[ISN] Reports: Long Registry Names Could Hide Malware

InfoSec News isn at c4i.org
Tue Aug 30 02:34:00 EDT 2005


By Larry Seltzer 
August 29, 2005 

Reports on the Full-Disclosure research list and by the SANS Internet
Storm Center indicate a common bug in software that interacts with the
Windows registry. The bug could allow malicious programs to hide
values there, obscuring evidence of their presence on the system.

The problem involves registry values with names between 256 and 260
characters long, although there may be additional problems with names
at the outer limits of length restrictions for Microsoft's and other
registry editors. As the Full-Disclosure report [1] indicates, the
existence of such a key can hide not only its own presence, but also
other values in the same key.

The Full-Disclosure report demonstrated the effect in the Microsoft
Registry editing program that comes with Windows. Further research by
the Internet Storm Center [2] indicated several other programs,
including security-related programs, are similarly incapable of seeing
or modifying these values.

The main security concern relates to the "Run" keys, which are
specific keys that contain the names and locations of programs that
Windows should load at boot- and login-time. By using a value name
greater than 256 characters, a malicious program could possibly hide
its presence from security software, which usually checks these keys
for malicious use.

The use of such a key could not stop the security software from
scanning the file system and finding the programs being loaded through
these registry keys, and it could not stop intrusion prevention and
other behavior-monitoring software from taking note of the fact that a
value was being written to the Run keys, an action that usually raises
red flags.

The Internet Storm Center notes many programs that cannot read the
keys, including Lavasoft's Ad-Aware (no version specified), the
Microsoft AntiSpyware Beta and WinDoctor v. 7.00.22. Other tools,
including other versions of Microsoft registry tools, behave

The Internet Storm Center page also includes links to a free tool that
searches a computer's registry for value names that could cause the
problem noted in the reports.
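The kind of check the Storm Center's tool performs and the Run-key concern described above, as an added example in Python that is neither the article's nor the ISC tool's code: it enumerates the Run keys with winreg and flags any value name in the article's 256-and-up range. The key list, the 256-character threshold and the sample entries are assumptions constructed for the example.

```python
"""Flag overlong value names in the Windows autostart ("Run") keys."""
# Names of 256+ characters are flagged: the article's problem range starts
# at 256, and still longer names may hit other tools' limits (assumption).
LONG_NAME_THRESHOLD = 256

# Autostart locations the article calls the "Run" keys (constructed list).
RUN_KEY_PATHS = [
    ("HKLM", r"Software\Microsoft\Windows\CurrentVersion\Run"),
    ("HKCU", r"Software\Microsoft\Windows\CurrentVersion\Run"),
]

# Constructed sample: one ordinary value and one with a 258-character name,
# the kind of entry the article says the affected editors fail to display.
SAMPLE_VALUES = [
    ("ctfmon.exe", r"C:\WINDOWS\system32\ctfmon.exe"),
    ("A" * 258, r"C:\WINDOWS\Temp\hidden.exe"),
]


def find_long_value_names(values, threshold=LONG_NAME_THRESHOLD):
    """values: list of (name, data) pairs, so the check runs without a
    registry.  Returns (name_length, name_prefix, data) per long name."""
    findings = []
    for name, data in values:
        if len(name) >= threshold:
            # Report only a 40-character prefix of the offending name.
            findings.append((len(name), name[:40], data))
    return findings


def scan_run_keys(paths=RUN_KEY_PATHS):
    """Windows only: enumerate each Run key with winreg and return
    {key_path: findings}.  EnumValue sizes its buffers from QueryInfoKey,
    so overlong names are returned in full rather than truncated."""
    import winreg  # imported here so the pure check above runs anywhere
    hives = {"HKLM": winreg.HKEY_LOCAL_MACHINE, "HKCU": winreg.HKEY_CURRENT_USER}
    report = {}
    for hive, path in paths:
        try:
            with winreg.OpenKey(hives[hive], path) as key:
                values = [winreg.EnumValue(key, i)[:2]
                          for i in range(winreg.QueryInfoKey(key)[1])]
        except OSError:
            continue  # key absent on this system: nothing to scan
        hits = find_long_value_names(values)
        if hits:
            report[hive + "\\" + path] = hits
    return report
```

On a Windows host, `scan_run_keys()` returns an empty dict when no Run key holds an overlong name; `find_long_value_names(SAMPLE_VALUES)` exercises the check anywhere.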

[1] http://lists.grok.org.uk/pipermail/full-disclosure/2005-August/036448.html
[2] http://isc.sans.org/diary.php?date=2005-08-25
