Sophos

Debuggered

In the recent article, Delete files that don’t exist, Stephen described a piece of malware that used the registry to delete a particular file when it was launched. The same registry key can be abused in another way. By adding the following registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\<command to hijack>

with a value named “Debugger” whose data is the path to a handler, malware can disable applications or launch itself whenever the user attempts to start the hijacked application: Windows runs the program named in Debugger instead, passing it the path of the original executable. Below is a demonstration.

[Figure: Modifying the registry with registry editor]

I have added a new registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.exe

and added a Debugger value pointing to Notepad.exe.

After this modification, each time I run cmd.exe, Notepad.exe opens instead and loads the cmd.exe binary as a document.

[Figure: Loading the cmd.exe binary with Notepad.exe]

Yet another way to exploit the poor registry.
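As an added example (not part of the original post), here is a small audit that parses a `reg export` of the Image File Execution Options key and reports every subkey with a Debugger value, flagging those whose handler is not a recognised debugger. The sample export below is constructed, and the allow-list of legitimate debuggers is an assumption an organisation would tune to its own tooling.

```python
import re

# Constructed sample of what `reg export "HKLM\...\Image File Execution Options"` produces.
# cmd.exe mirrors the post's demonstration; taskmgr.exe shows the malicious pattern;
# myapp.exe is a legitimate developer setting that should not be flagged.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.exe]
"Debugger"="C:\\Windows\\System32\\notepad.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe]
"Debugger"="C:\\Users\\Public\\svch0st.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\myapp.exe]
"Debugger"="\"C:\\Program Files\\Debugging Tools\\windbg.exe\" -g"
"GlobalFlag"=dword:00000002
"""

IFEO_PREFIX = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options" + "\\"

# Assumption: debuggers this environment considers a legitimate use of the Debugger value.
KNOWN_DEBUGGERS = {"windbg.exe", "ntsd.exe", "cdb.exe", "vsjitdebugger.exe"}


def parse_ifeo_export(text):
    """Return {image_name: debugger_string} for every IFEO subkey that sets a Debugger value."""
    hijacks = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            in_ifeo = key.lower().startswith(IFEO_PREFIX.lower()) and len(key) > len(IFEO_PREFIX)
            current = key[len(IFEO_PREFIX):] if in_ifeo else None
            continue
        m = re.match(r'^"Debugger"="(.*)"$', line) if current else None
        if m:
            # .reg files escape backslashes and quotes with a backslash; undo that.
            hijacks[current] = re.sub(r"\\(.)", r"\1", m.group(1))
    return hijacks


def debugger_executable(debugger):
    """Extract the bare executable name from a Debugger string, quoted or not, with or without arguments."""
    exe = debugger.strip()
    exe = exe[1:].split('"', 1)[0] if exe.startswith('"') else exe.split(" ", 1)[0]
    return exe.rsplit("\\", 1)[-1].lower()


def suspicious_hijacks(text):
    """IFEO Debugger entries whose handler is not a recognised debugger: the hijack pattern in the post."""
    return {img: dbg for img, dbg in parse_ifeo_export(text).items()
            if debugger_executable(dbg) not in KNOWN_DEBUGGERS}


if __name__ == "__main__":
    for image, handler in suspicious_hijacks(SAMPLE_REG_EXPORT).items():
        print(f"{image} is hijacked: Windows will run {handler} instead")
```

A real `reg export` file is UTF-16 with a byte-order mark, so read it with `open(path, encoding="utf-16")` before passing it to `suspicious_hijacks`.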
