Threat Level: green Handler on Duty: Rob VandenBrink

SANS ISC InfoSec Handlers Diary Blog


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

Nasty Games of Hide and Seek in the Registry; Nepenthes

Published: 2005-08-24
Last Updated: 2005-08-29 12:31:50 UTC
by Daniel Wesemann (Version: 1)
0 comment(s)

Hide


What started like a nice and quiet day ended with the potential for lots of nasty surprises. A reader alerted us to a vulnerability note published by <A HREF="http://secunia.com/advisories/16560/">Secunia</A> that on first sight did not appear to be overly scary. Once we started to play with it, though, the nastiness became apparent: An overly long registry entry can be added, but won't be shown by regedit and regedt32. Even better, all registry entries that get added afterward under the same key, even if not overly long, will be hidden as well.
[Pause, to give your wheels some time to spin]
Yes. This allows to add hidden entries under the famous HKLM\Software\MS\Windows\CV\Run. Entries that you can't see with regedit, but that will just as faithfully get run at startup.

Seek


For a little good news, while regedit is completely blind, the command line "reg" utility can see the entries, apparently.

C:\>reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run

is the command to use. If it shows you start-up entries that you can't see in regedit, you just found a glitch in the Matrix.



Another faithful tool that doesn't lie like regedit is the tried and true "Autoruns" from Sysinternals: http://www.sysinternals.com/utilities/autoruns.html

Zapp


Once you've found them, getting rid of the offending registry entries isn't too easy, either. What worked for us during the tests was again "Autoruns" from Sysinternals, presumed you use the current (8.13) version. Older versions seem to occasionally choke on the long value name. Another approach one of the handlers used successfully was to do a "reg export" on the command line of the entire "Run" key. Then he manually deleted the entire "Run" key from the registry, edited the exported file to remove the offending values, and re-imported the reg file, thus recreating the "Run" key.

Of course, the usual disclaimer applies when you are monkey-wrenching the registry. You have been warned.

Let us know!


If you come across a tool that does or doesn't show or remove these hidden values, please let us know. We'll update the diary accordingly.


Update 20:21 UTC: Spybot S&D, AdAware and MS AntiSpyware Beta don't seem to find anything offending with the long value names. "Show Autostarts" of MS AntiSpyware Beta does not list the hidden values (values added after one with a long name). Spybot S&D TeaTimer will intercept these values when they are being added.

Nepenthes


Every now and then, news like the news above end up pushing other good stuff out of the diary. Thus, just briefly: If you like "mwcollectd", the automated malware sample collector, chances are you'll like Nepenthes even more. http://nepenthes.sourceforge.net/



-----------------

Daniel Wesemann

(with lots of research help from the entire handler gang)
Keywords:
0 comment(s)
Diary Archives