http://www.eweek.com/article2/0,1895,1853561,00.asp By Larry Seltzer August 29, 2005 Reports on the Full-Disclosure research list and by the SANS Internet Storm Center indicate a common bug in software that interacts with the Windows registry. The bug could allow malicious programs to hide values there, obscuring evidence of their presence on the system. The problem involves registry values with names between 256 and 260 characters long, although there may be additional problems with names at the outer limits of length restrictions for Microsoft's and other registry editors. As the Full-Disclosure report [1] indicates, the existence of such a key can hide not only its own presence, but also other values in the same key. The Full-Disclosure report demonstrated the effect in the Microsoft Registry editing program that comes with Windows. Further research by the Internet Storm Center [2] indicated several other programs, including security-related programs, are similarly-incapable of seeing or modifying these values. The main security concern relates to the "Run" keys, which are specific keys that contain the names and locations of programs that Windows should load at boot- and login-time. By using a value name greater than 256 characters, a malicious program could possibly hide its presence from security software, which usually checks these keys for malicious use. The use of such a key could not stop the security software from scanning the file system and finding the programs being loaded through these registry keys, and it could not stop intrusion prevention and other behavior-monitoring software from taking note of the fact that a value was being written to the Run keys, an action that usually raises red flags. The Internet Storm Center notes many programs that cannot read the keys, including Lavasoft's Ad-Aware (no version specified), the Microsoft AntiSpyware Beta and WinDoctor v. 7.00.22. Other tools, including other versions of Microsoft registry tools, behave appropriately. The Internet Storm Center page also includes links to a free tool that searches a computer's registry for value names that could cause the problem noted in the reports. [1] http://lists.grok.org.uk/pipermail/full-disclosure/2005-August/036448.html [2] http://isc.sans.org/diary.php?date=2005-08-25 _________________________________________ Attend ToorCon Sept 16-18th, 2005 Convention Center San Diego, California www.toorcon.org
This archive was generated by hypermail 2.1.3 : Tue Aug 30 2005 - 00:00:55 PDT