Comments on: Malware IN Registry a.k.a If It Can’t Be Done, Why Am I Looking At It? http://www.cutawaysecurity.com/blog/archives/622 Cutaway's Observations, Opinions, Rants, Raves, Tantrums, and Tirades Wed, 02 Jun 2010 22:30:56 +0000 http://wordpress.org/?v=2.9.2 hourly 1 By: MHL http://www.cutawaysecurity.com/blog/archives/622/comment-page-1#comment-31171 MHL Sun, 02 Aug 2009 01:47:11 +0000 http://www.cutawaysecurity.com/blog/?p=622#comment-31171 Hi Don, nice write up. The Clampi/Ligats trojan stores DLLs in the registry, but they're encrypted so its not so easy to identify by looking for MZ. Here's a reference if you're interested: http://mnin.blogspot.com/2008/11/locating-hidden-clampi-dlls-vad-style.html Hi Don, nice write up. The Clampi/Ligats trojan stores DLLs in the registry, but they’re encrypted so its not so easy to identify by looking for MZ. Here’s a reference if you’re interested: http://mnin.blogspot.com/2008/11/locating-hidden-clampi-dlls-vad-style.html

]]> By: cutaway http://www.cutawaysecurity.com/blog/archives/622/comment-page-1#comment-31169 cutaway Wed, 29 Jul 2009 14:23:10 +0000 http://www.cutawaysecurity.com/blog/?p=622#comment-31169 @John, I don't think we have seen the last of the possibilities with the registry. I do like to see people trying to think of the next things that can occur. This helps us be proactive with our tool development. As usual this is going to be a reaction game. What I would really like to see Microsoft do is put out a good document on how to protect the registry. Although I must admit I have not actively searched for one. Looks like I have a new task. Thank you, Don @John,

I don’t think we have seen the last of the possibilities with the registry. I do like to see people trying to think of the next things that can occur. This helps us be proactive with our tool development. As usual this is going to be a reaction game. What I would really like to see Microsoft do is put out a good document on how to protect the registry. Although I must admit I have not actively searched for one. Looks like I have a new task.

Thank you,
Don

]]> By: cutaway http://www.cutawaysecurity.com/blog/archives/622/comment-page-1#comment-31168 cutaway Wed, 29 Jul 2009 14:19:00 +0000 http://www.cutawaysecurity.com/blog/?p=622#comment-31168 @Stefan, I believe you are correct but have not verified. I was not trying to single Symantec or Microsoft out. This could be a size issue, or a system stability issue, I am not completely certain. But that is why we write tools to assist AV. More on this later. Thank you, Don @Stefan,

I believe you are correct but have not verified. I was not trying to single Symantec or Microsoft out. This could be a size issue, or a system stability issue, I am not completely certain. But that is why we write tools to assist AV. More on this later.

Thank you,
Don

]]> By: Stefan http://www.cutawaysecurity.com/blog/archives/622/comment-page-1#comment-31167 Stefan Wed, 29 Jul 2009 12:42:59 +0000 http://www.cutawaysecurity.com/blog/?p=622#comment-31167 Please correct if I'm wrong but wrt AV products "not actively scan[ning] the whole registry looking for malicous behavior" I'm fairly sure that there currently isn't ANY AV vendor which does this. Anyone? Please correct if I’m wrong but wrt AV products “not actively scan[ning] the whole registry looking for malicous behavior” I’m fairly sure that there currently isn’t ANY AV vendor which does this.

Anyone?

]]> By: Interesting Information Security Bits for 07/28/2009 | Infosec Ramblings http://www.cutawaysecurity.com/blog/archives/622/comment-page-1#comment-31164 Interesting Information Security Bits for 07/28/2009 | Infosec Ramblings Tue, 28 Jul 2009 21:51:47 +0000 http://www.cutawaysecurity.com/blog/?p=622#comment-31164 [...] a couple other posts that are worth reading too. This is very cool…scary…but very cool. Security Ripcord >> Blog Archive >> Malware IN Registry a.k.a If It Can’t Be Done,... Tags: ( registry malware [...] [...] a couple other posts that are worth reading too. This is very cool…scary…but very cool. Security Ripcord >> Blog Archive >> Malware IN Registry a.k.a If It Can’t Be Done,… Tags: ( registry malware [...]

]]> By: John McCash http://www.cutawaysecurity.com/blog/archives/622/comment-page-1#comment-31163 John McCash Tue, 28 Jul 2009 16:15:01 +0000 http://www.cutawaysecurity.com/blog/?p=622#comment-31163 A coworker and I just had an interesting discussion about this... I take it in your case the malware in question was just writing itself from the registry to disk and then executing from there. However I suspect that if somebody could find a flaw in a routine that reads data from the registry, (Say an unchecked string buffer? No of course not. That could never happen.) they could probably use it to bootstrap code out of the registry that wouldn't have to reside elsewhere on disk at all. A creepy thought, no? A coworker and I just had an interesting discussion about this… I take it in your case the malware in question was just writing itself from the registry to disk and then executing from there. However I suspect that if somebody could find a flaw in a routine that reads data from the registry, (Say an unchecked string buffer? No of course not. That could never happen.) they could probably use it to bootstrap code out of the registry that wouldn’t have to reside elsewhere on disk at all. A creepy thought, no?

]]>