
| Subject: | [ISN] Reports: Long Registry Names Could Hide Malware |
|---|---|
| Date: | Tue, 30 Aug 2005 01:34:00 -0500 (CDT) |
http://www.eweek.com/article2/0,1895,1853561,00.asp

By Larry Seltzer
August 29, 2005

Reports on the Full-Disclosure research list and by the SANS Internet Storm Center indicate a common bug in software that interacts with the Windows registry. The bug could allow malicious programs to hide values there, obscuring evidence of their presence on the system.

The problem involves registry values with names between 256 and 260 characters long, although there may be additional problems with names at the outer limits of length restrictions for Microsoft's and other registry editors. As the Full-Disclosure report [1] indicates, the existence of such a key can hide not only its own presence, but also other values in the same key.

The Full-Disclosure report demonstrated the effect in the Microsoft Registry editing program that comes with Windows. Further research by the Internet Storm Center [2] indicated several other programs, including security-related programs, are similarly incapable of seeing or modifying these values.

The main security concern relates to the "Run" keys, which are specific keys that contain the names and locations of programs that Windows should load at boot and login time. By using a value name greater than 256 characters, a malicious program could possibly hide its presence from security software, which usually checks these keys for malicious use.

The use of such a key could not stop the security software from scanning the file system and finding the programs being loaded through these registry keys, and it could not stop intrusion prevention and other behavior-monitoring software from taking note of the fact that a value was being written to the Run keys, an action that usually raises red flags.

The Internet Storm Center notes many programs that cannot read the keys, including Lavasoft's Ad-Aware (no version specified), the Microsoft AntiSpyware Beta and WinDoctor v. 7.00.22. Other tools, including other versions of Microsoft registry tools, behave appropriately. The Internet Storm Center page also includes links to a free tool that searches a computer's registry for value names that could cause the problem noted in the reports.

[1] http://lists.grok.org.uk/pipermail/full-disclosure/2005-August/036448.html
[2] http://isc.sans.org/diary.php?date=2005-08-25
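The check the article describes, scanning the autostart keys for value names long enough to be hidden from regedit and the affected tools, can be reproduced in a few lines of PowerShell. The script below is an added example, not the Internet Storm Center's tool and not code from the eWeek article. It assumes that the .NET RegistryKey API, which PowerShell's HKLM: and HKCU: providers wrap, enumerates and deletes value names of any length (the article says other Microsoft registry tools behave correctly, but this script has not been verified against every Windows version), and it uses 255 characters as the reporting threshold, taken from the article's "between 256 and 260 characters" description. The list of Run keys and the scratch key used by the self-test are choices made here, not from the article.

```powershell
# Added example: find registry value names long enough to be hidden from
# regedit and the tools named in the ISC diary. Not the ISC scanner itself.

# Autostart locations scanned by default. Wow6432Node exists only on 64-bit
# Windows; missing keys are skipped.
$script:RunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

function Find-LongRegistryValueName {
    param(
        [string[]]$Path = $script:RunKeys,
        # Threshold taken from the article; names longer than this are reported.
        [int]$MinLength = 255
    )
    foreach ($p in $Path) {
        if (-not (Test-Path -LiteralPath $p)) { continue }
        # Use the underlying RegistryKey object rather than Get-ItemProperty so
        # we walk the raw value names (assumption: .NET enumerates long names).
        $key = Get-Item -LiteralPath $p
        try {
            foreach ($name in $key.GetValueNames()) {
                if ($name.Length -gt $MinLength) {
                    [pscustomobject]@{
                        Key        = $p
                        NameLength = $name.Length
                        NamePrefix = $name.Substring(0, [Math]::Min(40, $name.Length)) + '...'
                        Data       = $key.GetValue($name)
                    }
                }
            }
        }
        finally {
            $key.Close()
        }
    }
}

function Test-LongRegistryValueNameScanner {
    # Self-test in a scratch key under HKCU (hypothetical path chosen here) so
    # nothing is written to a real Run key. Creates a 300-character value name,
    # confirms the scanner reports it, then removes the whole scratch key.
    $scratch = 'HKCU:\SOFTWARE\LongValueNameScannerTest'
    $longName = 'X' * 300
    New-Item -Path $scratch -Force | Out-Null
    $key = Get-Item -LiteralPath $scratch
    try {
        $key.SetValue($longName, 'C:\example\payload.exe')   # constructed data
    }
    finally {
        $key.Close()
    }
    try {
        $hits = @(Find-LongRegistryValueName -Path $scratch)
        if ($hits.Count -eq 1 -and $hits[0].NameLength -eq 300) {
            Write-Host 'OK: 300-character value name detected in scratch key'
        } else {
            Write-Warning 'Scanner did not report the long value name'
        }
    }
    finally {
        # Removing the key tree sidesteps having to name the long value.
        Remove-Item -LiteralPath $scratch -Recurse -Force
    }
}

# Usage: run the self-test, then scan the real autostart keys.
Test-LongRegistryValueNameScanner
Find-LongRegistryValueName | Format-List
```

Reading the HKLM Run keys does not need elevation, and the self-test touches only the HKCU scratch key. A hit means only that a value name exceeds the threshold; as the article notes, the file the value points to is still visible to a file-system scan, so the Data column is where to look next.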