Tuesday, August 30, 2005

When does size really matter?

Well, when you're talking about Registry values, that's for sure!

On 24 Aug, Secunia released an advisory stating that Registry value names that are "overly-long" are not displayed in the Registry Editor, and that this "problem reportedly also exists for overly long registry keys."

So...what's the issue? A great deal of malware maintains persistence by adding a reference to itself in an autostart location, so that it is launched automatically when the system boots, when a user logs in, or when the user takes some action; no direct interaction with the user is required. Most folks doing incident response and forensics on Windows systems know to check these locations for such entries, but now it seems that some tools, the Registry Editor among them, will not display a value whose name is longer than 254 characters. The value is still there and is still read by whatever processes the autostart location; only the tool's view of the key is incomplete, which makes a long value name a cheap way for malware to keep an autostart entry out of the analyst's sight.

The Internet Storm Center has a couple of diary entries about this and is working not only to compile a list of which tools do and do not display (or otherwise react to) these long names, but also to get vendors to update their products accordingly. Tom Liston, one of the ISC watchstanders, has written a tool that will search your Registry for long value names.

I've written a Perl script that will parse offline Registry files...I'll need to add a check for value names that are longer than 254 bytes.
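As an added example (not the author's Perl script, nor Tom Liston's tool), the following Python does the check described above: given the values under an autostart key, flag any whose name is longer than 254 characters. The list of autostart keys, the cutoff kept as a tunable parameter, and the sample values are assumptions made for the example; on Windows it walks the live keys through the standard winreg module, and elsewhere it exercises the check on the constructed sample only.

```python
"""Flag Registry value names long enough to be hidden from the Registry Editor.

Added example, not the author's Perl script or Tom Liston's tool. The check
itself (find_long_value_names) is pure and runs anywhere; the live-Registry
walk uses Python's standard winreg module and is only attempted on Windows.
"""
import sys

# Threshold taken from the post: value names longer than 254 characters
# were reportedly not displayed. Kept as a parameter, since the exact
# boundary may differ from tool to tool.
MAX_VISIBLE_NAME_LEN = 254

# A selection of well-known autostart locations (hive, subkey). This list is
# an assumption for the example and is deliberately not exhaustive.
AUTOSTART_KEYS = [
    ("HKLM", r"Software\Microsoft\Windows\CurrentVersion\Run"),
    ("HKLM", r"Software\Microsoft\Windows\CurrentVersion\RunOnce"),
    ("HKCU", r"Software\Microsoft\Windows\CurrentVersion\Run"),
    ("HKCU", r"Software\Microsoft\Windows\CurrentVersion\RunOnce"),
]


def find_long_value_names(values, limit=MAX_VISIBLE_NAME_LEN):
    """Return the (name, data) pairs whose value name is longer than `limit`.

    `values` is any iterable of (name, data) tuples, i.e. what enumerating a
    single key yields. Length is measured in characters, which is how the
    advisory states the problem.
    """
    return [(name, data) for name, data in values if len(name) > limit]


def describe(name, data, limit=MAX_VISIBLE_NAME_LEN):
    """One-line summary: over the limit or not, name length, start of the
    name (the rest is usually padding) and the value data."""
    hidden = len(name) > limit
    head = name[:24] + ("..." if len(name) > 24 else "")
    return f"{'HIDDEN ' if hidden else 'visible'} len={len(name):>4} name={head!r} data={data!r}"


def enumerate_live_key(hive, subkey):
    """Yield (name, data) for every value under a key in the live Registry.

    Windows only: relies on the winreg module. A key that does not exist or
    cannot be opened simply yields nothing.
    """
    import winreg  # standard library on Windows

    roots = {"HKLM": winreg.HKEY_LOCAL_MACHINE, "HKCU": winreg.HKEY_CURRENT_USER}
    try:
        key = winreg.OpenKey(roots[hive], subkey)
    except OSError:
        return
    with key:
        index = 0
        while True:
            try:
                name, data, _kind = winreg.EnumValue(key, index)
            except OSError:  # no more values under this key
                break
            yield name, data
            index += 1


def scan_live_autostarts(limit=MAX_VISIBLE_NAME_LEN):
    """Walk AUTOSTART_KEYS on a live Windows system and return
    (key path, name, data) for every value name longer than `limit`."""
    hits = []
    for hive, subkey in AUTOSTART_KEYS:
        for name, data in find_long_value_names(enumerate_live_key(hive, subkey), limit):
            hits.append((hive + "\\" + subkey, name, data))
    return hits


# Constructed sample of what enumerating HKCU\...\Run might return on a box
# where something has planted a long-named autostart entry. Paths are made up.
SAMPLE_RUN_VALUES = [
    ("ctfmon.exe", r"C:\WINDOWS\system32\ctfmon.exe"),
    ("A" * 254, r"C:\Program Files\Example\updater.exe"),  # exactly at the limit: still shown
    ("B" * 255, r"C:\WINDOWS\Temp\svchost.exe"),           # one over: not shown
    ("C" * 300, r"C:\WINDOWS\Temp\winlogin.exe"),
]

if __name__ == "__main__":
    if sys.platform == "win32":
        hits = scan_live_autostarts()
    else:
        # No live Registry off Windows; exercise the check on the sample instead.
        hits = [("HKCU\\...\\Run (constructed sample)", n, d)
                for n, d in find_long_value_names(SAMPLE_RUN_VALUES)]
    if not hits:
        print("no over-long value names in the autostart keys checked")
    for path, name, data in hits:
        print(f"{path}: {describe(name, data)}")
```

The cutoff is left as a parameter on purpose: the advisory's figure describes the Registry Editor, and another tool may truncate at a different length, so a responder would lower `limit` to match whatever tool the rest of the team is looking through. Note the boundary case in the sample: a 254-character name passes, a 255-character name is flagged.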

2 comments:

John H. Sawyer said...

I was wondering when you would be posting about this. ;-) Will you be making your script available soon? Also, does it run under Linux? I have a modified Helix disk that I like to boot with in order to leave the hard drive untouched. I could do it under a BartPE disk, maybe, but those like to modify the hard drive times.

Keydet89 said...

John,

I'll be making the script available very soon.

As far as running under Linux...the folks who use Linux around my office have been busy and out. I'm trying to have someone test it on a Mac, as well.

Harlan