in Louisville, Colo. Detection and cleanup could be difficult to impossible, according to StillSecure.

The SANS Internet Storm Center, which tracks Internet threats, on Thursday listed some applications that, according to reports it received, can be tricked by the longer registry keys. The list includes AdAware, Microsoft's Windows AntiSpyware, HijackThis, Norton SystemWorks 2003 Pro, Microsoft's Windows Registry Editor and WinDoctor.

"It is important for users to know if they may have a blind spot in their local system security," SANS associate Robert Danford wrote on the SANS ISC Web site. "The [essential information] here is that... it will be important to many to watch for product updates in the coming weeks." Danford also works for the security alert team at StillSecure.

Of most concern are the so-called "run" keys in the registry. These keys list programs that Windows launches automatically at logon. Microsoft's Registry Editor and several popular security programs won't display the overly long entries in those keys, yet Windows will still launch the programs they point to, according to StillSecure's Ashley.

"It would be very easy for a spyware programmer to hide a keystroke logger on your machine using this technique," Ashley said.
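The practical check is to read the "run" keys through the registry API rather than through a viewer that may truncate long names. The PowerShell script below is an added example and is not code from the article, StillSecure, SANS or Microsoft. It assumes a 255-character threshold for "overly long" (the article gives no figure), uses a scratch key HKCU:\Software\LongRegNameDemo for its round-trip demonstration, and its function names are the example's own.

```powershell
# Added example (not from the article, StillSecure, SANS or Microsoft).
# Enumerates the autostart "Run" keys through the registry API and flags value
# names long enough that regedit.exe may not display them.
# ASSUMPTION: 255 characters is used as the "overly long" threshold; the article
# gives no exact figure.
$MaxVisibleNameLength = 255

# The autostart keys the article calls the "run" keys, plus the 32-bit view on
# 64-bit Windows.
$RunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

function Get-RunKeyEntries {
    param([string[]]$Paths = $RunKeys)
    foreach ($path in $Paths) {
        # Get-Item on a registry path returns a Microsoft.Win32.RegistryKey.
        $key = Get-Item -LiteralPath $path -ErrorAction SilentlyContinue
        if (-not $key) { continue }
        # GetValueNames() calls RegEnumValue with a buffer sized for the key's
        # longest name, so every name comes back, however long; a tool that
        # allocates a fixed-size name buffer can skip or fail on names that
        # do not fit.
        foreach ($name in $key.GetValueNames()) {
            [pscustomobject]@{
                Key        = $path
                NameLength = $name.Length
                Suspicious = ($name.Length -ge $MaxVisibleNameLength)
                Command    = $key.GetValue($name, $null, 'DoNotExpandEnvironmentNames')
                Name       = $name
            }
        }
        $key.Close()
    }
}

# Demonstrates that the API round-trips a long value name: writes a 300-character
# name under an assumed scratch key (not a Run key, so nothing is set to
# autostart), reads it back with the enumerator above, then deletes the key.
# Returns $true when the long name is found and flagged.
function Test-LongValueNameRoundTrip {
    $scratch  = 'HKCU:\Software\LongRegNameDemo'   # assumed scratch location
    $longName = 'A' * 300
    New-Item -Path $scratch -Force | Out-Null
    New-ItemProperty -LiteralPath $scratch -Name $longName -Value 'demo' -PropertyType String | Out-Null
    try {
        $hit = Get-RunKeyEntries -Paths $scratch | Where-Object { $_.Name -eq $longName }
        [bool]$hit -and $hit.Suspicious
    } finally {
        Remove-Item -LiteralPath $scratch -Recurse -Force
    }
}

# Report: any row with Suspicious = True deserves a look at its Command.
Get-RunKeyEntries | Sort-Object Suspicious -Descending |
    Format-Table Key, NameLength, Suspicious, Command -AutoSize
```

On a clean system every row should report Suspicious = False; a True row is a value that a fixed-buffer viewer may have hidden, and its Command field shows what Windows will launch. Test-LongValueNameRoundTrip only touches the scratch key and removes it afterwards; run it to confirm the enumerator sees long names on your build before relying on the report.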

Microsoft is investigating the issue, a company representative said in a statement emailed on Friday. The software maker notes that an attacker can't hide anything without first breaking into a system.

"This issue could not allow an attacker to remotely or locally attack a user's computer," the Microsoft representative said. "Rather, the attacker would already have to have compromised the computer or convinced the computer user to run malicious software."

According to Microsoft, the issue is not a security vulnerability, but a function within the operating system that could be misused. Microsoft said it is not aware of the trick being employed to hide software.

However, SANS on Thursday said it started to see "some possible reports of malware which utilizes this concealment technique." The organisation said it expects to see that continue over the next few weeks as software makers fix their products to allow these keys to be visible.

Security monitoring company Secunia rates the Windows Registry issue "not critical". The French Security Incident Response Team also labels it "low risk".
