Chapter 1: Windows Attacks


Overview

Sixth century B.C. Chinese war philosopher Sun Tzu is popularly credited with first publishing the "Know Thy Enemy" battle strategy. In order to set up a secure computer defense, you have to define the enemy correctly. This is where many computer security defense courses, books, and articles go wrong. They spend the majority of their time telling you how to defend against the dedicated, manual attacker while either ignoring or giving improbably brief coverage to the much more realistic threat of malicious mobile code and malware networks. And if they can't define the problem correctly, how can they tell you how to successfully defend your computing environment? This chapter summarizes the various types of attacks that malware (and the dedicated hacker) can use to compromise Windows-based computers, and discusses the vulnerable areas of Windows in detail. Table 1-1, "Where Malware Hides," at the end of the chapter, is the most exhaustive list available in any publication.

Table 1-1: Where Malware Hides

Columns: Area, Name, Function, Notes. Each entry below lists these four fields in that order, one per paragraph; the Notes field may run to several paragraphs.

Application

Archive files

Malware can be hidden or launched from within archive file formats.

Archive file formats, such as PKZIP, Cab, Stuff-it, and Tar, manipulate/obscure the original file and can allow malicious files to bypass detection mechanisms.

Malware files can be hidden in nested archive files, and won't be detected unless detection mechanisms use recursive scanning; even then the key is how "deep" the recursive scanning will try.

Denial-of-service attacks and detection bypass have been successfully caused by overly large uncompressed file names, overly "deep" directory structures, etc.

Exploded archive files have also been used to overwrite other legitimate files in directories the user did not intend.

Application

Auto-run application files

Malware can launch from any auto-running file associated with a particular application.

Examples include MS-Office auto-run macros.

Archive files can also have auto-run files executed after the archive is opened.

Application

Embedded or linked files

Many applications and their file formats allow other document types to be embedded/executed.

For instance, MS-Word files can have MS-Excel files embedded that are automatically executed when the Word file is opened.

Application

Microsoft Word

Embedded scripting can be used to manipulate remote file systems — to write over, copy, and delete files on the system which opened the MS-Word file.

It has been demonstrated that a maliciously crafted MS-Word file can secretly send a named document to a remote intruder.

Application

Cross-site scripting (XSS)

HTML-based forms and e-mail allow malicious scripts to be embedded by a rogue hacker and executed on other computers that innocently view the HTML code.

Very common malware vector. Most HTML-based e-mail services have been the victim of one or more cross-site scripting attacks. Has also affected many web sites, blogs, and databases. Can only be defeated when the HTML-based service prevents the insertion of malicious scripting into input fields that are later displayed to other viewers.

Application

Outlook

Malware can manipulate Outlook to send other recipients malicious e-mails.

Can be done by malware becoming an add-in (e.g., Hotbar adware).

Can be done by manipulating SMTP server settings or the HOSTS file and intercepting sent e-mail.

Can be done by adding malicious script as an unauthorized e-mail signature (ex. JS.Fortnight worm). This exploit occurs more in Outlook Express than Outlook.

File

Alternate Data Streams

Malware can hide itself in the Alternate Data Streams (ADS) of a Windows file.

ADS example: regularfile.exe:malware.exe

If executed, the ADS process (i.e., malware.exe) will appear as regularfile.exe in Task Manager.

No built-in Windows utility to show ADS files, but many companies, including www.sysinternals.com and Microsoft (Resource Kits), have tools to do so.

File

Any executable

Viruses can modify any executable, script file, or macro file to run.

Works in DOS and any version of Windows.

Microsoft system executables cannot be modified in Win ME and W2K and above because of Windows File Protection (called System File Protection in Win ME).

File

Autoexec.bat

Loads real-mode programs prior to Windows loading

Works with DOS, Win 3.x, and Win 9x. Replaced by Autoexec.nt in NT and later, and even then only gets called when a DOS session is started. Stored in root directory.

Not commonly used by malware today.

If used by malware, the malware often inserted dozens of blank lines at the end of the file and pushed the malicious commands below the normal viewing area of the file to fool inspectors.

Win 9x looks for Autoexec when it starts, not necessarily Autoexec.bat; so an Autoexec.com or C:\Autoexec.exe could be run instead.

Other variations relevant to Win 9x are C:\*.DOS, C:\*.WOS, C:\*.W40, and C:\*.APP files.

File

Autoexec.nt

File allows real-mode programs to be associated with specific 16-bit or 32-bit command shell sessions.

Works with NT family.

Stored in %windir%\system32.

Not common with malware.

File

AUTORUN.INF

Autorun file; runs commands or programs referenced by open= or shellexecute= after inserting (or choosing to Autoplay) media storage (e.g., CD-ROM discs).

Works with Win 9x and later, and can work with any type of media. By default, it doesn't work with most USB memory keys.

Media that works with the Autorun.inf file can be modified using registry edits and third-party apps (such as TweakUI).

Not widely exploited by malware, but the potential exists. By default, hard-drive volumes are enabled for Autorun.inf processing.

File

Batch or Command files

Will run listed programs or commands

Batch file viruses will search for these types of files to infect.

Although not rare, most malware programs do not use this vector anymore. Windows fails to verify file content when opening a .BAT, .CMD, or .PIF file, so if a raw-code .EXE is renamed as any of these, it will still run as raw code. This is not the case with .LNK files, which are a threat only in that a shortcut can be used to execute other files or load web sites.

File

Boot.ini

File used by NT OS family to determine which OS to load and where OS is located on disk

So far, not successfully manipulated by malware, but is sometimes the target of payload damage attacks.

File

Bootsect.dos

DOS boot sector on NT systems that dual boot with earlier versions of Windows or DOS

Could be infected by viruses in early versions of Windows and DOS.

Pointed to by Boot.ini file in dual-boot scenarios in NT and later.

In reality, any type of code can be referenced to run in the Boot.ini file (e.g., Recovery Console).

Not widely exploited by malware.

File

Command.com

Default DOS shell in Windows 9x and earlier

Could be infected by viruses in early versions of Windows and DOS. Not possible in Win ME and W2K and later because of Windows File Protection.

File

Config.nt

File allows real-mode programs or drivers to be associated with specific 16-bit or 32-bit command shell sessions

Works with NT family.

Stored in %windir%\system32.

Not common with malware.

File

Config.sys

Loads real-mode programs or drivers prior to Windows load

Works with DOS, Win 3.x, and Win 9x. Replaced by Config.nt file in newer OSs.

Stored in root directory.

Not commonly used by malware today. If used by malware, the malware often inserted dozens of blank lines at the end of the file and pushed the malicious commands below the normal viewing area of the file to fool inspectors.

File

Desktop.ini

Used to customize folder behavior. It is meant to allow users to customize folder appearance and behavior, but can be used to hide files and auto-launch programs when the folder containing it is viewed.

Several worms (ex. WuKill, Rusty, Opposum, and Expobot) use Desktop.ini to launch their malicious executables when a related folder is viewed.

Can be used to hide files and auto-launch programs.

Desktop.ini is usually marked hidden. Folder.htt is used instead of desktop.ini when desktop is in "Web view".

MSDN link:

http://msdn.microsoft.com/library/default.asp?url=/library/enus/shellcc/platform/Shell/programmersguide/shell_basics/shell_basics_extending/custom.asp

File

DOSSTART.BAT

Would load listed real-mode programs when starting a command prompt session or when booting to a command prompt session during Safe mode

Works with Windows 3.x and Win 9x family.

Located in %Windir%.

Superseded by registry key.

File

HOSTS

Used to place static DNS resolution entries

Works with Win 9x and later.

Located in %windir%\System32\drivers\etc in NT and later.

Malware or adware will often modify this file to redirect a user or program to a bogus location when the associated DNS entry is queried.

File

IERESET.INF

Used as the "initial" values when Internet Explorer is reset. Can be manipulated to place malicious entries.

Not used in the wild, yet.

Proposed by Andrew Aronoff of SilentRunners.org.

Default security is Read & Execute by normal users; requires Admin rights to modify.

File

LMHOSTS

Used to place static NetBIOS resolution entries

Works with Win 9x and later.

Not commonly used by malware, but could be modified to do bogus NetBIOS name resolution redirection.

Located in %windir%\System32\drivers\etc in NT and later.

File

Msdos.sys, Io.sys

Default boot files in earlier versions of Windows and DOS

Could be infected by viruses in Windows 3.x and DOS.

In Win 9x, Msdos.sys is used as an editable configuration file, not as a system file.

In Win 9x, the original Io.sys and Msdos.sys files are renamed Io.dos and Msdos.dos. If you boot to DOS with Win 9x, the files are renamed Winboot.sys and Msdos.w40. Could end in other extensions, including .Wos and .App.

In Win 9x, if Winboot.ini exists (it is normally deleted by the OS after a completed setup), then it can override the use of Msdos.sys.

Not used in NT, 2000, and later, but may be present because of upgrades or dual booting situations.

Not very dangerous these days. For Win 9x, also C:\*.DOS and C:\*.W40, which are toggled into active status via the F8 boot menu's "Previous MSDOS" option. If a C:\WINBOOT.SYS exists, it is automatically copied over C:\IO.SYS when Win 9x boots; as far as I know, this hasn't been used by malware, much to everyone's relief. If a C:\WINBOOT.INI exists when Win 9x boots, then it is processed instead of C:\MSDOS.SYS.

File

Normal.dot or any .dot file

Microsoft Word document template

Used by macro viruses.

Not commonly manipulated anymore because default MS-Office macro security has minimized the success of macro viruses.

File

Ntldr

NT family OS boot code loader

So far, not successfully manipulated by malware, but is sometimes the target of payload damage attacks.

Protected by Windows File Protection.

File

OLE2 document trick

OLE2-formatted documents can be executed no matter what their file extension

Many applications, especially Microsoft applications, use the OLE2 file format, including Microsoft Office applications, MSHTA, SHS, and SHB files.

Files with an OLE2 format will be run by the related application (as indicated by the OLE2 file's embedded OLE2 Root Entry CLSID value) regardless of the file name or extension. Thus, harmless.txt could really be a macro virus or hta malware script.

The OLE2 file format is also known as Compound Document file format.

OLE2 documents are essentially their own little file systems ("file system within a file"), resembling something like a FAT disk subsystem with its own root entries and subsections and files. The OLE2 trick is used in the wild by spammers, etc.

The Root Entry CLSID can be found in OLE2 files following the string label "Root Entry", which is stored as UTF-16 and therefore appears in a hex viewer as R.o.o.t. .E.n.t.r.y. (a null byte after each character).

File

Rasphone.pbk

Can be used to modify dial-up network settings, including which DNS servers (IpDnsAddress and IpDns2Address) the dial-up connection uses, and to place unauthorized long-distance calls.

Located in %UserProfile%\Application Data\Microsoft\Network\Connections\Pbk folder.

Don't forget to look in AllUsers profile.

Trojans and malicious "Dialer" programs frequently manipulate this phonebook file, including Flush.D trojan and HotPleasure Dialer.

Can be present with Windows 9x and above PCs.

The file is not present (nor a threat) unless you use Dial-up Networking.

File

SYSTEM.INI [boot] scrnsaver=

If referenced by 16-bit Windows applications, will load the screensaver listed

Works with Windows 3.x and Win 9x family.

Located in %Windir%.

Screensaver files usually end with .SCR, .EXE, or .DLL extensions.

Common malware vector in the Win 9x days.

Replaced by registry entry in the NT family.

File

SYSTEM.INI [boot] shell=

If referenced by 16-bit Windows applications, will load command shell listed (e.g. explorer.exe).

Works with Windows 3.x and later. Located in %Windir%.

Only referenced by 16-bit Windows programs.

Superseded by registry entries in NT and later.

File

WIN.INI [windows] load=, run=

If referenced by 16-bit Windows applications, will execute programs listed. Run= loads programs in maximized state, load= runs programs in minimized state

Works with Windows 3.x and later. Located in %Windir%.

Only referenced by 16-bit Windows programs.

Superseded by registry entries in NT and later.

File

Wininit.ini

Contains pending file operations (e.g., rename, copy, etc.) to be executed on the next reboot of Windows

Works with Win 9x and NT, but not in W2K or later.

Located in %windir%.

Replaced by a registry key in later versions of Windows.

For more information, see http://support.microsoft.com/kb/140570.

File

Winsock.dll or Winsock2 service provider dlls

Used by Windows for network communications

Often used by trojans for their dirty work.

Usually located in C:\%Windir%\System32 and protected by Windows File Protection in Win ME and W2K and later. Trojan versions may be located elsewhere (e.g., %Windir%\System or %Windir% folder).

Trojan Winsock service providers can be added to Windows and can manipulate any network communications.

Can be removed by Winsock service provider cleaners, such as Lsp-fix.

File

WINSTART.BAT

Would load listed real-mode programs prior to Windows loading or when user exited command prompt session.

Works with Windows 3.x and Win 9x family.

Located in %Windir%.

Superseded by registry key.

Folder

%Windir%\Favorites\*.url

%UserProfile%\Favorites\*.url

%Windir%\Favorites\Links\*.url

%UserProfile%\Favorites\Links\*.url

Lists Favorites in Internet Explorer

Often manipulated by adware, but has also been manipulated by malware

Folder

%Windir%\Start Menu\Programs\Startup

%Windir%\All Users\Start Menu\Programs\Startup

%USERPROFILE%\Start Menu\Programs\Startup

%ALLUSERSPROFILE%\Start Menu\Programs\Startup

Default Startup folders; any program or command listed in one of these folders will be automatically executed when the user logs on

Works with Win 3.x and later, depending on default location for the particular version of Windows.

Default is C:\Documents and Settings\%userprofile%\Start Menu\Programs\Startup in Windows 2000 and later.

Default is C:\%windir%\%userprofile%\Start Menu\Programs\Startup in NT.

Default is %windir%\Start Menu\Programs\Startup in Win 9x family. The Startup folder location is determined by the registry key HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders.

Folder

Recycler

Recycle Bin's temporary storage location for deleted files and folders

Often used by malware to store malicious code.

Earlier versions of antivirus scanners would often skip the Recycle Bin storage area, so malware stored there escaped detection.

Folder

System, System32, and %Windir% folders

Malware often writes itself to Windows system directories

Non-admins usually do not have permissions to write to System folders. In Win ME and W2K and later, because of Windows File Protection, legitimate system files cannot be overwritten, deleted, renamed, or modified, but new files can be written if the program has Write access. By default, most users have Read & Execute permissions to System folders.

Folder

Tasks

Lists Task Scheduler Tasks

Works with Win 3.x and later. Located in %Windir%.

Folder

Temporary Internet Files

Malicious files are often stored/hidden in Internet Explorer's Temporary Internet Files (TIF) folder.

In 2000 and later, TIF is C:\Documents and Settings\<logonname>\Local Settings\Temporary Internet Files. The location can be changed in Internet Explorer. If malware exploits the System account (e.g., using a buffer overflow) and uses IE or Wininet APIs, the TIF location will be under the Default User or Network Service profile directories (which are hidden by default).

Some web browsers will have their own web caches that may hold the "as-arrived" form of malware dropped by web sites, as well as potentially exploitable application startup axes and/or settings locations.

Other

ActiveX Control

Installed ActiveX Control

If already installed, may be able to re-install other malware/spyware automatically even after removal. May need to set Kill Bit to defeat.

Other

Executable pathway

The PATH statement determines which paths OS should try if the file is not found in the default directory it was called from (i.e., Frog.exe vs. C:\Program Files\Frog.exe)

Was a bigger problem in the latter days of DOS (.bat, .com, .exe).

Some malware programs (ex. Spawner or twin viruses) rely on defects in the way Windows executes files when only the relative file name or path is given (ex. Frog.exe vs. C:\Program Files\Frog.exe).

The PATH statement can be set by the DOS PATH command (located under Environment variables in NT family) or by the registry key.

In Win 9x and earlier, autoexec.bat file could be modified to change the PATH statement.

Can still be a problem today.

For example, some malware places itself in default application directories, which the application executes instead of the legitimate program executable. One trojan placed its malicious code in the user's My Documents folder.

Because the malware was named after a legitimate MS-Word executable, MS-Word would always load it first instead of the legitimate version located under Program Files. More detail on path-spoofing: Set statements in Config.sys can define the PATH too, as can DOSStart.bat and DOS mode .pif for Win95 and Win98. Additional extensions may be set up as "executable" via file associations, and precedence over-ride set by PathExt environment variable and registry setting in NT.

Registry AppPaths, and possibly other locations where code overrides can be effected, may offer opportunities to spoof "companion" code into place. FaberToys (www.faberbox.com) is a free tool that includes program aliases as one of the integrations it lists.

Any executable can be run as an associated "batch file" via a .PIF.

Other

Hidden files

Hidden (or system) files/folders will not appear to casual searches.

Dir *.* /ah /s will search and reveal all hidden files.

Many legitimate files are marked as hidden or system. Be mostly concerned with hidden executables, scripts, or batch files in the root, %Windir%, or System32.

You can use Windows Explorer or Attrib.exe to unhide files.

Other

System Restore

XP/ME Restore feature may inadvertently restore malware located in older restore copies.

Most antivirus and malware-removal programs suggest turning off this feature prior to any active cleanup. Enabled by default, and usually a good thing to have running unless you need the storage or CPU resources.

Can be enabled or disabled manually, by regedit, or by GPOs. Note that WinME's Wininit.exe has inherent SR functionality that will populate the SR subtree even when SR has been disabled.

Other

Task Scheduler

Will run listed programs and commands

Sometimes used by malware to reload malware at a predetermined time interval or to gain initial access.

Some scheduled tasks are run in the System context, allowing privilege escalation attacks.

Other

Trusted Publisher

Vendors listed here can execute programs without prompting for end user approval.

Be very cautious about which vendors are listed here, as it allows them to execute any program without approval from the end user.

Other

Unusual folder/file names

Hackers and malware often use unusual names to hide malicious files and folders.

Some tricks fool Windows-GUI, some command prompt, some both.

Be wary of soundalikes (svchosts.exe, win.exe, win32.exe, service.exe, users32.dll, etc.).

Be wary of legitimate file names located in the wrong directory (e.g., svchost.exe located in %windir% instead of System32).

Overly long file names that make the file name appear to be blank or push the file name or extension offscreen. Files with multiple extensions (e.g., malware.txt.ext).

Files with incorrect extensions can still be executed at the command prompt. Files with nonstandard character sets (http://weblogs.asp.net/robert_hensing/archive/2005/01/10/350359.aspx).

Isoglyph "puns," e.g., reversed-case EXPiORER.EXE, Unicode tricks. Files with incorrect extensions (i.e., a readme.txt that is really a .dll file or vice-versa).

In Windows 2000 and NT, ADS code is shown in Task Manager with the parent file's name instead, and may spoof past a firewall's per-application monitoring. Various registry settings will cause code in an incorrectly extensioned file to be run as raw code, even when the Windows generic "open" action would have excluded it.

Registry content that is "too long" will not be shown via Regedit.exe but will run anyway; LVNSearch (http://isc.sans.org/LVNSearch.exe) is a free tool that seeks such exploits.

Files with invalid dates (i.e., before 1/1/1980 or well into the future).

Windows Search GUI's date filter will not find files with dates before 1/1/1980.

Other

URL Monikers

URL Monikers can be added to Internet Explorer to load associated programs when a particular keyword is typed.

Internet Explorer can be modified to allow keywords typed in the URL to launch associated programs.

Also known as URL handlers.

For more information, see http://msdn.microsoft.com/library/default.asp?url=/workshop/networking/moniker/monikers.asp

Maliciously coded web sites or HTML e-mails can launch and maliciously manipulate local programs using URL monikers.

For example, AOL's Instant Messenger program, AIM, installs a URL handler called AIM://. It has been used to load buffer overflows known to be successful with particular programs.

The associated program need only be installed, not even used, to be launched.

HKCR\<urlhandler>\shell\open\command is the registry location for URL handlers.

Registry

HKCR\<fileext> NeverShowExt

Real file extensions can be hidden.

Although most users know that Windows allows registered file extensions to be hidden (the default), most users don't know about the "super hidden" extension attribute, which allows selected files (dozens of file types, including SHS, SHB, SHC, LNK, PIF, XNK, and several shortcut and CLSID files) to hide their extensions even if you told Windows not to hide file extensions.

The super hidden file attribute can be enabled by creating a NeverShowExt registry entry under HKCR\<fileext>. To disable it, search for and delete any occurrence of the NeverShowExt value under HKCR. Note that NeverShowExt also overrides Explorer's option to "Show file name extensions for registered file types."

Registry

HKCU\Control Panel\Desktop Scrnsave.exe=

Will load listed programs or commands when the screensaver is configured.

Not commonly used by malware. Used by Petch trojan (http://securityresponse.symantec.com/avcenter/venc/data/w32.petch.b.html). Screensaver is significant in that it is applied in Safe mode, even Safe Mode Command Prompt Only. This could allow malware to activate during long unattended scanning procedures, although this particular trick appears yet to be exploited by malware.

Registry

HKCU\Software\Microsoft\Internet Explorer\Main\Start Page

HKCU\Software\Microsoft\Internet Explorer\Main\Search Page

HKCU\Software\Microsoft\Internet Explorer\Main\Search Bar

Configures Internet Explorer's Startup page or search bars.

Commonly manipulated by adware and spyware

Registry

HKCU\Software\Microsoft\Internet Explorer\SearchURL

Redirects any URLs typed in Internet Explorer to the defined URL.

Commonly manipulated by adware and spyware

Registry

HKCU or HKLM \Software\Internet Explorer\Explorer Bars

Malicious adware/spyware could create new menu bars in Internet Explorer.

Allows new entries to be made to standard menu bars.

Available in IE 4.x and later.

Commonly manipulated by adware and spyware.

Menu bar will be a CLSID subkey listed under Explorer Bars.

Used by Hotbar adware (http://securityresponse.symantec.com/avcenter/venc/data/adware.hotbar.html)

Registry

HKLM\Software\Classes\CLSID\{CLSID}\Implemented Categories\{}: the category CLSID ending in 93 defines a vertical Explorer bar

HKLM\Software\Classes\CLSID\{CLSID}\Implemented Categories\{}: the category CLSID ending in 94 defines a horizontal Explorer bar

Commonly manipulated by adware and spyware

Registry

HKCU\ or HKLM\Software\Internet Explorer\Extensions

Adware/spyware can add buttons to IE that connect directly to malicious programs and scripts.

Available in IE 5.x and later.

http://msdn.microsoft.com/library/default.asp?url=/workshop/browser/ext/overview/overview.asp

Commonly manipulated by adware and spyware, including Adblock.

Registry

HKCU\Software\Microsoft\OLE

Used to register Windows OLE programs

Available with Win 3.x and later.

Not a common malware vector.

Used by Bropia trojan (www.sarc.com/avcenter/venc/data/w32.bropia.j.html).

Registry

HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\load

Runs commands or programs after the user logs on

Works with all versions of Windows NT and later.

Replaces Win 9x's Win.ini Load= functionality.

Executes programs in minimized state.

Registry

HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\run

Runs commands or programs after the user logs on

Works with all versions of Windows NT and later.

Replaces Win 9x's Win.ini Run= functionality.

Executes programs in maximized state.

Registry

HKCU or HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell

HKCU or HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\Shell

Runs commands or programs after the user logs on

Works with all versions of Windows NT and later.

Replaces Win 9x's System.ini Shell= functionality.

Should only have "Explorer.exe" as a data value, if any value is displayed. Should not include a directory path. Some malware points to a bogus Explorer.exe (not located in %Windir%). Should not have additional programs before or after Explorer.exe unless a program is known to be legitimate.

Registry

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\System

Runs programs after the user logs on

Key is present by default, but assigned no value.

Registry

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Taskman

Runs programs in Task Manager after the user logs on

Key not present by default

Registry

HKCU or HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run

Runs programs after the user logs on, when the Windows default shell (explorer.exe) runs for the first time during every logon

Works with W2K and later.

Not unusual to find legitimate programs, such as Microsoft's ctfmon.exe, listed here.

Does not require reboot.

Does not execute commands if explorer.exe is executed manually.

W2K will run any subkey with any program listed under this key.

Discovered by Andrew Aronoff of SilentRunners.org.

Registry

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\Shell

Runs programs or commands after the user logs on, but before the desktop is displayed

Works with W2K and later.

Shell subkey may not exist by default. Does not require reboot after modification.

If malware creates the Shell key, and does not launch the Windows shell too, the desktop will not be visible.

You can still use Task Manager to run commands, including regedit.exe.

A similar System key exists under HKLM\; but the Shell subkey does not get executed.

Registry

HKCU or HKLM\Software\Microsoft\Windows\CurrentVersion\Run

Runs programs or commands after the user logs on

Works with all versions of Windows 9x and later.

Not run in Safe mode unless the value is prefixed by an * (asterisk).

Often contains many legitimate programs.

The most popular registry auto-run key for malware, by a huge percentage.

W2K will run any subkey with any program listed under this key.

Discovered by Andrew Aronoff of SilentRunners.org.

Non-admin users cannot modify HKLM version.

The Run key also appears in the HKU\.Default registry profile area, but does not copy over to new profiles. Cannot be disabled by holding down the Shift or Alt keys, as is sometimes reported.

Registry

HKCU or HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce

Runs programs or commands after the user logs on for the first time only after the key is created.

Works with all versions of Windows 9x and later.

HKLM\RunOnce runs its entries synchronously: all other keys and processing must wait for this key to process and clear before they can load (the order in which its own entries start is not defined). All other Run keys run their entries asynchronously, which means the programs can load on top of each other.

The HKCU version will run once for any user whose profile contains the key.

HKLM version will only run the value for users with admin permissions to key. Regular users will not run the value, although they can read it.

The RunOnce key also appears in the HKU\.Default registry profile area, but does not copy over to new profiles. Non-admin users cannot modify the HKLM version.

Not run if in Safe mode in W2K and later unless the value name begins with an asterisk.

If an exclamation point begins the key value, then the key will not be deleted until successful completion of the program or command.

Holding down the Shift key does not prevent execution.

W2K will run any subkey with any program listed under this key. Discovered by Andrew Aronoff of SilentRunners.org.

Registry

HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce\Setup

Runs programs or commands after Setup's first-boot activities or can be launched by the Add/Remove wizard when the user logs on for the first time. (Can be stored as part of the Default Users profile.)

Works in all versions of Windows. Not run if in Safe mode.

Holding down the Shift key does not prevent execution.

If an exclamation point begins the key value, then the key will not be deleted until successful completion of the program or command.

Registry

HKCU or HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad

Runs commands or programs after the user logs on, although typically points to the CLSID of the associated .DLL file. Links programs to explorer.exe process.

Legitimate programs often located here, including Microsoft's webcheck.exe and systray.exe.

HKCU is more popular than HKLM. Data value is CLSID of associated program as registered in HKCR\. Download.Ject trojan, Spyware Eblaster (http://securityresponse.symantec.com/avcenter/venc/data/spyware.eblaster.html) and the Webber trojan (www.sophos.com/virusinfo/analyses/trojwebbera.html) use this key.

Registry

HKCU or HKLM\Software\Policies\Microsoft\Windows\System\Scripts

Runs scripts on computer startup/shutdown or user logon/logoff

Works with Windows 2000 and later.

Scripts may be passed down by group policies and located in different registry keys.

Not a common location for malware.

Registry

HKLM\Software\Classes\<filetype>\shell\open\command

HKCR\<filetype>\shell\open\command

Examples:

HKLM\Software\Classes\batfile\shell\open\command

HKLM\Software\Classes\comfile\shell\open\command

HKLM\Software\Classes\exefile\shell\open\command

HKLM\Software\Classes\htafile\shell\open\command

HKLM\Software\Classes\piffile\shell\open\command

HKLM\Software\Classes\ShellScrap\shell\open\command

Can be modified to run additional commands or programs when a particular file type is executed

Works on Windows 9x and later.

HKLM\Software\Classes\<filetype> and HKCR\<filetype> are aliases of each other. If you change the value in one, you change it in the other.

Most common malware modifications listed, although any file type can be modified.

The most common modification is to the exefile type, whose value should always be "%1" %*. The PrettyPark worm (http://securityresponse.symantec.com/avcenter/venc/data/prettypark.worm.html) changed it to FILES32.VXD "%1" %*

so that whenever an .exe file was launched, the shell ran the worm's Files32.vxd first, with the original program and its arguments passed on the command line.

If the data value is deleted outright instead of being replaced, .exe files stop launching at all. Since Windows 2000, HKCR is no longer a plain alias of HKLM\Software\Classes but a merged view in which the per-user classes under HKCU\Software\Classes overlay the machine classes, so file associations can be hijacked per account, including the Administrator's. The hijack can be made at two levels: at the link between the extension and the file type (e.g., pointing .EXE at something other than exefile) or by altering the actions defined within the file type. Some shell contexts invoke the verb named "open", others whichever verb the type declares as its default, so both need checking.

More elaborate file-association intrusions can be crafted via CLSIDs; in addition, other shell extensions can be added that kick in as part of the namespace (left pane in Explorer) or as "persistent handlers" when the contents of folders are listed (right pane in Explorer).
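The two attack levels described above can be checked together. The following PowerShell script is an added example, not code from the book: it audits the extension-to-type link (.exe to exefile, and so on) and the open verb's command for the executable types listed above, in the machine classes and in the per-user overlay. It assumes the stock command "%1" %* for all five types, which is what Windows ships; it is read-only.

```powershell
# Added example (not from the book): audit the "open" verb of the executable
# file types at both levels described in the text -- the extension-to-type link
# (HKCR\.exe -> exefile) and the verb command itself -- in the machine classes
# and in the per-user overlay (HKCU\Software\Classes). Read-only.
# Assumption: the stock value for all five types is "%1" %*.

$expected = '"%1" %*'
$links = [ordered]@{ '.exe' = 'exefile'; '.com' = 'comfile'; '.bat' = 'batfile'; '.cmd' = 'cmdfile'; '.pif' = 'piffile' }
$roots  = 'HKLM:\Software\Classes', 'HKCU:\Software\Classes'
$findings = 0

foreach ($root in $roots) {
    foreach ($ext in $links.Keys) {
        # level 1: which file type does the extension resolve to?
        $extKey = Join-Path $root $ext
        if (Test-Path -Path $extKey) {
            $progId = (Get-ItemProperty -Path $extKey).'(default)'
            if ($progId -and $progId -ne $links[$ext]) {
                Write-Warning "$extKey -> [$progId], expected [$($links[$ext])]"
                $findings++
            }
        }
        # level 2: what does the file type's open verb actually run?
        $cmdKey = Join-Path $root "$($links[$ext])\shell\open\command"
        if (-not (Test-Path -Path $cmdKey)) { continue }   # HKCU normally has no such entry
        $cmd = (Get-ItemProperty -Path $cmdKey).'(default)'
        if ($cmd -ne $expected) {
            # anything else runs before (or instead of) the program the user opened
            Write-Warning "$cmdKey = [$cmd], expected [$expected]"
            $findings++
        }
    }
}
"$findings deviation(s) found"
```

Because the per-user overlay wins over the machine classes, an entry that exists only under HKCU\Software\Classes is itself a finding: a clean profile has none for these types.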

Registry

HKCU or HKLM\Software\Microsoft\Active Setup\Installed Components\<program's name or CLSID>

Loads programs on PC startup

Works with Windows 98 and later.

Look for the StubPath value; it holds the command that runs.

Contains many/mostly legitimate programs.

Common method used by malware; for example, the Prorat trojan (www.sophos.com/virusinfo/analyses/trojproratd.html).

HKCU doesn't usually launch anything. At logon the Version value of each HKLM component is compared with the Version value of the same component under HKCU. If the HKCU key is missing or its version is lower, the StubPath executable is launched and the HKCU Version value is updated. At the next logon the executable doesn't launch again unless the HKCU Version value is deleted or the HKLM value is incremented. An IsInstalled value of 0 under the HKLM component disables it. (Thanks to Andrew Aronoff of SilentRunners.org)

Difficult to discern what is legitimate vs. malicious in this key.
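Because the version comparison decides what actually runs, the useful question is not "what is listed?" but "what will run at the next logon?". The following PowerShell script is an added example, not code from the book: it applies the HKLM-versus-HKCU comparison described above to every component with a StubPath. The version parsing (comma- or dot-separated numeric fields, missing fields treated as 0) is this script's own assumption; it is read-only.

```powershell
# Added example (not from the book): list the Active Setup components whose
# StubPath will run at this user's next logon, by applying the HKLM-vs-HKCU
# Version comparison described in the text. Assumption: Version strings are
# comma- or dot-separated numbers (e.g. "11,0,9600,16428"); missing fields = 0.
# Read-only.

$hklm = 'HKLM:\Software\Microsoft\Active Setup\Installed Components'
$hkcu = 'HKCU:\Software\Microsoft\Active Setup\Installed Components'

function ConvertTo-VersionFields([string]$v) {
    if (-not $v) { return ,@(0) }
    return ,@($v -split '[,.]' | ForEach-Object { $n = 0; [void][int]::TryParse($_, [ref]$n); $n })
}

function Test-MachineVersionNewer([string]$machine, [string]$user) {
    # $true when the HKLM version is strictly greater than the HKCU version
    $m = ConvertTo-VersionFields $machine
    $u = ConvertTo-VersionFields $user
    for ($i = 0; $i -lt [Math]::Max($m.Count, $u.Count); $i++) {
        $a = if ($i -lt $m.Count) { $m[$i] } else { 0 }
        $b = if ($i -lt $u.Count) { $u[$i] } else { 0 }
        if ($a -ne $b) { return ($a -gt $b) }
    }
    return $false        # equal: nothing runs
}

foreach ($sub in Get-ChildItem -Path $hklm) {
    $m = Get-ItemProperty -Path $sub.PSPath
    if (-not $m.StubPath) { continue }          # nothing to execute
    if ($m.IsInstalled -eq 0) { continue }      # component explicitly disabled
    $userKey = Join-Path $hkcu $sub.PSChildName
    $u = if (Test-Path -Path $userKey) { Get-ItemProperty -Path $userKey } else { $null }
    # no HKCU record at all, or an older one, means the StubPath runs at next logon
    $runs = (-not $u) -or (Test-MachineVersionNewer $m.Version $u.Version)
    if ($runs) {
        [pscustomobject]@{
            Component   = $sub.PSChildName
            Description = $m.'(default)'
            MachineVer  = $m.Version
            UserVer     = if ($u) { $u.Version } else { '<none>' }
            StubPath    = $m.StubPath
        }
    }
}
```

On a profile that has logged on before, the list should be empty or contain only components Windows Update or a recent install has bumped; a StubPath pointing outside %SystemRoot% or Program Files is the entry to examine. On 64-bit Windows the same logic applies to the Wow6432Node copy of the key, which this example does not walk.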

Registry

HKCU or HKLM\Software\Microsoft\Command Processor\Autorun

Runs program or command when: Cmd.exe is executed, Windows is started in Safe mode with Command Prompt, or when a batch file (.bat) or command (.cmd) is executed.

Works with NT and later.

Replaces previous functionality of Dosstart.bat.

Does not run when Command.com is executed.

Can be disabled for a manually started command prompt by running cmd.exe /d. Modification of this key does not require a reboot to be effective.

Registry

HKLM\Software\Microsoft\Internet Explorer\Search

HKLM\Software\Microsoft\Internet Explorer\UrlSearchHooks

Determines which code handles searches and address-bar entries that Internet Explorer cannot resolve as URLs

Works with Internet Explorer 5.x and later.

Both keys contain legitimate values, but often commandeered by spyware and adware.

Search subkey contains references to http://ie.search.msn.com by default.

Registry

HKLM\Software\Microsoft\Internet Explorer\Styles

Lists Internet Explorer style sheets

Can be created or manipulated by adware/malware to display malicious web sites or pop-ups.

Registry

HKLM\Software\Microsoft\Internet Explorer\Toolbar

Loads additional toolbars into Internet Explorer or modifies existing ones

Works with all versions of Internet Explorer 5.x and later.

Commonly exploited by adware.

Registry

HKCU\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser

Malicious adware/spyware can create new toolbars in Internet Explorer (WebBrowser) and Windows Explorer (ShellBrowser).

Commonly manipulated by adware and spyware.

Each toolbar appears as a CLSID-named value under these keys; resolve the CLSID under HKCR\CLSID to find the DLL behind it.

Registry

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs

All the DLLs specified in this value are loaded by every Windows application in the current logon session that loads User32.dll (which is nearly every program with a user interface).

Works with Windows NT and later. Not usually populated by legitimate programs, but can be. On Vista and later the value is honored only when LoadAppInit_DLLs (same key) is 1, and on Windows 8 and later it is ignored altogether when Secure Boot is enabled.

Common method used by malware and adware; for example, CoolWebSearch adware (http://securityresponse.symantec.com/avcenter/venc/data/adware.cwsmsconfd.b.html).

Registry

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\GinaDLL

Names the GINA DLL that Winlogon loads to present the logon user interface; the GINA collects the interactive user's credentials and hands them to Winlogon.exe.

Works with Windows NT through XP/2003. Microsoft's default is Msgina.dll (used when the value is absent). Vista and later replaced GINAs with credential providers and ignore this value.

Has been a target of trojan attacks, attempting to capture end-user logon credentials.

pcAnywhere changes the value to Awgina.dll; the Novell logon client replaces it as well.

Registry

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify

Used to run a particular program when a predefined event (e.g., Screensaver stops or starts, user logs on or off) occurs.

Works with NT and later.

Many legitimate programs are stored here.

Not a common malware location, but is used. For example, the Haxdoor.B backdoor/rootkit (http://securityresponse.symantec.com/avcenter/venc/data/backdoor.haxdoor.b.html).

Registry

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit

Specifies the programs that Winlogon runs when a user logs on

By default, Winlogon runs %Windir%\System32\Userinit.exe, which runs logon scripts, reestablishes network connections, and then starts Explorer.exe, the Windows user interface. The default data is the full path to Userinit.exe followed by a comma; malware appends its own program after the comma so that both run.

Not a common malware startup location, but it has been exploited in the wild. For example, the Petch trojan (http://securityresponse.symantec.com/avcenter/venc/data/w32.petch.b.html).
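Several of the rows above (Command Processor\AutoRun, AppInit_DLLs, Winlogon\GinaDLL, Winlogon\Notify and Winlogon\Userinit) come down to one value that should hold a known default or nothing at all. The following PowerShell script is an added example, not code from the book: it reads each of them and reports any deviation from what a clean NT-family install carries. The expected values (empty AutoRun and AppInit_DLLs, absent or msgina.dll GinaDLL, %SystemRoot%\system32\userinit.exe for Userinit, Notify DLLs that exist in System32 and carry a valid signature) are this script's assumptions; a hit is a lead to investigate, not a verdict, since pcAnywhere and the Novell client legitimately replace GinaDLL.

```powershell
# Added example (not from the book): one read-only pass over the single-value
# autostart points above, comparing each with a clean NT-family default.
# Assumptions: AutoRun and AppInit_DLLs empty; GinaDLL absent or msgina.dll;
# Userinit = %SystemRoot%\system32\userinit.exe (trailing comma allowed);
# Winlogon\Notify DLLs present in System32 and Authenticode-signed. Run elevated.

$winlogon = 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
$windows  = 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Windows'
$findings = New-Object System.Collections.Generic.List[string]

function Get-RegValue([string]$key, [string]$name) {
    # $null when the key or the value is absent (no error, no exception)
    if (-not (Test-Path -Path $key)) { return $null }
    $item = Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue
    if ($item) { return $item.$name }
    return $null
}

# AutoRun executes before every cmd.exe (and every .bat/.cmd); absent by default
foreach ($hive in 'HKLM', 'HKCU') {
    $v = Get-RegValue "${hive}:\Software\Microsoft\Command Processor" 'AutoRun'
    if ($v) { $findings.Add("Command Processor\AutoRun ($hive): $v") }
}

# AppInit_DLLs is an empty string on a clean system; each listed DLL is loaded into
# every process that loads user32.dll (on Vista+ only when LoadAppInit_DLLs = 1)
$v = Get-RegValue $windows 'AppInit_DLLs'
if ($v) { $findings.Add("AppInit_DLLs: $v (LoadAppInit_DLLs=$(Get-RegValue $windows 'LoadAppInit_DLLs'))") }

# GinaDLL: absent by default (msgina.dll implied on NT-XP); a replacement sees every password typed
$v = Get-RegValue $winlogon 'GinaDLL'
if ($v -and $v -notmatch '(^|\\)msgina\.dll$') { $findings.Add("GinaDLL: $v") }

# Userinit: the system userinit.exe, conventionally followed by a comma; anything appended runs at logon
$v = Get-RegValue $winlogon 'Userinit'
$expectedUserinit = "$env:SystemRoot\system32\userinit.exe"
if ($v -and ($v.TrimEnd(',') -ine $expectedUserinit)) { $findings.Add("Userinit: $v") }

# Winlogon\Notify: each subkey's DLLName is loaded into winlogon.exe (SYSTEM) on logon/logoff events
$notify = Join-Path $winlogon 'Notify'
if (Test-Path -Path $notify) {
    foreach ($sub in Get-ChildItem -Path $notify) {
        $dll = (Get-ItemProperty -Path $sub.PSPath).DLLName
        if (-not $dll) { continue }
        # bare names are resolved from System32
        $path = if ([IO.Path]::IsPathRooted($dll)) { $dll } else { Join-Path "$env:SystemRoot\System32" $dll }
        if (-not (Test-Path -LiteralPath $path)) {
            $findings.Add("Winlogon\Notify\$($sub.PSChildName): $dll (file not found)")
        } elseif ((Get-AuthenticodeSignature -FilePath $path).Status -ne 'Valid') {
            # Windows' own DLLs are catalog-signed; PowerShell before 5.1 reports those as NotSigned
            $findings.Add("Winlogon\Notify\$($sub.PSChildName): $path (no valid Authenticode signature)")
        }
    }
}

if ($findings.Count) { $findings | ForEach-Object { Write-Warning $_ } } else { 'No deviations from defaults.' }
```

The signature check is the weakest part on old hosts: Windows' own Notify DLLs are catalog-signed and PowerShell releases before 5.1 do not consult catalogs, so on XP-era systems confirm a "no valid signature" result with a catalog-aware tool before treating it as malicious.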

Registry

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects

DLLs (COM objects, listed by CLSID) that are loaded whenever Internet Explorer starts; also known as add-ons.

Works with an OS that can run Internet Explorer 5.x and above.

Commonly exploited key.

Several tools list and/or disable BHOs; Internet Explorer itself can from XP SP2 onward (Manage Add-ons). Note that disabling "third-party browser enhancements" under Tools, Internet Options, Advanced in IE6 does not stop a BHO that has also registered itself for Outlook Express from loading there.

Registry

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler

COM objects (listed by CLSID as value names) that Explorer loads when Windows starts

Works with W2K and later.

Not a common malware location, but is used. For example, Bookmarker trojan (http://securityresponse.symantec.com/avcenter/venc/data/trojan.bookmarker.c.html)

Registry

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders (value Common Startup; the per-user equivalents under HKCU hold the value Startup)

Determine the location of the Startup folders (i.e., Startup programs) and other common folders (e.g., My Documents, Favorites); the HKLM keys cover the All Users profile, the HKCU keys the current user.

Works with Windows 9x and later. Used by malware to relocate the Startup folder. Malware placed in the newly designated folder is executed when the user logs on, but it is not listed when the user inspects the usual Startup folder. Malware that modifies these keys often also launches the programs found in the default Startup folder so that nothing appears to be missing.
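The relocation trick is easy to catch once you compare the configured folder with the conventional one and look inside the configured folder rather than the familiar one. The following PowerShell script is an added example, not code from the book: it does that for the per-user Startup value and the all-users Common Startup value. The expected locations (XP-era %USERPROFILE%\Start Menu\... and %ALLUSERSPROFILE%\Start Menu\...; Vista-and-later %APPDATA%\Microsoft\Windows\... and %ProgramData%\Microsoft\Windows\...) are this script's assumptions and presume no folder redirection policy; it is read-only.

```powershell
# Added example (not from the book): detect a relocated Startup folder by
# comparing the User Shell Folders values with the conventional locations for
# the running OS, checking the Shell Folders cache for agreement, and listing
# what sits in the folder Explorer will actually use. Read-only.
# Assumption: stock XP / Vista+ profile layout, no folder-redirection policy.

$explorer = 'Software\Microsoft\Windows\CurrentVersion\Explorer'
if ([Environment]::OSVersion.Version.Major -ge 6) {
    $userDefault   = "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup"
    $commonDefault = "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\Startup"
} else {
    $userDefault   = "$env:USERPROFILE\Start Menu\Programs\Startup"
    $commonDefault = "$env:ALLUSERSPROFILE\Start Menu\Programs\Startup"
}
$checks = @(
    @{ Hive = 'HKCU'; Name = 'Startup';        Expected = $userDefault },
    @{ Hive = 'HKLM'; Name = 'Common Startup'; Expected = $commonDefault }
)

foreach ($c in $checks) {
    # User Shell Folders is authoritative (REG_EXPAND_SZ); Shell Folders is the cached, expanded copy
    $usf = (Get-ItemProperty -Path "$($c.Hive):\$explorer\User Shell Folders" -Name $c.Name -ErrorAction SilentlyContinue).($c.Name)
    $sf  = (Get-ItemProperty -Path "$($c.Hive):\$explorer\Shell Folders"      -Name $c.Name -ErrorAction SilentlyContinue).($c.Name)
    if (-not $usf) { Write-Warning "$($c.Hive) User Shell Folders\$($c.Name) is missing"; continue }
    $actual = [Environment]::ExpandEnvironmentVariables($usf)   # in case it was written as REG_SZ with %VAR% inside
    $state = if ($actual -ieq $c.Expected) { 'default' } else { 'REDIRECTED' }
    "{0,-14} {1,-10} {2}" -f $c.Name, $state, $actual
    if ($sf -and ($sf -ine $actual)) { Write-Warning "    Shell Folders cache disagrees: $sf" }
    if (Test-Path -LiteralPath $actual) {
        Get-ChildItem -LiteralPath $actual -Force | Where-Object { $_.Name -ne 'desktop.ini' } |
            ForEach-Object { "    {0:yyyy-MM-dd HH:mm}  {1}" -f $_.LastWriteTime, $_.Name }
    } else {
        Write-Warning "    configured folder does not exist"
    }
}
```

A REDIRECTED result with a populated folder is the case the text describes; a REDIRECTED result with an empty or missing folder still deserves a look, because the attacker may have staged the folder for later or the value may have been left behind by removed software.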

Registry

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks

Contains the list of the COM objects, listed by CLSID, that intercept every ShellExecute call (i.e., every program, document, or URL the shell launches)

The default entry resolves to %Windir%\System32\Shell32.dll (the shell's own URL exec hook); treat anything else listed here as suspicious.

Registry

HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

Runs programs or commands after the user logs on, in a controlled order. Runs listed value each time any user logs on until a user with admin permissions to the registry key logs on, then it deletes the value after running.

Works with all versions of Windows 9x and later.

Not run in Safe mode unless the value is prefixed by an * (asterisk).

Only runs values under subkeys (does not run values placed directly under key)

Non-admin users cannot normally modify.

For more information, see http://support.microsoft.com/?kbid=232509&sd=RMVP.

Registry

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

Runs service after boot up prior to the user logging on.

Works only in the Win 9x family. There is also a HKCU version of the same key, but it doesn't appear to be used or able to launch anything.

Registry

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

Runs service once after boot up prior to the user logging on, and then deletes itself.

Works only in the Win 9x family.

If the value is preceded by an exclamation point, deletion will not occur unless the command is successfully completed.

There is also a HKCU version of the same key, but it doesn't appear to be used or able to launch anything.

Registry

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved

Lists the shell extensions (by CLSID) that Explorer is allowed to load

Works with Windows 9x and later.

Usually contains dozens of legitimate programs.

Most programs listed will be located in %Windir%\System32 or C:\Program Files.

Difficult to tell what is and isn't malicious.

Registry

HKLM\System\CurrentControlSet\Control\MPRServices

Can be used to launch programs during predefined events

Used by the Win 9x family.

Similar to the HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify registry key used by NT and later systems.

Used by Haxdoor.B backdoor trojan (http://securityresponse.symantec.com/avcenter/venc/data/backdoor.haxdoor.b.html).

Registry

HKLM\System\CurrentControlSet\Control\SafeBoot

Used by Windows to determine what programs, services, and drivers are loaded in a Safe mode boot

Although not common, can be manipulated by malware to either prevent Safe mode from being run (i.e., values are deleted) or to add malware program to a Safe mode boot sequence.

Used by Petch trojan (http://securityresponse.symantec.com/avcenter/venc/data/w32.petch.b.html) to delete all Safe mode listings.

Registry

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options

Causes another program (nominally a debugger) to be started in place of a given executable: Windows launches the program named in the subkey's Debugger value and appends the original command line to it

Each subkey is named for an executable; only subkeys that carry a Debugger value cause this substitution (most entries set other options, such as heap or loader flags).

Normal to have dozens of legitimate entries here.

Used by a few malware programs, including the Zellome worm and StartPage.O trojan.

Thanks to Andrew Aronoff of SilentRunners.org for the hint.
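Since only the Debugger value matters, the dozens of legitimate subkeys can be skipped. The following PowerShell script is an added example, not code from the book: it walks the key (and the 32-bit view on 64-bit Windows) and reports every image that has a Debugger set, the program that will really run, and whether that program can be found. It is read-only.

```powershell
# Added example (not from the book): enumerate Image File Execution Options
# entries that carry a Debugger value -- the value that makes Windows start the
# named program instead of (and with the command line of) the one launched.
# Read-only; also covers the 32-bit view present on 64-bit Windows.

$roots = @('HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options')
$wow = 'HKLM:\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
if (Test-Path -Path $wow) { $roots += $wow }

$report = foreach ($root in $roots) {
    foreach ($sub in Get-ChildItem -Path $root) {
        $dbg = (Get-ItemProperty -Path $sub.PSPath -Name Debugger -ErrorAction SilentlyContinue).Debugger
        if (-not $dbg) { continue }            # most entries only tune heap/loader flags
        # the first token of the Debugger string is the executable that really runs
        $exe = if ($dbg.StartsWith('"')) { $dbg.Split('"')[1] } else { $dbg.Split(' ')[0] }
        $exe = [Environment]::ExpandEnvironmentVariables($exe)
        # Get-Command resolves both full paths and bare names found on PATH
        $resolved = Get-Command -Name $exe -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Image    = $sub.PSChildName
            Debugger = $dbg
            RunsFrom = if ($resolved) { $resolved.Source } else { '<not found>' }
            View     = if ($root -like '*Wow6432Node*') { '32-bit' } else { 'native' }
        }
    }
}
$report | Format-Table -AutoSize -Wrap
```

A clean system normally has no Debugger values at all (developer machines may legitimately carry a few that point at a real debugger), so every row is worth explaining. An entry whose Debugger cannot be found is still a finding: the named image will fail to launch until the value is removed.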

Registry

HKLM\System\CurrentControlSet\Control\Session Manager\BootExecute

Native programs that Session Manager (smss.exe) runs at boot, before the Win32 subsystem starts; the default value is autocheck autochk *

Works with NT and later.

Replaces some of the functionality of Wininit.ini of earlier Windows versions.

Registry

HKLM\System\CurrentControlSet\Control\Session Manager\Environment\Path

Determines what directories to check for commands or programs typed in without a specific PATH statement (i.e., Frog.exe vs. C:\Program Files\Frog.exe)

Some malware programs rely on defects in the way Windows searches for and executes files when only the file name (ex. Frog.exe vs. C:\Program Files\Frog.exe) is given.

The PATH statement can be set by the DOS PATH command (located under Environmental variables in NT family) or by the registry key.

Should contain by default: %SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem; Can contain other legitimate non-default entries (ex. C:\Program Files\Network Associates;)

Not commonly used by malware, but can still be a problem today. For example, some malware places itself in an application's default directory under a name the application looks for, and the application loads it instead of the legitimate file.

One trojan placed its malicious code in the user's My Documents folder. Because the file was named after a legitimate MS-Word component and My Documents was the current directory, MS-Word loaded it first instead of the legitimate copy under Program Files.

Registry

HKLM\System\CurrentControlSet\Control\Session Manager\Environment\PathExt

Determines what file extensions are tried if the program name is typed in without an extension (e.g., Frog vs. Frog.exe)

Some malware programs (e.g., spawner or "twin" companion viruses) rely on the order in which Windows tries extensions when only a bare name (Frog rather than Frog.exe) is given: a Frog.com placed beside Frog.exe runs first.

Not commonly used by malware today.

Should be the following by default: .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH (Vista and later add .MSC)
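The two values above matter because of how a bare name is resolved: each PATH directory is tried in order, and within it each PATHEXT extension in order. A directory that does not exist, is relative, or is writable by ordinary users therefore lets an attacker plant a program that wins that race. The following PowerShell script is an added example, not code from the book: it audits the machine PATH for those three conditions and flags PATHEXT entries beyond the stock list. The list of broad identities (Everyone, Users, Authenticated Users, INTERACTIVE) and the stock PATHEXT are this script's assumptions; it is read-only and needs no elevation.

```powershell
# Added example (not from the book): audit the machine PATH and PATHEXT values.
# Flags PATH directories that are relative, missing, or writable by broad
# groups (the conditions under which a bare name can resolve to a planted
# program first), and PATHEXT entries beyond the stock list. Read-only.
# Assumptions: the broad-identity list below; stock PATHEXT incl. Vista+ .MSC.

$envKey      = 'HKLM:\System\CurrentControlSet\Control\Session Manager\Environment'
$machinePath = (Get-ItemProperty -Path $envKey -Name Path).Path
$pathExt     = (Get-ItemProperty -Path $envKey -Name PATHEXT).PATHEXT

$broad     = 'Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE'
$writeBits = [System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Write, Modify, FullControl'

foreach ($dir in ($machinePath -split ';' | Where-Object { $_ })) {
    $expanded = [Environment]::ExpandEnvironmentVariables($dir)
    $problems = @()
    if (-not [IO.Path]::IsPathRooted($expanded)) { $problems += 'relative path (resolved against the current directory)' }
    if (-not (Test-Path -LiteralPath $expanded)) {
        $problems += 'does not exist (whoever can create it controls what is found here)'
    } else {
        foreach ($ace in (Get-Acl -LiteralPath $expanded).Access) {
            if ($ace.AccessControlType -ne 'Allow' -or $broad -notcontains $ace.IdentityReference.Value) { continue }
            $rights = [int64]$ace.FileSystemRights
            # specific write bits, plus GENERIC_WRITE (0x40000000) and GENERIC_ALL (0x10000000)
            if (($rights -band [int64]$writeBits) -or ($rights -band 0x40000000) -or ($rights -band 0x10000000)) {
                $problems += "writable by $($ace.IdentityReference.Value)"
            }
        }
    }
    if ($problems) { Write-Warning ("{0}`n    {1}" -f $expanded, ($problems -join "`n    ")) }
}

# PATHEXT order is the order cmd.exe tries extensions for a bare name;
# anything beyond the stock list widens what "Frog" can resolve to.
$stock = '.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC' -split ';'
"PATHEXT: $pathExt"
$extra = @($pathExt -split ';' | Where-Object { $_ -and $stock -notcontains $_.ToUpper() })
if ($extra) { Write-Warning "Non-stock PATHEXT entries: $($extra -join ' ')" }
```

Run it as an ordinary user: the ACL check answers whether *that* user could plant a binary, which is exactly the question a privilege-escalation review asks. The per-user PATH (HKCU\Environment) is appended after the machine PATH and can be audited the same way.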

Registry

HKLM\System\CurrentControlSet\Control\Session Manager (value PendingFileRenameOperations)

Contains pending file operations (renames and deletions queued with MoveFileEx's delay-until-reboot option) that Session Manager carries out on the next reboot of Windows; malware can use it to replace or remove files that are locked while Windows is running

Works with NT and later.

Replaced the older Wininit.ini file.

Registry

HKCU or HKLM\Software\Microsoft\Internet Explorer\Main (value Start Page)

Configures Internet Explorer's start page

Commonly manipulated by adware and spyware

Registry

HKLM\System\CurrentControlSet\Enum\Root

Used to register legacy (non-Plug and Play) devices; Windows creates a LEGACY_<name> subkey here for each non-PnP driver or service that has been started

Entries here are created by Windows itself rather than by applications, so legitimate programs rarely touch the key directly.

Not commonly used by malware.

Used by Wallz worm (http://securityresponse.symantec.com/avcenter/venc/data/w32.wallz.html).

Registry

HKLM\System\CurrentControlSet\Services

Loads a program as a service or a kernel driver (i.e., before the user logs on); the Type value distinguishes the two and the Start value says whether it loads at boot, at system start, automatically, or on demand

Works with NT and later.

Common malware vector.

Difficult to determine what is and isn't malicious using this key alone.
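The key alone does not separate good from bad, but each entry's ImagePath (and, for svchost-hosted services, the ServiceDll under Parameters) can be checked against where the file lives and whether it is signed. The following PowerShell script is an added example, not code from the book: it does that for every service and driver entry. Treating %SystemRoot% and the Program Files trees as the only trusted locations is this script's assumption; so is the way it normalizes ImagePath (quotes, arguments, the \??\ and \SystemRoot\ prefixes, and drive-less driver paths relative to %SystemRoot%). Run it elevated so every key can be read.

```powershell
# Added example (not from the book): triage HKLM\System\CurrentControlSet\Services
# by reporting entries whose binary is outside the Windows or Program Files
# trees, missing, or not signed. Services and drivers are both covered
# (Type 1/2 = driver, 16/32 = service). Assumptions: trusted roots below;
# ImagePath normalization rules in Resolve-ImagePath. Run elevated.
# Caveat: Windows' own files are catalog-signed, which Get-AuthenticodeSignature
# only recognizes on PowerShell 5.1+; on older hosts confirm "not signed" under
# %SystemRoot% with a catalog-aware tool before treating it as a finding.

$servicesKey  = 'HKLM:\System\CurrentControlSet\Services'
$trustedRoots = @($env:SystemRoot, $env:ProgramFiles, ${env:ProgramFiles(x86)}) |
    Where-Object { $_ } | ForEach-Object { $_.TrimEnd('\') + '\' }

function Resolve-ImagePath([string]$imagePath) {
    # ImagePath may be quoted, may carry arguments, may omit the drive (driver
    # paths are relative to %SystemRoot%) and may use the \??\ or \SystemRoot\ prefixes
    $p = [Environment]::ExpandEnvironmentVariables($imagePath.Trim())
    if ($p.StartsWith('"')) {
        $p = $p.Split('"')[1]
    } else {
        # unquoted: keep up to the first token ending in an executable extension
        $m = [regex]::Match($p, '^(.+?\.(exe|sys|dll))(\s|$)', 'IgnoreCase')
        if ($m.Success) { $p = $m.Groups[1].Value }
    }
    $p = $p -replace '^\\\?\?\\', '' -replace '^\\SystemRoot\\', "$env:SystemRoot\"
    if (-not [IO.Path]::IsPathRooted($p)) { $p = Join-Path $env:SystemRoot $p }
    return $p
}

function Test-Signed([string]$file) {
    return (Get-AuthenticodeSignature -FilePath $file).Status -eq 'Valid'
}

$report = foreach ($svc in Get-ChildItem -Path $servicesKey -ErrorAction SilentlyContinue) {
    $props = Get-ItemProperty -Path $svc.PSPath -ErrorAction SilentlyContinue
    if (-not $props.ImagePath) { continue }            # parameter-only keys (e.g. Eventlog sources)
    $file  = Resolve-ImagePath $props.ImagePath
    $flags = @()
    if (-not ($trustedRoots | Where-Object { $file.StartsWith($_, 'OrdinalIgnoreCase') })) { $flags += 'outside Windows/Program Files' }
    if (-not (Test-Path -LiteralPath $file)) { $flags += 'file missing' }
    elseif (-not (Test-Signed $file)) { $flags += 'not signed' }
    # svchost-hosted services: the real code is the ServiceDll under Parameters
    $dll = (Get-ItemProperty -Path (Join-Path $svc.PSPath 'Parameters') -Name ServiceDll -ErrorAction SilentlyContinue).ServiceDll
    if ($dll) {
        $dll = [Environment]::ExpandEnvironmentVariables($dll)
        if (-not (Test-Path -LiteralPath $dll)) { $flags += "ServiceDll missing: $dll" }
        elseif (-not (Test-Signed $dll)) { $flags += "ServiceDll not signed: $dll" }
    }
    if ($flags) {
        [pscustomobject]@{ Service = $svc.PSChildName; Type = $props.Type; Start = $props.Start; Image = $file; Flags = ($flags -join '; ') }
    }
}
$report | Sort-Object Start, Service | Format-Table -AutoSize -Wrap
```

Sorting by Start puts boot and system-start drivers (Start 0 and 1) first, which is where a rootkit that wants to load before security software will register itself. Third-party software under Program Files is expected to appear as "not signed" fairly often; an unsigned driver loading from %SystemRoot%\System32\drivers is a much stronger signal.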

Registry

HKCR\PROTOCOLS\Filter or HKLM\Software\Classes\PROTOCOLS\Filter (one subkey per MIME type, e.g. text/xml, each holding a CLSID value)

A malware program registered here as a MIME filter is loaded whenever Internet Explorer handles content of that MIME type (e.g., text/xml)

For example, it can be used so that a malicious program is loaded each time a text file is viewed in IE instead of Notepad. Frequently used by spyware and adware.

Programs are identified by the CLSID value below each MIME-type subkey; resolve it under HKCR\CLSID to find the DLL.

Used by StartPage.I trojan.

Both keys are just aliases for each other. Thanks to Andrew Aronoff of SilentRunners.org for this hint.
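Several of the locations in this table (ShellServiceObjectDelayLoad, Browser Helper Objects, SharedTaskScheduler, ShellExecuteHooks and PROTOCOLS\Filter above) name their payload only by CLSID, so the first step in every case is the same: resolve the CLSID to a DLL through CLSID\{...}\InprocServer32. The following PowerShell script is an added example, not code from the book: it collects the CLSIDs from all five keys, resolves each one (per-user classes first, then machine classes, then the 32-bit view) and reports the DLL, whether it exists and whether it carries a valid signature. The storage form it assumes for each key (subkey names, value names, or value data) is stated in the table inside the script; it is read-only.

```powershell
# Added example (not from the book): resolve every CLSID registered in the
# CLSID-based autostart keys above to the DLL behind it, and check that the DLL
# exists and is signed. Read-only. Assumption: the storage form of each key as
# encoded in $locations (SubKey / ValueName / ValueData / ClsidValue).

function Resolve-Clsid([string]$clsid) {
    # returns the in-process server DLL registered for the CLSID, or $null
    foreach ($root in 'HKCU:\Software\Classes\CLSID', 'HKLM:\Software\Classes\CLSID', 'HKLM:\Software\Classes\Wow6432Node\CLSID') {
        $key = Join-Path $root "$clsid\InprocServer32"
        if (Test-Path -Path $key) {
            $dll = (Get-ItemProperty -Path $key).'(default)'
            if ($dll) { return [Environment]::ExpandEnvironmentVariables($dll.Trim('"')) }
        }
    }
    return $null
}

# how each location stores its CLSIDs: as subkey names, value names, or value data
$locations = @(
    @{ Key = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad';     Form = 'ValueData'  },
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad';     Form = 'ValueData'  },
    @{ Key = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'; Form = 'SubKey'     },
    @{ Key = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler';    Form = 'ValueName'  },
    @{ Key = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks';      Form = 'ValueName'  },
    @{ Key = 'HKLM:\Software\Classes\PROTOCOLS\Filter';                                         Form = 'ClsidValue' }
)

$report = foreach ($loc in $locations) {
    if (-not (Test-Path -Path $loc.Key)) { continue }
    $key = Get-Item -Path $loc.Key
    $clsids = switch ($loc.Form) {
        'SubKey'     { $key.GetSubKeyNames() }
        'ValueName'  { $key.GetValueNames() }
        'ValueData'  { foreach ($n in $key.GetValueNames()) { $key.GetValue($n) } }
        # MIME filters: one subkey per MIME type; the name contains a slash, so read
        # the CLSID from the RegistryKey object instead of building a provider path
        'ClsidValue' { foreach ($sub in Get-ChildItem -Path $loc.Key) { $sub.GetValue('CLSID') } }
    }
    foreach ($clsid in @($clsids | Where-Object { $_ -like '{*}' })) {
        $dll = Resolve-Clsid $clsid
        $status = if (-not $dll) { 'no InprocServer32' }
                  elseif (-not (Test-Path -LiteralPath $dll)) { 'DLL missing' }
                  else { (Get-AuthenticodeSignature -FilePath $dll).Status }
        [pscustomobject]@{ Location = Split-Path -Path $loc.Key -Leaf; CLSID = $clsid; DLL = $dll; Status = $status }
    }
}
$report | Format-Table -AutoSize -Wrap
```

Resolving through HKCU first mirrors what COM does: a per-user registration of the same CLSID silently replaces the machine-wide DLL for that account, which is why a clean HKLM\Software\Classes\CLSID entry proves nothing on its own. The same resolver serves any other CLSID-based location in this table, such as the Toolbar and Shell Extensions\Approved keys.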

Registry

HKLM\System\CurrentControlSet\Control\Class\{<device class GUID>}\UpperFilters

Lists filter drivers layered above the class driver; a malicious filter can read or modify I/O from input devices

Used by some keylogging trojans (e.g., InvisibleKey spyware) to capture data from the keyboard driver. The keyboard class is {4D36E96B-E325-11CE-BFC1-08002BE10318}; its default UpperFilters value is kbdclass, and any additional name listed there is another driver in the keystroke path.

Many device classes carry an UpperFilters value by default, so the value's presence is not suspicious; an unexpected extra driver in the list is.

Do not delete or manipulate this value without backing up the registry first, because it often contains legitimate entries and removing the class filter breaks the device.

Thanks to Andrew Aronoff of Silent Runners.org for this hint.

Registry

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries

Allows trojan or worm to install itself as a Layered Service Provider so that it can monitor network traffic

Used by many trojans, spyware, and adware programs.

Many legitimate keys are located here. Can be difficult to find unauthorized programs.

The commercial Guardian Monitor spyware program and the Redfall trojan use this method.

Thanks to Andrew Aronoff of SilentRunners.org for this hint.
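Reading the two catalogs by hand is awkward because the protocol catalog stores the DLL name inside a binary blob. The following PowerShell script is an added example, not code from the book: it lists every provider from both catalogs with the DLL it loads into each socket-using process. NameSpace_Catalog5 entries keep the DLL in a plain LibraryPath value; for Protocol_Catalog9 the script assumes the layout used by Autoruns-style tools, in which the first 260 bytes (MAX_PATH) of the PackedCatalogItem value are the null-terminated ANSI path. It is read-only.

```powershell
# Added example (not from the book): list every Winsock provider registered in
# the two catalogs above and the DLL it loads into every socket-using process.
# Assumption: PackedCatalogItem begins with a 260-byte null-terminated ANSI
# path. Catalog_Entries64 is the 64-bit view on x64 Windows. Read-only.

$ws = 'HKLM:\System\CurrentControlSet\Services\Winsock2\Parameters'

$rows = foreach ($catalog in 'NameSpace_Catalog5', 'Protocol_Catalog9') {
    foreach ($entriesName in 'Catalog_Entries', 'Catalog_Entries64') {
        $entries = Join-Path $ws "$catalog\$entriesName"
        if (-not (Test-Path -Path $entries)) { continue }
        foreach ($e in Get-ChildItem -Path $entries) {
            $p = Get-ItemProperty -Path $e.PSPath
            if ($catalog -eq 'NameSpace_Catalog5') {
                $dll  = $p.LibraryPath            # REG_EXPAND_SZ, already expanded by Get-ItemProperty
                $name = $p.DisplayString
            } else {
                if (-not $p.PackedCatalogItem) { continue }
                $bytes = [byte[]]$p.PackedCatalogItem
                $len   = [Math]::Min(260, $bytes.Length)
                $dll   = [Text.Encoding]::ASCII.GetString($bytes, 0, $len).Split([char]0)[0]
                $name  = '(protocol/LSP entry)'
            }
            if (-not $dll) { continue }
            $dll  = [Environment]::ExpandEnvironmentVariables($dll)
            $full = if ([IO.Path]::IsPathRooted($dll)) { $dll } else { Join-Path "$env:SystemRoot\System32" $dll }
            $exists = Test-Path -LiteralPath $full
            [pscustomobject]@{
                Catalog = "$catalog\$entriesName"
                Entry   = $e.PSChildName
                Name    = $name
                DLL     = $dll
                Exists  = $exists
                Signed  = if ($exists) { (Get-AuthenticodeSignature -FilePath $full).Status } else { 'n/a' }
            }
        }
    }
}

# Microsoft's own providers (mswsock.dll, winrnr.dll, and on Vista+ NLAapi.dll,
# napinsp.dll, pnrpnsp.dll, wshbth.dll) account for a clean system; sort so that
# missing, unsigned, or third-party DLLs surface first.
$rows | Sort-Object Exists, Signed, DLL | Format-Table -AutoSize -Wrap
```

Cross-check the DLL list against netsh winsock show catalog, which asks the Winsock library itself; a provider the registry shows but netsh does not (or vice versa) means the catalog is being tampered with while you look. Removing an LSP by deleting its registry entry alone breaks networking because the remaining entries are chained by index; use netsh winsock reset or the installer's own uninstaller.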

Registry

HKLM\Software\Microsoft\Office\Outlook\Addins

Malware can add itself as an Outlook Add-in and manipulate incoming or outgoing e-mail

May contain legitimate entries, such as anti-spam or antivirus software plug-ins.

A common malicious example is Hotbar adware.

Registry

HKCU\Identities\<Identity>\Software\Microsoft\Outlook Express\<version>\Signatures

Malware can add a malicious script to Outlook Express e-mail signatures that retrieves malware automatically when opened by the recipient.

Documented for Outlook Express, but may be exploitable in Outlook and other e-mail clients as well. Used by the Kak and JS.Fortnight worms.

Registry

HKCU\Software\Microsoft\Internet Explorer\Desktop\Components\<#> (values Flags, Source and SubscribedURL)

Can be hijacked by adware to redirect IE to unauthorized locations and malware

The Source and SubscribedURL values are set to About:Home by default.

Hint provided by Andrew Aronoff of SilentRunners.org.

Registry

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

This binary value controls many aspects of the desktop environment, including whether Active Desktop is enabled and whether file extensions are visible.

Not very commonly manipulated by malware presently.

Hint provided by Andrew Aronoff of SilentRunners.org.

Registry

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Active Desktop

Controls Active Desktop settings

Active Desktop, if enabled, opens up more potential attack vectors.

Note that selecting particular types of display media (e.g., a .JPG as wallpaper) enables Active Desktop in some versions of Windows, whereas disabling Active Desktop while a .JPG is set as wallpaper raises an "Are you sure?" prompt that many users back out of in order to keep their wallpaper. The key is not present by default on most systems.

Not very commonly manipulated by malware presently.

Hint provided by Andrew Aronoff of SilentRunners.org.

Registry

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer

Controls Windows Explorer settings

Not very commonly manipulated by malware presently.

Hint provided by Andrew Aronoff of SilentRunners.org.

Registry

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System

Allows control of desktop system and some administrative tools

Often used to disable Task Manager (DisableTaskMgr=0x1), Registry Editor (DisableRegistryTools = 0x1), and Control Panel (NoDispCPL= 0x1).

Key not present by default on most systems.

Commonly manipulated by malware. Examples include HackerWacker keystroke logger spyware, Ronoper worm, and Ting adware.

Hint provided by Andrew Aronoff of SilentRunners.org.

Registry

HKLM\Software\Microsoft\Windows\CurrentVersion\URL\DefaultPrefix

HKLM\Software\Microsoft\Windows\CurrentVersion\URL\Prefixes (values such as www, ftp and gopher)

Supplies the scheme that Internet Explorer prepends to an address typed without one (e.g., "www.example.com"); an attacker who replaces it with a string of their own effectively redirects every such address to an unauthorized web site first

Commonly used by adware. Examples include SmartSearch and WorldSearch adware, the JS.Fortnight adware worm, and the Popdis trojan.

Default values are supposed to be http:// for DefaultPrefix and for the www prefix (ftp:// for ftp, and so on).

Hint provided by Andrew Aronoff of SilentRunners.org.

Registry

HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DataBasePath

Can be used to point Windows at a new, unauthorized HOSTS file instead of the one in the normal location (%SystemRoot%\System32\Drivers\Etc)

Used by trojans (ex. Qhosts) and adware (ex. TMKSoft.XPlugin).

Value is also added to ControlSet001 and ControlSet002 by some trojans (ex. Qhosts).

Hint provided by Andrew Aronoff of SilentRunners.org.

Registry

HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\NameServer

Can be used to point to a new, unauthorized DNS server

Used by a few malware programs, including Qhosts trojan.

Registry

HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\

Sets overall TCP/IP communications values, including DHCP, DNS, and TCP/IP stack. These values are used unless a specific value is set under the \Interfaces subkeys on a particular interface.

Many subvalues on this key could be changed to cause problems — for example, to set a new default gateway, to change normal DNS resolution order, etc.

Many legitimate settings are present by default.

Many values can be modified to strengthen a Windows computer against denial-of-service attacks.

Registry

HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\<interface GUID>

Controls all TCP/IP communications, including DHCP, DNS, and TCP/IP stack.

Many subvalues on this key could be changed to cause problems — for example, to set a new default gateway, to change normal DNS resolution order, etc.

Many legitimate settings are present by default.

Used by Qhosts and Flush.D trojans. Also look at ControlSet001 and ControlSet002, as some trojans (e.g., Qhosts) modify those values too.

Registry

HKLM\System\CurrentControlSet\Services\VxD\MSTCP\NameServer

Can be used to force a client to use an unauthorized DNS server

Key not present by default.

Used by Qhosts and Flush.D trojans.
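The last five rows all attack name resolution, and one pass covers them. The following PowerShell script is an added example, not code from the book: it verifies that DataBasePath still points at %SystemRoot%\System32\drivers\etc, lists every static NameServer set globally or on an individual interface (on a DHCP client there should be none), probes the Windows 9x VxD\MSTCP location, and prints any hosts-file line that maps a name to something other than a loopback or null address. It walks ControlSet001/002 as well as CurrentControlSet, as the Qhosts note above advises; it is read-only.

```powershell
# Added example (not from the book): one read-only pass over the name-resolution
# settings above -- DataBasePath, global and per-interface NameServer, the 9x
# VxD\MSTCP key, and the hosts file Windows will actually read.
# Assumption: a DHCP client has no static NameServer; 127.x, ::1 and 0.0.0.0
# hosts entries are benign (blocklists), anything else is a redirect.

$expectedDb = "$env:SystemRoot\System32\drivers\etc"
$sets = @('CurrentControlSet') + @(Get-ChildItem -Path 'HKLM:\System' | Where-Object { $_.PSChildName -like 'ControlSet*' } | ForEach-Object { $_.PSChildName })

foreach ($set in $sets) {
    $tcp = "HKLM:\System\$set\Services\Tcpip\Parameters"
    if (-not (Test-Path -Path $tcp)) { continue }
    $p  = Get-ItemProperty -Path $tcp
    $db = [Environment]::ExpandEnvironmentVariables([string]$p.DataBasePath)
    if ($db -and ($db.TrimEnd('\') -ine $expectedDb)) { Write-Warning "$set DataBasePath = $db (expected $expectedDb)" }
    if ($p.NameServer) { Write-Warning "$set global NameServer = $($p.NameServer)" }
    foreach ($iface in Get-ChildItem -Path (Join-Path $tcp 'Interfaces') -ErrorAction SilentlyContinue) {
        $i = Get-ItemProperty -Path $iface.PSPath
        if ($i.NameServer) {
            # a static server overrides what DHCP handed out; compare the two
            "{0} interface {1}: static NameServer={2} (DhcpNameServer={3})" -f $set, $iface.PSChildName, $i.NameServer, $i.DhcpNameServer
        }
    }
}

# Windows 9x location; harmless to probe on NT-family systems, where the key is absent
$vxd = 'HKLM:\System\CurrentControlSet\Services\VxD\MSTCP'
if (Test-Path -Path $vxd) {
    $v = (Get-ItemProperty -Path $vxd).NameServer
    if ($v) { Write-Warning "VxD\MSTCP NameServer = $v" }
}

# read the hosts file from wherever DataBasePath currently points: that is the file Windows uses
$hostsDir = [Environment]::ExpandEnvironmentVariables([string](Get-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Services\Tcpip\Parameters').DataBasePath)
$hosts = Join-Path $hostsDir 'hosts'
if (Test-Path -LiteralPath $hosts) {
    foreach ($raw in Get-Content -LiteralPath $hosts) {
        $line = ($raw -split '#')[0].Trim()
        if (-not $line) { continue }
        $addr = ($line -split '\s+')[0]
        if ($addr -notmatch '^(127\.|::1$|0\.0\.0\.0$)') { Write-Warning "hosts: $line" }
    }
} else {
    Write-Warning "hosts file not found at $hosts"
}
```

A hosts entry for a bank, a search engine, or an antivirus vendor's update server is the classic Qhosts-style finding; a static NameServer on a laptop that otherwise uses DHCP is the Flush.D-style one. Both survive a reboot and neither shows up in the browser, which is why they belong in a routine check rather than an incident-only one.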



Professional Windows Desktop and Server Hardening (Programmer to Programmer)
ISBN: 0764599909
Year: 2004