Malware Can Be Hidden In Registry Keys

SAN FRANCISCO ? Script kiddies and other malcontents can hide their malicious software on a Windows PC by using overly long registry keys, security experts warn.

These keys are stored in the Windows Registry, a core part of the operating system that stores PC settings. Some antivirus and anti-spyware products scan the registry for malicious programs, but this new weakness allows hackers to hide the presence of their applications, according to security vendor StillSecure, in an interview with CNET.Com.

“It can be used to hide malicious programs on a system that would go undetected by security software or registry scanning tools,” said Mitchell Ashley, chief technology officer at StillSecure, which is based in Louisville, Colo. Detection and cleanup could be difficult to impossible, according to StillSecure.

The SANS Internet Storm Center, which tracks Internet threats, on Thursday listed some applications that, according to reports it received, can be tricked by the longer registry keys. The list includes AdAware, Microsoft’s Windows AntiSpyware, HijackThis, Norton SystemWorks 2003 Pro, Microsoft’s Windows Registry Editor and WinDoctor.

“It is important for users to know if they may have a blind spot in their local system security,” SANS associate Robert Danford wrote on the SANS ISC Web site. “The take-home here is that…it will be important to many to watch for product updates in the coming weeks.” Danford also works for the security alert team at StillSecure.

Of most concern are the so-called “run” keys in the registry. These keys are used to start applications when a Windows PC boots. Microsoft’s Registry Editor and several popular security programs won’t detect the overly long entries in the Windows Registry, yet the applications will still start, according to StillSecure’s Ashley.

“It would be very easy for a spyware programmer to hide a keystroke logger on your machine using this technique,” he said.

Microsoft is investigating the issue, a company representative said in a statement e-mailed on Friday. The software maker notes that an attacker can’t hide anything without first breaking into a system.