Once hackers or malware have completed the initial exploit of a computer, their next step is to modify the system so that the malicious activity stays hidden and so that they can re-access the system at will.
To do this, the hacker or malware modifies Windows in one of five places:
Files
Folders
Registry keys
Applications
Other areas and tricks
I have documented over 145 different locations and tricks that malware and hackers use to hide and regain system access. It is the most complete table of its kind: it contains nearly 100 registry keys that can be used maliciously, over 32 files, and over 14 folders. You can download the complete table at http://www.wiley.com/go/windowsvistasecurity; it is frequently updated. Table 2-1 shows some highlighted entries pulled from the larger table.
NAME | FUNCTION |
---|---|
APPLICATION AREAS | |
Archive files | Malware can be hidden or launched from within archive file formats. |
Auto-run application files | Malware can launch from any auto-running file associated with a particular application. |
Embedded or linked files | Many applications and their file formats allow other document types to be embedded/executed. |
FILE AREAS | |
Alternate Data Streams | Malware can hide in an NTFS Alternate Data Stream (ADS) attached to a file or folder; the stream does not appear in Explorer or in a plain dir listing (dir /R on Vista shows it). |
AUTORUN.INF | Autorun file; runs the command or program referenced by its open= or shellexecute= line when removable media (CD-ROM discs, USB drives) is inserted or Autoplay is chosen. |
Desktop.ini | Used to customize folder behavior. It is meant to let users customize folder appearance and behavior, but it can be used to hide files and to auto-launch programs when the folder that references it is viewed. |
HOSTS | Holds static name-to-address entries that are consulted before DNS; malware edits it to block security-vendor sites or redirect banking domains. |
Non-printable characters in file name | Several defense programs (for example, antivirus scanners) are unable to scan files whose names contain non-printable or extended ASCII characters. |
Long path name trick or program.exe trick | If a path containing spaces is not enclosed in quotes, many programs (and the service control manager, for an unquoted service ImagePath) try each space-delimited prefix in turn as the executable name, so C:\Program Files\Frog App\frog.exe can cause an attacker-planted C:\Program.exe or C:\Program Files\Frog.exe to run instead. |
Internet shortcut trick to run local code | Can be used to run local code and to override HOSTS and DNS resolution. |
OLE2 document trick | OLE2 (compound) documents are recognized by their internal format, so they open in their associated application even when the file has no extension. |
Protected file names (Lsass.exe, System, and so on) | Task Manager refuses to end processes bearing several critical system names; malware that adopts one of these names is harder to remove. |
FOLDERS | |
Startup folders (on Vista, %AppData%\Microsoft\Windows\Start Menu\Programs\Startup for the current user and %ProgramData%\Microsoft\Windows\Start Menu\Programs\Startup for all users) | Any program, shortcut, or command placed in one of these folders is executed automatically when the user logs on. |
Recycler | The Recycle Bin's storage location for deleted files and folders (Recycler on earlier NTFS systems, $Recycle.Bin on Vista); users rarely browse it, so malware hides there. |
System, System32, %Windir% | Malware often writes itself to the Windows system directories so that it blends in with legitimate files. |
System Volume Information | System Restore storage; its ACL normally grants access only to SYSTEM, so many scanners skip it and hackers or malware use it to hide malicious programs. |
Tasks | Holds Task Scheduler job files (%Windir%\Tasks; Vista also uses %Windir%\System32\Tasks). |
Temporary Internet Files | Malicious files are often stored or hidden in Internet Explorer's Temporary Internet Files (TIF) folder. |
OTHER | |
ActiveX control | Installed ActiveX controls (downloaded copies are kept in %Windir%\Downloaded Program Files) run inside Internet Explorer with the user's privileges. |
Defensively positioned dialog boxes | Malware often uses programming "tricks" to cover up legitimate warning boxes or to trick the user into accepting a prompt that allows the malware to enter the system when it otherwise could not. |
Executable pathway | The PATH statement determines which directories the OS searches when a program is named without a full path (for example, Frog.exe rather than C:\Program Files\Frog.exe); a writable directory early in PATH lets an attacker shadow a legitimate program. |
Hidden files | Files and folders with the Hidden or System attribute set are omitted from Explorer and dir listings by default and so escape casual searches. |
Layered Service Provider (LSP) | Malware can insert itself as a Winsock LSP, which can intercept any network traffic heading into and out of the PC. |
Task Scheduler | Runs the listed programs and commands at the scheduled times or triggers, including at logon and boot. |
Unusual folder/file names | Hackers and malware often use unusual names to hide malicious files and folders. |
URL Monikers | URL monikers (pluggable protocol handlers) can be added to Internet Explorer so that an associated program is loaded when a particular keyword or protocol prefix is typed. |
REGISTRY KEYS | |
HKLM\Software\Classes\<progid>\NeverShowExt | A NeverShowExt value under a file type's class key makes Explorer hide that type's extension even when "Hide extensions for known file types" is off, so the real extension of a malicious file can be concealed. |
HKCU\Software\Microsoft\Internet Explorer\SearchURL | Redirects text typed into Internet Explorer's address bar that is not a URL to the defined search URL, which can be an attacker-controlled site. |
HKLM\Software\Microsoft\Internet Explorer\Extensions | Adware/spyware can add toolbar buttons and menu items to IE that launch malicious programs and scripts. |
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\load | Runs commands or programs after the user logs on (the registry equivalent of the old Win.ini load= line). |
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\run | Runs commands or programs after the user logs on (the registry equivalent of the old Win.ini run= line). |
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell | Names the user shell started at logon (explorer.exe by default); malware replaces the value or appends itself after a comma so that it runs alongside Explorer. |
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\System | Runs programs during Winlogon initialization. |
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Taskman | Names a replacement for Task Manager, launched when the user presses Ctrl+Shift+Esc or chooses Task Manager; malware can point it at its own program. |
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | Runs programs after the user logs on, when the Windows default shell (explorer.exe) starts for the first time during each logon. |
HKLM\Software\Microsoft\Windows\CurrentVersion\Run | Runs programs or commands after the user logs on. |
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce | Runs programs or commands once, at the next logon after the value is created; the value is deleted after it runs. |
HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Runs code after the user logs on; each value holds the CLSID of a COM DLL that is loaded into the explorer.exe process. |
HKLM\Software\Classes\<filetype>\shell\open\command | Can be modified to run additional commands or programs whenever a file of that type is opened. |
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\GinaDLL | Names the DLL that presents the logon user interface and passes the interactive user's credentials to Winlogon.exe; a malicious GINA captures passwords. Vista removed GINA in favor of credential providers, so this value should not exist on Vista. |
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit | Specifies the programs Winlogon runs when a user logs on (by default %SystemRoot%\system32\userinit.exe,); malware appends itself to the comma-separated list. |
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects | Lists COM objects loaded into Internet Explorer when it starts; these are also known as Add-ons and can see and alter every page the browser handles. |
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler | Despite the name, unrelated to Task Scheduler: lists CLSIDs of COM objects that Explorer loads when Windows starts. |
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders | Determines the location of the Startup folder (and therefore of Startup programs) and other common folders (for example, My Documents, My Favorites) for the All Users profile; redirecting the Startup entry moves autostart to an unexpected folder. |
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks | Contains the list of COM objects, by GUID, that intercept ShellExecute calls and thus see every program launch. |
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx | Runs programs or commands after the user logs on, in a controlled order. Each listed value runs at every logon until a user with permission to modify the key logs on; the value is then deleted after it runs. |
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices | Runs the listed program after boot, before any user logs on. Honored by Windows 9x/Me only; NT-based Windows, including Vista, ignores it. |
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce | Runs the listed program once after boot, before any user logs on, and then deletes the value. Honored by Windows 9x/Me only; NT-based Windows, including Vista, ignores it. |
HKLM\System\CurrentControlSet\Control\SafeBoot | Determines which programs, services, and drivers load in a Safe Mode boot; malware adds itself so that it survives Safe Mode, or removes security products so that they do not. |
HKLM\System\CurrentControlSet\Control\Session Manager\Environment\PathExt | The PATHEXT variable; determines which extensions are tried, in order, when a program is named without one (for example, Frog rather than Frog.exe), so a planted Frog.com or an added extension can be run instead. |
HKLM\System\CurrentControlSet\Services | Loads the program named by a service's ImagePath (or the DLL named by ServiceDll) as a service, before any user logs on. |
HKLM\Software\Microsoft\Office\Outlook\Addins | Malware can register itself as an Outlook Add-in and manipulate incoming or outgoing e-mail. |
HKCU\Identities\<Identity>\Software\Microsoft\Outlook Express\<version>\Signatures | Malware can add a malicious script to an Outlook Express e-mail signature so that every message sent retrieves malware when a recipient opens it. |
HKLM\Software\Microsoft\Windows\CurrentVersion\URL\DefaultPrefix | Holds the string prepended to addresses typed without a protocol; an attacker's prefix effectively redirects every such address to an unauthorized Web site first. |
HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DataBasePath | Can be pointed at a directory holding an unauthorized HOSTS file instead of the normal location (%SystemRoot%\System32\Drivers\Etc). |
HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\ | Sets overall TCP/IP values, including DHCP, DNS server, and TCP/IP stack settings. These values apply unless a specific value is set under the \Interfaces subkey for a particular interface; a rogue NameServer value here silently redirects all name resolution. |
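The following audit script is an added example, not code from the book or from Microsoft, and is meant as a quick sanity check rather than a replacement for Autoruns. It walks a subset of the Table 2-1 locations: the Run-style keys, the Winlogon values, the HKCU load/run values, the Vista Startup folders (including hidden items and alternate data streams), services with unquoted image paths (the program.exe trick, with the files Windows would try first), and the HOSTS file at whatever directory DataBasePath actually points to. It assumes Windows PowerShell 3.0 or later and an elevated prompt; the Winlogon defaults it compares against (explorer.exe and %SystemRoot%\system32\userinit.exe,) and the Startup folder paths are those of a default Vista install.

```powershell
# Added audit script (not from the book). Assumes PowerShell 3.0+ and an elevated
# prompt so that HKLM and the all-users Startup folder are readable.
# Every reported path should be recognisable; anything under %Temp%, a user
# profile, or an unusual folder deserves a closer look.

$findings = New-Object System.Collections.Generic.List[object]
function Add-Finding([string]$Area, [string]$Name, [string]$Value) {
    $findings.Add([pscustomobject]@{ Area = $Area; Name = $Name; Value = $Value })
}

# 1. Run-style keys: every value is something launched at logon or by Explorer.
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks'
)
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
        # PSPath, PSParentPath, PSChildName, PSDrive and PSProvider are provider metadata, not values
        if ($p.Name -like 'PS*') { continue }
        Add-Finding $key $p.Name ([string]$p.Value)
    }
}

# 2. Winlogon values with well-known defaults; anything else is a finding.
$winlogon = Get-ItemProperty -Path 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
$defaults = @{
    Shell    = 'explorer.exe'
    Userinit = "$env:SystemRoot\system32\userinit.exe,"
}
foreach ($name in $defaults.Keys) {
    if ($winlogon.$name -ne $defaults[$name]) { Add-Finding 'Winlogon' $name ([string]$winlogon.$name) }
}
# Taskman and GinaDLL do not exist on a default Vista install; their presence alone is a finding.
foreach ($name in 'Taskman', 'GinaDLL') {
    if ($winlogon.PSObject.Properties[$name]) { Add-Finding 'Winlogon' $name ([string]$winlogon.$name) }
}

# 3. The Win.ini-era load= and run= equivalents under HKCU.
$win = Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Windows' -ErrorAction SilentlyContinue
foreach ($name in 'load', 'run') {
    if ($win -and $win.$name) { Add-Finding 'HKCU Windows' $name ([string]$win.$name) }
}

# 4. Startup folders, including hidden items (-Force) and any alternate data streams.
$startupDirs = @(
    "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup",
    "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\Startup"
)
foreach ($dir in $startupDirs) {
    foreach ($item in Get-ChildItem -Path $dir -Force -ErrorAction SilentlyContinue) {
        Add-Finding 'Startup folder' $item.Name $item.FullName
        Get-Item -Path $item.FullName -Stream * -ErrorAction SilentlyContinue |
            Where-Object { $_.Stream -ne ':$DATA' } |
            ForEach-Object { Add-Finding 'ADS' $item.Name "$($item.FullName):$($_.Stream)" }
    }
}

# 5. Unquoted service image paths containing spaces (the program.exe trick).
#    For each one, list the files Windows would try before the intended binary.
foreach ($svc in Get-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Services\*' -ErrorAction SilentlyContinue) {
    $img = [string]$svc.ImagePath
    if (-not $img -or $img.StartsWith('"')) { continue }
    if ($img -match '^(?<exe>.*?\.exe)') {
        $exe = $Matches['exe']
        if ($exe.Contains(' ')) {
            $parts = $exe -split ' '
            $candidates = for ($i = 1; $i -lt $parts.Count; $i++) { ($parts[0..($i - 1)] -join ' ') + '.exe' }
            Add-Finding 'Unquoted ImagePath' $svc.PSChildName ("$img  -> tries first: " + ($candidates -join '; '))
        }
    }
}

# 6. HOSTS file at the directory the registry actually points to (DataBasePath).
$dbPath = (Get-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Services\Tcpip\Parameters').DataBasePath
$hostsFile = Join-Path ([Environment]::ExpandEnvironmentVariables($dbPath)) 'hosts'
Add-Finding 'HOSTS location' 'DataBasePath' $hostsFile
# Keep only active entries (an address followed by a name); comments and blank lines are skipped.
Get-Content -Path $hostsFile -ErrorAction SilentlyContinue |
    Where-Object { $_ -match '^\s*[0-9a-fA-F.:]+\s+\S' } |
    ForEach-Object { Add-Finding 'HOSTS entry' '' $_.Trim() }

$findings | Format-Table -Property Area, Name, Value -AutoSize -Wrap
```

Run it once on a freshly built machine and keep the output as a baseline; on a suspect machine, diff the two listings rather than reading the whole table. A HOSTS location other than %SystemRoot%\System32\drivers\etc, a Winlogon value that differs from the defaults, or any service whose unquoted path has a writable directory among its candidates warrants immediate investigation.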
Microsoft has worked hard to make most of these areas less vulnerable in Windows Vista. You can run many different utilities to determine whether programs are launching from the areas listed in Table 2-1 or from the larger list in its parent table. Sysinternals' Autoruns (http://www.sysinternals.com/Utilities/Autoruns.html) is probably the best all-around utility for listing and removing programs from these areas. Sysinternals was purchased by Microsoft in July 2006. Andrew Aronoff's Silent Runners.vbs script (http://www.silentrunners.org) can locate even more launching programs than Autoruns, but it is not as user-friendly for removing them.