Windows Flaw May Let Hackers Hide Code From AV Scanners
"Once we started to play with [the vulnerability], the nastiness became apparent: An overly long registry entry can be added, but won't be shown by regedit and regedt32," wrote ISC handler Daniel Wesemann on the group's alert site. "Even better, all registry entries that get added afterward under the same key, even if not overly long, will be hidden as well."
Other security professionals agreed. "This newly-discovered vulnerability can hide other entries in the registry, hiding malicious code 'autorun' entries, for example, behind this long registry key," said Mitchell Ashley, the chief technology officer of Colorado-based StillSecure.
"I'd compare it to the early days of buffer overflow of DNS and Bind requests," added Ashley. "If your security software doesn't catch this, you're wide open today. If it can't find evidence of malware, you could very easily be the next target."
Extra-long key entries (those greater than 254 characters) are mishandled by the Windows registry editor and essentially "disappear" from view, as do any entries added under the same key afterward, because the editor stops enumerating at the too-long entry, treating it as the last in the section.
Worse, many malicious code scanners have a similar blind spot, and also stop processing the registry for anomalous entries when they come to a too-long key.
The technique would let attackers add their malicious software to the "Run" registry key (at "HKey_Local_Machine\Software\Microsoft\Windows\CurrentVersion\Run") which lists the programs or components that automatically launch at Windows' boot. Typically, worms post changes to the registry there so that they run at Windows startup; anti-virus and anti-spyware scanners often look for these unanticipated changes to the registry to detect fishy activity.
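A defender-side check for the blind spot described above, as an added example rather than code from the article, the ISC or any vendor: enumerate the standard Run and RunOnce keys through the .NET registry API, list every entry, and flag value names longer than 254 characters. It assumes the .NET `GetValueNames()` call copes with oversized names (it does not share regedit's limit) and that the RunOnce key paths are the standard ones.

```powershell
# Added example (not from the article or the ISC): surface autorun entries that a
# length-limited enumerator would miss. Assumes .NET's GetValueNames() returns
# oversized value names intact.
function Get-AutorunEntries {
    param([int]$Threshold = 254)   # length the article says regedit stops at

    $autorunKeys = @(
        @{ Hive = [Microsoft.Win32.Registry]::LocalMachine; Path = 'Software\Microsoft\Windows\CurrentVersion\Run' },
        @{ Hive = [Microsoft.Win32.Registry]::LocalMachine; Path = 'Software\Microsoft\Windows\CurrentVersion\RunOnce' },
        @{ Hive = [Microsoft.Win32.Registry]::CurrentUser;  Path = 'Software\Microsoft\Windows\CurrentVersion\Run' },
        @{ Hive = [Microsoft.Win32.Registry]::CurrentUser;  Path = 'Software\Microsoft\Windows\CurrentVersion\RunOnce' }
    )

    foreach ($k in $autorunKeys) {
        $key = $k.Hive.OpenSubKey($k.Path, $false)   # read-only handle
        if ($null -eq $key) { continue }
        try {
            foreach ($name in $key.GetValueNames()) {
                # Keep the raw data; do not expand %VARS% so we see what is actually stored.
                $value = $key.GetValue($name, $null, 'DoNotExpandEnvironmentNames')
                [pscustomobject]@{
                    Hive    = $k.Hive.Name
                    Key     = $k.Path
                    NameLen = $name.Length
                    Flag    = if ($name.Length -gt $Threshold) { 'OVERSIZED-NAME' } else { '' }
                    # Truncate only for display; NameLen carries the real length.
                    Name    = if ($name.Length -gt 60) { $name.Substring(0, 60) + '...' } else { $name }
                    Value   = $value
                }
            }
        }
        finally { $key.Close() }
    }
}

# Every entry is printed, so anything "after" an oversized name is visible too.
Get-AutorunEntries | Sort-Object Flag -Descending | Format-Table -AutoSize
```

Run from an elevated prompt so the HKLM keys open; an `OVERSIZED-NAME` row, or any row that does not appear in regedit, is worth investigating.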
"It's crucial that [scanners] be able to see into the registry," argued Ashley.
The weakness, said Secunia, affects Windows 2000 and XP, including fully patched XP SP2 systems.
"We have started to see some possible reports of malware which utilizes this concealment technique in the wild," said the ISC in its Friday bulletin written by handler Robert Danford. "We expect this trend to continue over the life-cycle of the next few weeks as vendors patch their products as necessary to allow these keys to be visible to their scan engines."
Ashley confirmed that his firm had found code in the wild that was exploiting the vulnerability, but added that no infections had been reported as of mid-day Friday.
ISC has also assembled a partial list of those scanning engines which detect the "invisible" registry keys, and those which don't (or do, but crash while doing so).
Among the former, claimed the ISC, is StillSecure's SafeAccess, while the latter category included Spybot Search and Destroy, Symantec's SystemWorks, and Microsoft's Windows AntiSpyware.
"Although the vulnerability is in Windows, I think it's a programmatic error that other [security vendors] have made in limiting the length of registry keys they examine," said StillSecure's Ashley as he touted SafeAccess' ability to handle the bug. "We built our product to accommodate unusual or anomalous entries. To keep up with attackers, you definitely have to think outside of the box, because they do."