Windows Registry - Nasty Games of Hide & Seek

Posted Friday, August 26, 2005 5:07 PM by hwaldron

For the past 2 days, the Internet Storm Center (ISC) has shared a warning about long registry value names that malware can use to hide entries from REGEDIT, making removal more complicated than in the past.

The ISC is offering a free Registry Search Tool.  This neat new tool will locate the registry key values greater than 255 characters in length.

Windows Registry - Nasty Games of Hide & Seek
http://isc.sans.org/diary.php?date=2005-08-24
http://isc.sans.org/diary.php?date=2005-08-25

ISC Registry Search tool -- locates long key values
http://isc.sans.org/LVNSearch.exe

QUOTE: We have started to see some possible reports of malware which utilizes this concealment technique in the wild.  Products that have been reported to be able to query/report/delete/etc these keys:

AppSense Environment Manager
HiJackThis v1.99.1 (SCAN function)
HiJackThis v1.99.2 (in development)
Stillsecure SafeAccess
Sysinternals Autoruns (mixed reports)
Regedt32 (Win2k)
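
As an added example (not the ISC tool and not part of the original post), the following PowerShell scan enumerates value names through the .NET RegistryKey API rather than REGEDIT's display and reports any name longer than 255 characters, the threshold the warning describes. The two root paths are assumptions chosen for illustration; point it at any hive path you want to check.

```powershell
# Added example: report registry value names longer than 255 characters.
# Threshold (255) comes from the ISC warning; root paths are assumptions.
function Find-LongValueNames {
    param(
        [Parameter(Mandatory)] [string]$Root,   # e.g. 'HKLM:\Software'
        [int]$Threshold = 255
    )
    # Include the root key itself, then every subkey beneath it.
    # Keys we cannot open (permissions) are skipped silently.
    $keys = @(Get-Item -LiteralPath $Root -ErrorAction SilentlyContinue)
    $keys += Get-ChildItem -LiteralPath $Root -Recurse -ErrorAction SilentlyContinue

    foreach ($key in $keys) {
        foreach ($name in $key.GetValueNames()) {
            if ($name.Length -gt $Threshold) {
                [pscustomobject]@{
                    Key        = $key.Name
                    NameLength = $name.Length
                    # Only the start of the name; the full name is usually padding.
                    NamePrefix = $name.Substring(0, [Math]::Min(40, $name.Length))
                    Kind       = $key.GetValueKind($name)
                    Data       = $key.GetValue($name)
                }
            }
        }
    }
}

# Assumed starting points: the per-user and machine-wide CurrentVersion trees.
# Run from an elevated prompt for full HKLM coverage.
$roots = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion'
)
$hits = foreach ($r in $roots) { Find-LongValueNames -Root $r }
if ($hits) {
    $hits | Format-Table Key, NameLength, Kind, Data -AutoSize
} else {
    Write-Host "No value names longer than 255 characters found under the scanned roots."
}
```

Anything reported here but absent from REGEDIT's view of the same key is exactly the concealment the ISC diaries describe; the Data column shows what the hidden value points at so it can be reviewed before removal.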
