
SANS ISC: InfoSec Handlers Diary Blog - Internet Storm Center Diary 2005-08-25


Updated Windows Registry Concealment Info;Symantec AV Vulnerability

Published: 2005-08-25
Last Updated: 2005-08-29 15:57:52 UTC
by Robert Danford (Version: 1)

Updated Windows Registry Concealment Info

First of all thank you once again to the scores of people who have sent us data, suggestions, code, test results, etc on this issue. We could not provide what we do to the community without this collective worldwide effort.

We have started to see some possible reports of malware which utilizes this concealment technique in the wild. We expect this trend to continue over the next few weeks as vendors patch their products as necessary to allow these values to be visible to their scan engines.

With the help of you all we have been collecting reports of what products/versions deal with this issue well or not at all. If you see any inaccuracies or omissions please let us know.
Please don't take this as product bashing. Everyone we've talked to is interested in handling this issue and getting patches out as necessary. However, we think it's important for users to know if they may have a blind spot in their local system security. I think the take-home here is that a malware scanning utility (be it Anti-Virus, Anti-Spyware, etc.) that can watch over your registry for you is a critical part of keeping safe, and that it will be important for many to watch for product updates in the coming weeks and to get updated (not to mention regular updates, sigs, etc.).

It's important to note that many products have several registry-related functions, and each function does not necessarily work as well as the others in regards to this issue.

Also, version information was not included in all submissions, so if you see a product listed here without a version, it might be a good idea to double check, but don't freak out.
Also, it's important to note that this information is being provided in the hopes you may find it useful. It doesn't imply an opinion, endorsement, etc. of SANS or the ISC. Also, this list is by no means exhaustive. We're all volunteers just trying to lend a hand, and there are only so many hours in the day to analyze, evaluate, test, etc.

Products that have been reported to be able to query/report/delete/etc these values:

AppSense Environment Manager

HiJackThis v1.99.1 (SCAN function)

HiJackThis v1.99.2

StillSecure Safe Access

Sysinternals Autoruns (mixed reports)

Regedt32 (Win2k)

Spybot S&D

Products that have been reported to not be able to see these values (at least in some versions) or to behave unexpectedly (crash, etc.):


Autoruns 8.13

MS AntiSpyware Beta

HijackThis v1.97.0.7

HiJackThis v1.99.0

HiJackThis v1.99.1* (Generate StartupListLog)

Msconfig (WinXP)

Norton SystemWorks 2003 Pro

RegAlyzer 1.1


reg.exe (under some circumstances)

Registry Explorer

WinDoctor v. 7.00.22

Helpful tools/Tips

Cygwin regtool

(example: regtool list /HKLM/Software/Microsoft/Windows/CurrentVersion/Run)

Cygwin ls

(example: ls -l /proc/registry/HKEY_LOCAL_MACHINE/Software/Microsoft/Windows/CurrentVersion/Run)

Perl's Win32::TieRegistry


System Information tool (winmsd.exe)

export registry, make your edits and then re-import

*Special Note: Merjin has been working on this class of issues; keep an eye out for v1.99.2 of HijackThis for full support in dealing with values with long names.

And the best for last. Our own Tom Liston has created, out of the kindness of his heart and his deep concern for all of humanity, a recursive registry scanner which will report on values with names in excess of 254 characters. Enjoy! And please let us know if you start finding all sorts of long entries. It will help us get a handle on the prevalence of this issue, and we'll provide updates here in the diary as we figure out what's going on, so hopefully the world will be a little safer place.

FILE: (3584 bytes)
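The attached scanner is not reproduced on this page, so here is an added example of the same idea, written for this diary and not Tom Liston's code. It walks a registry subtree recursively and reports every value whose name is longer than 254 characters, the threshold the diary uses. The traversal and the length check (scan_tree) are kept separate from registry access, so the logic can be exercised against a constructed in-memory tree (SAMPLE_KEYS, sample_walker) on any platform; on Windows, winreg_walker reads the live registry through Python's standard winreg module. The function and variable names, the constructed sample tree, and the assumption that CPython's winreg.EnumValue sizes its name buffer from the key's reported maximum (so long names are enumerated rather than truncated) are all mine, not the diary's.

```python
"""Recursive registry scanner reporting value names longer than a threshold.

Added example, not the scanner attached to the ISC diary. The walk and the
length check are independent of how keys are read, so the same code runs
over a constructed sample tree off Windows and over the real registry on it.
"""
import sys
from typing import Callable, Dict, List, Tuple

# Threshold from the diary: value names longer than 254 characters are
# reported, since several registry tools could not display them.
MAX_NAME_LEN = 254

# A walker maps a key path such as "HKLM\\Software" to
# (subkey names, value names) for that key, raising OSError if unreadable.
Walker = Callable[[str], Tuple[List[str], List[str]]]


def scan_tree(walker: Walker, root: str,
              max_len: int = MAX_NAME_LEN) -> List[Tuple[str, int]]:
    """Walk every key at or below `root` and return (key path, name length)
    for each value whose name exceeds `max_len`. Keys that cannot be read
    (access denied, key removed mid-scan) are skipped, not fatal."""
    findings: List[Tuple[str, int]] = []
    stack = [root]
    while stack:
        path = stack.pop()
        try:
            subkeys, value_names = walker(path)
        except OSError:
            continue
        for name in value_names:
            if len(name) > max_len:
                findings.append((path, len(name)))
        for sub in subkeys:
            stack.append(path + "\\" + sub)
    return findings


# Constructed sample tree (assumption: not real registry data). Maps a key
# path to (subkeys, value names); the Run key holds one ordinary autorun
# entry and one whose name is 300 characters long.
SAMPLE_KEYS: Dict[str, Tuple[List[str], List[str]]] = {
    "HKLM": (["Software"], []),
    "HKLM\\Software": (["Microsoft"], []),
    "HKLM\\Software\\Microsoft": (["Windows"], []),
    "HKLM\\Software\\Microsoft\\Windows": (["CurrentVersion"], []),
    "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion": (["Run"], []),
    "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run":
        ([], ["ctfmon", "A" * 300]),
}


def sample_walker(path: str) -> Tuple[List[str], List[str]]:
    """Walker over the constructed tree; unknown keys raise like a real
    OpenKey failure would."""
    if path not in SAMPLE_KEYS:
        raise OSError(f"no such key: {path}")
    return SAMPLE_KEYS[path]


def winreg_walker(path: str) -> Tuple[List[str], List[str]]:
    """Windows-only walker over the live registry. Assumption: CPython's
    winreg sizes its name buffer from RegQueryInfoKey, so names longer
    than 254 characters are returned whole."""
    import winreg  # only importable on Windows
    hives = {"HKLM": winreg.HKEY_LOCAL_MACHINE, "HKCU": winreg.HKEY_CURRENT_USER,
             "HKU": winreg.HKEY_USERS, "HKCR": winreg.HKEY_CLASSES_ROOT}
    hive, _, subpath = path.partition("\\")
    with winreg.OpenKey(hives[hive], subpath, 0, winreg.KEY_READ) as key:
        n_sub, n_val, _ = winreg.QueryInfoKey(key)
        subkeys = [winreg.EnumKey(key, i) for i in range(n_sub)]
        values = [winreg.EnumValue(key, i)[0] for i in range(n_val)]
    return subkeys, values


def main() -> None:
    # Default root is the Run key from the diary's regtool example.
    root = (sys.argv[1] if len(sys.argv) > 1
            else "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run")
    walker = winreg_walker if sys.platform == "win32" else sample_walker
    for path, length in scan_tree(walker, root):
        print(f"{path}: value name of {length} characters")


if __name__ == "__main__":
    main()
```

Run it on Windows as an administrator with a hive-rooted path such as `HKLM` to cover the whole hive; elsewhere it runs against the sample tree and flags the 300-character name under the Run key. The point of the walker abstraction is that the blind spot described in the diary lives in how a tool reads names, not in the traversal, so the reading code is the one piece to audit when adopting a scanner.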




If I leave anyone's name out please forgive me and/or flame me.

A big thanks to:

Aaron, Adam, Alan, Bill, Daniel, Eduardo, Frank, Iain, John, Juanma, Linford, Luis, Merjin, Merrill, Michael, Niels, Randall, Robert (not me, another one), Simon, Tom, and all of the folks on the DShield Forum.

Thought I was kidding, didn't you? That's just the folks that have helped us out in the last 24 hours.

You guys rock.

Symantec AV Vulnerability

The Symantec AntiVirus Corporate Edition HTML client help function uses HTML help, the Windows help interface, to provide support to the client user. A non-privileged client user can manipulate the help function to access files on the system with local SYSTEM privileges.

[from Symantec]


Robert Danford

SANS ISC Handler on Duty
