back to article Windows Registry-infecting malware has no files, survives reboots

Researchers have detailed a rare form of Windows malware that maintains infection on machines and steals data without installing files. The malware resides in the computer registry only and is therefore not easy to detect. It code reaches machines through a malicious Microsoft Word document before creating a hidden encoded …

Silver badge

"a tool Microsoft uses to hide its source code from being copied"

So, the registry is finally unveiled to be the ultimate tool in the virus writer's arsenal.

Well done, Microsoft. You alone, of all the OS vendors, have thrust this abomination of an excuse on its end users in replacement of the trusty .ini file, and now we get to see it's ultimate defilement.

Maybe we can hope to get back to text file configuration now ? I mean, apart from DRM, copyright enforcement and embedding our OS configuration with endless amounts of hidden keys that can be used for God only knows what, there's nothing the registry does that an .ini file could not do, right ?

So, can we finally declare the registry to be a security liability and get rid of it ?

Nah, won't ever happen.

Good luck with those AV tools !

115
25
Def
Silver badge

Re: "a tool Microsoft uses to hide its source code from being copied"

It's a database. Are you seriously suggesting all databases can be replaced with text files?

30
79

Re: "a tool Microsoft uses to hide its source code from being copied"

For those that missed it in the article....

"To prevent attacks like this, anti-virus solutions have to either catch the initial Word document before it is executed (if there is one), preferably before it reached the customer's email inbox."

9
0

Re: "a tool Microsoft uses to hide its source code from being copied"

"Are you seriously suggesting all databases can be replaced with text files?"

No one said that.

But I'm suggesting the registry could. It's a list of parameters. Show me anything that needs relational integrity or any other database type feature.

It's always been a buttpain. It doesn't get cleaned up properly unless you use 3rd party tools so it bloats.

And the fact that running code from it is even allowed is a serious enough flaw that it should be deprecated, locked from further use and left to die.

102
10
Anonymous Coward

Re: "a tool Microsoft uses to hide its source code from being copied"

"It's a database. Are you seriously suggesting all databases can be replaced with text files?"

Quite - databases are a far more scalable and sensible way of storing configuration informatino than flat text files.

"But I'm suggesting the registry could."

That would be a massive step backwards.

"And the fact that running code from it is even allowed is a serious enough flaw that it should be deprecated, locked from further use and left to die."

It doesnt run code from the registry. The registry entries are passed to Javascript as a process start up command.

10
43
Anonymous Coward

Re: "a tool Microsoft uses to hide its source code from being copied"

""To prevent attacks like this, anti-virus solutions have to either catch the initial Word document before it is executed (if there is one), preferably before it reached the customer's email inbox.""

Or scan the Registry - which many AV tools can do anyway.

7
9
Silver badge

Re: "a tool Microsoft uses to hide its source code from being copied"

"It doesn't get cleaned up properly unless you use 3rd party tools so it bloats." - my experience is to just let it bloat. Registry tidying tools seem to break a lot more than they fix.

31
2

Re: "a tool Microsoft uses to hide its source code from being copied"

"But I'm suggesting the registry could."

Devil's advocate...

The registry has many shortcomings, but the basic idea is sound. Some things that would be difficult or impossible to do with plain files;

* Permissions (read/write/modify) on a per-value basis.

* Ability to push changes to users or machines on a per-value basis without worrying about changing other values by overwriting an entire file, or having to deal with merging changes to an existing file.

* User/machine setting separation, with the user settings able to move with the user between machines as a single, trivially synchronised file.

These are things you miss a great deal when trying to deal with roaming users on non-windows platforms.

18
9
Anonymous Coward

Re: @mikejs

"The registry has many shortcomings, but the basic idea is sound."

Exactly! The problem is not the idea of a manageable & secureable configuration tool with a proper editor for all applications, it is the cluster-fsck of a system it ended up when it was allowed to become a general dumping ground for all sorts of crap and most of it with UUID type labels.

36
4
Roo
Facepalm

Re: "a tool Microsoft uses to hide its source code from being copied"

"Quite - databases are a far more scalable and sensible way of storing configuration informatino than flat text files."

How is the registry (which looks a lot like a directory tree) more "scalable" than a filesystem ? File systems have been capable of storing petabytes and running at Gigabytes/sec for over 15 years now, surely that should be enough for a bit of config...

FWIW one justification for the registry was that it could provide transactional consistency for the configuration data - which is nice in principle, but in practice I have not noticed a measurable improvement over the file model, YMMV.

"It doesnt run code from the registry. The registry entries are passed to Javascript as a process start up command."

Those two sentences are mutually exclusive.

30
6

Re: "a tool Microsoft uses to hide its source code from being copied"

Not "alone", really. For example, the Gnome infrastructure in Linux is based on a binary "registry" which needs specific tools to access it.

I think human-readable configuration files (even XML) are always a better and more resilient approach.

20
3
Silver badge

Re: "a tool Microsoft uses to hide its source code from being copied"

I'll grant you merge issues - but the user/machine separation is handled just find in *nix world.

/etc contains the machine defaults

Your home dir contains your preferences, which may override the machine defaults

Parameters set at run time override both...

33
2

Re: "a tool Microsoft uses to hide its source code from being copied"

There are some good concepts with the registry but I can't help but find it a bloated mess that's grown fairly organically since Windows 95. It's far from logical, especially when things are buried under layers of obscure UUIDs.

"Ability to push changes to users or machines on a per-value basis without worrying about changing other values by overwriting an entire file, or having to deal with merging changes to an existing file."

Like configuration directories, often found in Debian and its derivatives? These are such a breeze to work with. Text files are particularly brilliant if things go wrong as they don't have to be mounted in order to check them - there's a lot to be said for simplicity sometimes.

"User/machine setting separation, with the user settings able to move with the user between machines as a single, trivially synchronised file."

While not a single file, 'ix home directories do this reasonably well. In most cases I've found it creates much less headache than in Windows (e.g. restoring personal data and configuration on a reinstalled machine), but both are far from perfect. Sure sounds good in theory though!

24
1
Silver badge

Re: "a tool Microsoft uses to hide its source code from being copied" @Def

Microsoft certainly are saying that.

In DOT.NET they brought back an improved version of the INI file in the form of the .CONFIG file. It's an XML file, normally with the same name as the EXE it relates to. You can use them to store public and private configuration data just like the registry, but with less chance of a clash.

4
1
Anonymous Coward

Re: "a tool Microsoft uses to hide its source code from being copied"

"How is the registry (which looks a lot like a directory tree) more "scalable" than a filesystem ? File systems have been capable of storing petabytes and running at Gigabytes/sec for over 15 years now, surely that should be enough for a bit of config...

The would be because the Registry (basically a Btrieve database) can locate and update data many times faster than you can via parsing a flat file - regardless of what file system the text file is stored on.

The scalability advantage is even greater in dsitributed environments - where a single record can be located and updated / changed / added far faster and with less parsing and across mutliple systems than with scanning the contents of flat text files.

There are a number of other scalability and feature advantages such as inbuilt ACLs / Auditing on an per item / key basis, transactional integrity including commit and rollback, etc. etc.

5
13
Anonymous Coward

Re: "a tool Microsoft uses to hide its source code from being copied"

I think human-readable configuration files (even XML) are always a better and more resilient approach.

Certainly flat text files are LESS resilent than a database with transaction logging and commit / rollback like the Registry. Better in that they can be sometimes human readable maybe. Inferior in pretty much any other respect.

1
13
Silver badge

Re: "a tool Microsoft uses to hide its source code from being copied"

"How is the registry (which looks a lot like a directory tree) more "scalable" than a filesystem ?"

LFAU? I wouldn't appreciate losing gigabytes of storage to handle a few tens of megabytes, maybe a hundred megabytes, of configuration data.

0
6

Re: "a tool Microsoft uses to hide its source code from being copied"

"Registry tidying tools seem to break a lot more than they fix."

My favorite are the massive speed increases that are claimed.

5
0
Mushroom

Re: "a tool Microsoft uses to hide its source code from being copied"

databases are a far more scalable and sensible way of storing configuration informatino than flat text files

"scalable"? Are we now writing applications that have over 1 million configuration parameters?

If you think the registry is great, then you're a troll.

19
9
Roo
Windows

Re: "a tool Microsoft uses to hide its source code from being copied"

"The would be because the Registry (basically a Btrieve database) can locate and update data many times faster than you can via parsing a flat file - regardless of what file system the text file is stored on."

There is nothing stopping people from storing raw binary into a flat file if they wish to.

Some software uses both human readable and binary formats, using tools to convert from the human readable to machine readable format, so the human readable config only has to be parsed once. The parsing can also be done offline so there is no runtime penalty as well...

The *only* time I've found config parsing to be a serious bottleneck/problem is when XML is involved, and again people are free to choose something other than XML (and in my opinion they *should* choose anything but XML :P).

9
1
Roo
Windows

Re: "a tool Microsoft uses to hide its source code from being copied"

"LFAU? I wouldn't appreciate losing gigabytes of storage to handle a few tens of megabytes, maybe a hundred megabytes, of configuration data."

It appears that you are asserting that the registry is a good option because file systems are shit at handling small files... There are file systems that pack (multiple) small files into larger allocation units (eg: FFS), so it's technically possible to be space efficient with lots of small files...

Small files have always existed, and they will continue to exist, it's up to you whether you wish to suffer the cost imposed by a vendor's inadequate file system design.

11
1

For those that missed it in the article....

While it is true that an AV solution should catch the infected file before it executes it's payload, the questions that need to be asked are;

"Why does Microsoft still insist on the failed concept of security through obscurity?"

"Why the fuck is it possible for a word processing document to reach that deeply into the registry and affect those changes?"

21
0

Re: "a tool Microsoft uses to hide its source code from being copied"

It doesnt run code from the registry. The registry entries are passed to Javascript as a process start up command.

And that's functionally different from "running code from the registry" precisely how ??

9
0

Re: It doesn't get cleaned up properly...

You almost had that one. In fact, if I could remove the last to periods of the ellipses it would be correct.

Even third party tools don't really clean it up. Like MS, they have no better knowledge of all the crapware out there. They might do a better job than MS does at making informed guesses, but with all the crap that gets laid down in a modern MS installation and the wide dispersal of that crap, you just can't know it all and clean it up. Yes, using one is 9 times more likely to help than hurt, but it still isn't perfect.

2
0

Re: Devil's advocate...

Word had user preference files before Windows was even thought of. They worked amazingly well.

If you truly have roaming users, not only their data but their apps should be sitting on the server. Since the app is sitting on the server, there should be no need to synchronize to the machine.

At the most basic level, permissions are a text file. Obfuscating that fact only increases the typical false sense of security. And in this case it looks like the cure is worse than the disease.

6
1

Re: faster than you can via parsing a flat file -

The only reason you need the speed of a Btrieve database to update the Registry is because it is a monolithic flat file in the first place. Put the program configuration in text files in the individual program directories where they belong and it's not a problem any more. Yes, Windows would keep a ini file of the installed programs so you'd know where to look for them at install. But the only time the configuration files should be accessed is during install anyway.

9
2

Re: "a tool Microsoft uses to hide its source code from being copied"

> ... finally unveiled to be the ultimate tool in the virus writer's arsenal.

> ... thrust this abomination of an excuse on its end users in replacement of the trusty .ini file

Finally ...

Been saying this for years (since W95 came out) only to be laughed at and ridiculed by my peers.

My sincere thanks to you.

7
0
Big Brother

Re: "a tool Microsoft uses to hide its source code from being copied" @Def

@Steve Todd: "Microsoft certainly are saying that"

How exactly does this work to prevent source code from being copied?

0
0
Silver badge

Re: "a tool Microsoft uses to hide its source code from being copied"

The relevant question is whether THIS database can be replaced by text files, and the answer is "yes it can."

5
1

Re: "a tool Microsoft uses to hide its source code from being copied"

yes at their base ALL ini databases are text.

0
0

Re: "a tool Microsoft uses to hide its source code from being copied"

And Gnome software has been going to s**t latley.

0
2
Gold badge
Facepalm

Re: "a tool Microsoft uses to hide its source code from being copied"

Yeah, dunno what the blazes the reference to source code was for and it seems pretty obvious to me that an AV tool could scan the registry as easily as the file system, but why let obvious facts stand in the way of a good piece of scaremongering.

AV tools have been lagging actual malware for ages now. The AV business is a giant scam. Windows is pretty secure if you aren't a dick and use the same account protections that UNIX users have practised for decades.

Oh, and I gather there's a film at 11.

2
1
Gold badge

Re: "a tool Microsoft uses to hide its source code from being copied"

"Certainly flat text files are LESS resilent than a database with transaction logging and commit / rollback like the Registry. Better in that they can be sometimes human readable maybe. Inferior in pretty much any other respect."

/etc on UNIX systems is often kept under some kind of revision control system.

A similar system could be written for the registry, but I'm not aware of one.

Registry hives can be mounted on other systems if you want to read or recover them offline.

The registry's pre-parsed content is more efficient than plain text, but harder to include comments.

But GUIDs everywhere are just plain evil.

6
0
Gold badge

Re: For those that missed it in the article....

"Why the fuck is it possible for a word processing document to reach that deeply into the registry and affect those changes?"

Because the luser in question has loaded that document from their admin account, like everything else that they do. Sane Windows users will probably find that they are immune because the malware authors didn't bother to include a privilege escalation attack in the WORD payload.

3
1
Silver badge
Gimp

Re: "It's a database" ¿Que?

The Windose registry is a database? LMFAO. Such great data integrity and resilience. Oh well some people think Access is a db too.

Feeling even more validated as a Fanbooi after this little malware gem.

2
1

Re: "a tool Microsoft uses to hide its source code from being copied"

Not a very good database...

And according to all the XML enthusiasts, yes it could be replaced with text files.

and based on the fact that it is a key->value database, YES it could be replaced. If nothing else,a directory using a file name for a key and the contents of the file for the value.

Oh right - just like UNIX systems have used for 40 years.

9
0

This post has been deleted by its author

Re: "a tool Microsoft uses to hide its source code from being copied"

"* Permissions (read/write/modify) on a per-value basis." trivial. UNIX has done that for 40 years.

"* Ability to push changes to users..." also trivial. changing a single value can't alter any other files. And if you put multiple values in a single file then you are idiots. Use LDAP for one. cfengine for another, there are a number of alternatives.

"* User/machine setting separation, with the user settings able to move with the user between machines as a single, trivially synchronised file." Relatively trivial. It has been done on UNIX systems for at least 20 years. NIS originally, LDAP currently. Or if you want cfengine or other tools that are available.

3
2

Re: "a tool Microsoft uses to hide its source code from being copied"

Obviously you have never worked with text files.

They are faster than you think. Especially when you realize they only need to be read once by the application. So any minor delay is not worth the problems the registry causes.

4
0
Silver badge
Meh

Re: "a tool Microsoft uses to hide its source code from being copied"

@ mikejs

Move user configs ? YP/NIS properly set up could have a fully portable user environment It had some non text config though. Nothing like the thousands of lines of registry that make Windows such a hell to run regedit on. Unfortunately for we config file lovers, commercial unices have fallen in love with the XML database monster. Only a matter of time before linux becomes as bloated and obscure in its config.

1
0
Silver badge

Re: "a tool Microsoft uses to hide its source code from being copied"

"It appears that you are asserting that the registry is a good option because file systems are shit at handling small files..."

Nope, that's your assertion. I'm just trying to imagine what would happen to the file system of a regular Windows PC if it had to deal with its configuration as a billion tiny files instead of the big hulking mess that the registry is. Neither option seems satisfactory, but since Windows is extremely limited in what it understands as a file system, the registry is probably the better option there, for now at least. This doesn't mean it is a good option, and great file systems on other platforms are not particularly relevant if they're on other platforms and not where they're needed...

0
4
Holmes

Re: "a tool Microsoft uses to hide its source code from being copied"

" I'm just trying to imagine what would happen to the file system of a regular Windows PC if it had to deal with its configuration as a billion tiny files instead of the big hulking mess that the registry is."

Hmm. I rather think it'd read the configuration for the program when (if) it loads it up, like any sane person would do. The individual files are a million times smaller than the registry, so it's a doddle.

The Windows Registry is rather like memorizing the entire contents of your library instead of just looking at the table of contents for the book you want when you pick it up.

6
0
Bronze badge

Re: "a tool Microsoft uses to hide its source code from being copied" @Def

>In DOT.NET they brought back an improved version of the INI file

Perhaps they might have brought it back, if it had ever gone away. MS continued to use INI files for applications where it made sense: the important thing that changed was that the Windows API that accessed INI files was captured and pointed at the registry.

0
0
Bronze badge

Re: "a tool Microsoft uses to hide its source code from being copied"

I'm not sure I'm following you:

>UNIX has done that for 40 years.

Unix has had record locking for 40 years? The database primitives were only on the internal versions of Unix, not on the publicly released versions. Which is why open source used text files instead of databases.

>Use LDAP for one

Your LDAP store has a seperate file for every attribute?

>with the user settings able to move with the user between machines ... relatively trivial

NIS is an effective solution for trivial problems. And 20 years ago, it wasn't even that.

0
2
Silver badge
Pint

Re: "a tool Microsoft uses to hide its source code from being copied"

Data is data. There's nothing magical about "data bases". Back in the day, we wrote our own more-advanced data structures using simpler elements provided by whatever language you might be using. It should be trivial to write a utility to convert a database into a text file and back again. This is Data Structures 101, very basic.

1
0
Roo
Devil

Re: "a tool Microsoft uses to hide its source code from being copied"

"This doesn't mean it is a good option, and great file systems on other platforms are not particularly relevant if they're on other platforms and not where they're needed..."

Interestingly Wikipedia reckons that NTFS currently supports tail-packing like FFS. If MS have done the job properly you won't have to worry about small files munching all your "LFAU"s while you sleep. That's one less excuse for the Registry's existence.

0
0
Silver badge
Pint

"Registry tidying tools seem to break a lot more than they fix."

I've not yet had any problems with CCleaner; perhaps I'm holding it wrong.

It would seem to me that if there's something lurking in the Registry, a utility such as CCleaner would easily find it and fix it. Trivial.

1
3
Anonymous Coward

Re: "a tool Microsoft uses to hide its source code from being copied"

Of course yes, the *nix alternative of an endless amount of different config files, in locations of variable consistency, using formatting and structures sometimes similar, sometimes very different to each other, is most definitely the BETTER way to run something as sophisticated as a modern operating system and application stack.

2
3
FAIL

Re: "a tool Microsoft uses to hide its source code from being copied"

Or scan the Registry - which many AV tools can do anyway.

Errrr.... No. There is deliberate obsfuscation in the Registry in an effort to conceal some of the inner workings of this sorry excuse for an Operating System. There are no AV Tools that can decrypt the Registry to a sufficient extent to be able to find (and eliminate) the malicious code. Furthermore - who'd want some AV software altering the contents of the most vulnerable parts of the "Operating System"?

Incidentally, this isn't really new - there was credit-card detail stealing software that was hiding itself in the Windows 98 Registry. It was just kept quiet because it showed just how useless the AV Software actually is.....

1
2
FAIL

Re: "Registry tidying tools seem to break a lot more than they fix."

"It would seem to me that if there's something lurking in the Registry, a utility such as CCleaner would easily find it and fix it. Trivial."

Sadly, no. Besides - do you really want the innermost workings of your "Operating System" exposed to third-party software?

0
1

Page:

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Forums

Biting the hand that feeds IT © 1998–2018