Windows Registry-infecting malware has no files, survives reboots

Researchers have detailed a rare form of Windows malware that maintains infection on machines and steals data without installing files. The malware resides in the computer registry only and is therefore not easy to detect. It code reaches machines through a malicious Microsoft Word document before creating a hidden encoded …

  1. Pascal Monett Silver badge

    "a tool Microsoft uses to hide its source code from being copied"

    So, the registry is finally unveiled to be the ultimate tool in the virus writer's arsenal.

    Well done, Microsoft. You alone, of all the OS vendors, have thrust this abomination of an excuse on its end users in replacement of the trusty .ini file, and now we get to see its ultimate defilement.

    Maybe we can hope to get back to text file configuration now ? I mean, apart from DRM, copyright enforcement and embedding our OS configuration with endless amounts of hidden keys that can be used for God only knows what, there's nothing the registry does that an .ini file could not do, right ?

    So, can we finally declare the registry to be a security liability and get rid of it ?

    Nah, won't ever happen.

    Good luck with those AV tools !

    1. Def Silver badge

      Re: "a tool Microsoft uses to hide its source code from being copied"

      It's a database. Are you seriously suggesting all databases can be replaced with text files?

      1. david 63

        Re: "a tool Microsoft uses to hide its source code from being copied"

        "Are you seriously suggesting all databases can be replaced with text files?"

        No one said that.

        But I'm suggesting the registry could. It's a list of parameters. Show me anything that needs relational integrity or any other database type feature.

        It's always been a buttpain. It doesn't get cleaned up properly unless you use 3rd party tools so it bloats.

        And the fact that running code from it is even allowed is a serious enough flaw that it should be deprecated, locked from further use and left to die.

        1. heyrick Silver badge

          Re: "a tool Microsoft uses to hide its source code from being copied"

          "It doesn't get cleaned up properly unless you use 3rd party tools so it bloats." - my experience is to just let it bloat. Registry tidying tools seem to break a lot more than they fix.

          1. John Tserkezis

            Re: "a tool Microsoft uses to hide its source code from being copied"

            "Registry tidying tools seem to break a lot more than they fix."

            My favorite are the massive speed increases that are claimed.

          2. JeffyPoooh Silver badge

            "Registry tidying tools seem to break a lot more than they fix."

            I've not yet had any problems with CCleaner; perhaps I'm holding it wrong.

            It would seem to me that if there's something lurking in the Registry, a utility such as CCleaner would easily find it and fix it. Trivial.

            1. AlbertH

              Re: "Registry tidying tools seem to break a lot more than they fix."

              "It would seem to me that if there's something lurking in the Registry, a utility such as CCleaner would easily find it and fix it. Trivial."

              Sadly, no. Besides - do you really want the innermost workings of your "Operating System" exposed to third-party software?

        2. mikejs

          Re: "a tool Microsoft uses to hide its source code from being copied"

          "But I'm suggesting the registry could."

          Devil's advocate...

          The registry has many shortcomings, but the basic idea is sound. Some things that would be difficult or impossible to do with plain files;

          * Permissions (read/write/modify) on a per-value basis.

          * Ability to push changes to users or machines on a per-value basis without worrying about changing other values by overwriting an entire file, or having to deal with merging changes to an existing file.

          * User/machine setting separation, with the user settings able to move with the user between machines as a single, trivially synchronised file.

          These are things you miss a great deal when trying to deal with roaming users on non-windows platforms.

          1. Anonymous Coward

            Re: @mikejs

            "The registry has many shortcomings, but the basic idea is sound."

            Exactly! The problem is not the idea of a manageable & securable configuration tool with a proper editor for all applications, it is the cluster-fsck of a system it ended up when it was allowed to become a general dumping ground for all sorts of crap and most of it with UUID type labels.

          2. John Robson Silver badge

            Re: "a tool Microsoft uses to hide its source code from being copied"

            I'll grant you merge issues - but the user/machine separation is handled just fine in *nix world.

            /etc contains the machine defaults

            Your home dir contains your preferences, which may override the machine defaults

            Parameters set at run time override both...

          3. Maventi

            Re: "a tool Microsoft uses to hide its source code from being copied"

            There are some good concepts with the registry but I can't help but find it a bloated mess that's grown fairly organically since Windows 95. It's far from logical, especially when things are buried under layers of obscure UUIDs.

            "Ability to push changes to users or machines on a per-value basis without worrying about changing other values by overwriting an entire file, or having to deal with merging changes to an existing file."

            Like configuration directories, often found in Debian and its derivatives? These are such a breeze to work with. Text files are particularly brilliant if things go wrong as they don't have to be mounted in order to check them - there's a lot to be said for simplicity sometimes.

            "User/machine setting separation, with the user settings able to move with the user between machines as a single, trivially synchronised file."

            While not a single file, 'ix home directories do this reasonably well. In most cases I've found it creates much less headache than in Windows (e.g. restoring personal data and configuration on a reinstalled machine), but both are far from perfect. Sure sounds good in theory though!

          4. Tom 13

            Re: Devil's advocate...

            Word had user preference files before Windows was even thought of. They worked amazingly well.

            If you truly have roaming users, not only their data but their apps should be sitting on the server. Since the app is sitting on the server, there should be no need to synchronize to the machine.

            At the most basic level, permissions are a text file. Obfuscating that fact only increases the typical false sense of security. And in this case it looks like the cure is worse than the disease.

          5. oldcoder

            Re: "a tool Microsoft uses to hide its source code from being copied"

            "* Permissions (read/write/modify) on a per-value basis." trivial. UNIX has done that for 40 years.

            "* Ability to push changes to users..." also trivial. changing a single value can't alter any other files. And if you put multiple values in a single file then you are idiots. Use LDAP for one. cfengine for another, there are a number of alternatives.

            "* User/machine setting separation, with the user settings able to move with the user between machines as a single, trivially synchronised file." Relatively trivial. It has been done on UNIX systems for at least 20 years. NIS originally, LDAP currently. Or if you want cfengine or other tools that are available.

            1. david 12 Bronze badge

              Re: "a tool Microsoft uses to hide its source code from being copied"

              I'm not sure I'm following you:

              >UNIX has done that for 40 years.

              Unix has had record locking for 40 years? The database primitives were only on the internal versions of Unix, not on the publicly released versions. Which is why open source used text files instead of databases.

              >Use LDAP for one

              Your LDAP store has a separate file for every attribute?

              >with the user settings able to move with the user between machines ... relatively trivial

              NIS is an effective solution for trivial problems. And 20 years ago, it wasn't even that.

          6. Denarius Silver badge

            Re: "a tool Microsoft uses to hide its source code from being copied"

            @ mikejs

            Move user configs? YP/NIS properly set up could have a fully portable user environment. It had some non-text config though. Nothing like the thousands of lines of registry that make Windows such a hell to run regedit on. Unfortunately for us config file lovers, commercial unices have fallen in love with the XML database monster. Only a matter of time before linux becomes as bloated and obscure in its config.

        3. Tom 13

          Re: It doesn't get cleaned up properly...

          You almost had that one. In fact, if I could remove the last two periods of the ellipsis it would be correct.

          Even third party tools don't really clean it up. Like MS, they have no better knowledge of all the crapware out there. They might do a better job than MS does at making informed guesses, but with all the crap that gets laid down in a modern MS installation and the wide dispersal of that crap, you just can't know it all and clean it up. Yes, using one is 9 times more likely to help than hurt, but it still isn't perfect.

        4. Anonymous Coward

          Re: "a tool Microsoft uses to hide its source code from being copied"

          Of course yes, the *nix alternative of an endless amount of different config files, in locations of variable consistency, using formatting and structures sometimes similar, sometimes very different to each other, is most definitely the BETTER way to run something as sophisticated as a modern operating system and application stack.

          1. Maventi

            Re: "a tool Microsoft uses to hide its source code from being copied"

            "...alternative of an endless amount of different config... ..in locations of variable consistency, using formatting and structures sometimes similar, sometimes very different to each other..."

            One could be forgiven for thinking you were describing the Windows registry! I agree that in the various 'nixes that various settings can be inconsistent between applications and such, but I certainly wouldn't be holding up the registry as a shining example of how to do it better. Heck, if it were that good, .Net applications wouldn't be so obsessed with XML files for a start.

      2. Anonymous Coward

        Re: "a tool Microsoft uses to hide its source code from being copied"

        "It's a database. Are you seriously suggesting all databases can be replaced with text files?"

        Quite - databases are a far more scalable and sensible way of storing configuration information than flat text files.

        "But I'm suggesting the registry could."

        That would be a massive step backwards.

        "And the fact that running code from it is even allowed is a serious enough flaw that it should be deprecated, locked from further use and left to die."

        It doesn't run code from the registry. The registry entries are passed to Javascript as a process start up command.

        1. Roo

          Re: "a tool Microsoft uses to hide its source code from being copied"

          "Quite - databases are a far more scalable and sensible way of storing configuration information than flat text files."

          How is the registry (which looks a lot like a directory tree) more "scalable" than a filesystem ? File systems have been capable of storing petabytes and running at Gigabytes/sec for over 15 years now, surely that should be enough for a bit of config...

          FWIW one justification for the registry was that it could provide transactional consistency for the configuration data - which is nice in principle, but in practice I have not noticed a measurable improvement over the file model, YMMV.

          "It doesn't run code from the registry. The registry entries are passed to Javascript as a process start up command."

          Those two sentences are mutually exclusive.

          1. Anonymous Coward

            Re: "a tool Microsoft uses to hide its source code from being copied"

            "How is the registry (which looks a lot like a directory tree) more "scalable" than a filesystem ? File systems have been capable of storing petabytes and running at Gigabytes/sec for over 15 years now, surely that should be enough for a bit of config..."

            That would be because the Registry (basically a Btrieve database) can locate and update data many times faster than you can via parsing a flat file - regardless of what file system the text file is stored on.

            The scalability advantage is even greater in distributed environments - where a single record can be located and updated / changed / added far faster and with less parsing and across multiple systems than with scanning the contents of flat text files.

            There are a number of other scalability and feature advantages such as inbuilt ACLs / Auditing on a per item / key basis, transactional integrity including commit and rollback, etc. etc.

            1. Roo

              Re: "a tool Microsoft uses to hide its source code from being copied"

              "That would be because the Registry (basically a Btrieve database) can locate and update data many times faster than you can via parsing a flat file - regardless of what file system the text file is stored on."

              There is nothing stopping people from storing raw binary into a flat file if they wish to.

              Some software uses both human readable and binary formats, using tools to convert from the human readable to machine readable format, so the human readable config only has to be parsed once. The parsing can also be done offline so there is no runtime penalty as well...

              The *only* time I've found config parsing to be a serious bottleneck/problem is when XML is involved, and again people are free to choose something other than XML (and in my opinion they *should* choose anything but XML :P).

            2. Tom 13

              Re: faster than you can via parsing a flat file -

              The only reason you need the speed of a Btrieve database to update the Registry is because it is a monolithic flat file in the first place. Put the program configuration in text files in the individual program directories where they belong and it's not a problem any more. Yes, Windows would keep an ini file of the installed programs so you'd know where to look for them at install. But the only time the configuration files should be accessed is during install anyway.

            3. oldcoder

              Re: "a tool Microsoft uses to hide its source code from being copied"

              Obviously you have never worked with text files.

              They are faster than you think. Especially when you realize they only need to be read once by the application. So any minor delay is not worth the problems the registry causes.

          2. heyrick Silver badge

            Re: "a tool Microsoft uses to hide its source code from being copied"

            "How is the registry (which looks a lot like a directory tree) more "scalable" than a filesystem ?"

            LFAU? I wouldn't appreciate losing gigabytes of storage to handle a few tens of megabytes, maybe a hundred megabytes, of configuration data.

            1. Roo

              Re: "a tool Microsoft uses to hide its source code from being copied"

              "LFAU? I wouldn't appreciate losing gigabytes of storage to handle a few tens of megabytes, maybe a hundred megabytes, of configuration data."

              It appears that you are asserting that the registry is a good option because file systems are shit at handling small files... There are file systems that pack (multiple) small files into larger allocation units (eg: FFS), so it's technically possible to be space efficient with lots of small files...

              Small files have always existed, and they will continue to exist, it's up to you whether you wish to suffer the cost imposed by a vendor's inadequate file system design.

              1. heyrick Silver badge

                Re: "a tool Microsoft uses to hide its source code from being copied"

                "It appears that you are asserting that the registry is a good option because file systems are shit at handling small files..."

                Nope, that's your assertion. I'm just trying to imagine what would happen to the file system of a regular Windows PC if it had to deal with its configuration as a billion tiny files instead of the big hulking mess that the registry is. Neither option seems satisfactory, but since Windows is extremely limited in what it understands as a file system, the registry is probably the better option there, for now at least. This doesn't mean it is a good option, and great file systems on other platforms are not particularly relevant if they're on other platforms and not where they're needed...

                1. DryBones

                  Re: "a tool Microsoft uses to hide its source code from being copied"

                  " I'm just trying to imagine what would happen to the file system of a regular Windows PC if it had to deal with its configuration as a billion tiny files instead of the big hulking mess that the registry is."

                  Hmm. I rather think it'd read the configuration for the program when (if) it loads it up, like any sane person would do. The individual files are a million times smaller than the registry, so it's a doddle.

                  The Windows Registry is rather like memorizing the entire contents of your library instead of just looking at the table of contents for the book you want when you pick it up.

                2. Roo

                  Re: "a tool Microsoft uses to hide its source code from being copied"

                  "This doesn't mean it is a good option, and great file systems on other platforms are not particularly relevant if they're on other platforms and not where they're needed..."

                  Interestingly Wikipedia reckons that NTFS currently supports tail-packing like FFS. If MS have done the job properly you won't have to worry about small files munching all your "LFAU"s while you sleep. That's one less excuse for the Registry's existence.

        2. Anonymous Bullard

          Re: "a tool Microsoft uses to hide its source code from being copied"

          databases are a far more scalable and sensible way of storing configuration information than flat text files

          "scalable"? Are we now writing applications that have over 1 million configuration parameters?

          If you think the registry is great, then you're a troll.

        3. Mike Pellatt

          Re: "a tool Microsoft uses to hide its source code from being copied"

          It doesn't run code from the registry. The registry entries are passed to Javascript as a process start up command.

          And that's functionally different from "running code from the registry" precisely how ??

      3. Steve Todd

        Re: "a tool Microsoft uses to hide its source code from being copied" @Def

        Microsoft certainly are saying that.

        In DOT.NET they brought back an improved version of the INI file in the form of the .CONFIG file. It's an XML file, normally with the same name as the EXE it relates to. You can use them to store public and private configuration data just like the registry, but with less chance of a clash.

        1. Anonymous Coward

          Re: "a tool Microsoft uses to hide its source code from being copied" @Def

          @Steve Todd: "Microsoft certainly are saying that"

          How exactly does this work to prevent source code from being copied?

        2. david 12 Bronze badge

          Re: "a tool Microsoft uses to hide its source code from being copied" @Def

          >In DOT.NET they brought back an improved version of the INI file

          Perhaps they might have brought it back, if it had ever gone away. MS continued to use INI files for applications where it made sense: the important thing that changed was that the Windows API that accessed INI files was captured and pointed at the registry.

      4. tom dial Silver badge

        Re: "a tool Microsoft uses to hide its source code from being copied"

        The relevant question is whether THIS database can be replaced by text files, and the answer is "yes it can."

      5. channel extended

        Re: "a tool Microsoft uses to hide its source code from being copied"

        yes at their base ALL ini databases are text.

      6. Scroticus Canis Silver badge

        Re: "It's a database" ¿Que?

        The Windose registry is a database? LMFAO. Such great data integrity and resilience. Oh well some people think Access is a db too.

        Feeling even more validated as a Fanbooi after this little malware gem.

        1. Anonymous Coward

          Re: "It's a database" ¿Que?

          > The Windose registry is a database?

          Yes it is. A database is defined as "a structured set of data held in a computer, especially one that is accessible in various ways."

          Your .ini files are also databases, so are XML files, most of the stuff under /etc (and their per-user counterparts when applicable), and so on.

          I have no idea what a "Fanbooi" is, but if you use a computer system of any description, your user preferences and configuration data will be stored in a structured way, i.e., in a database of some type or another.

      7. oldcoder

        Re: "a tool Microsoft uses to hide its source code from being copied"

        Not a very good database...

        And according to all the XML enthusiasts, yes it could be replaced with text files.

        and based on the fact that it is a key->value database, YES it could be replaced. If nothing else, a directory using a file name for a key and the contents of the file for the value.

        Oh right - just like UNIX systems have used for 40 years.

      8. This post has been deleted by its author

      9. JeffyPoooh Silver badge

        Re: "a tool Microsoft uses to hide its source code from being copied"

        Data is data. There's nothing magical about "data bases". Back in the day, we wrote our own more-advanced data structures using simpler elements provided by whatever language you might be using. It should be trivial to write a utility to convert a database into a text file and back again. This is Data Structures 101, very basic.

    2. lansalot

      Re: "a tool Microsoft uses to hide its source code from being copied"

      For those that missed it in the article....

      "To prevent attacks like this, anti-virus solutions have to either catch the initial Word document before it is executed (if there is one), preferably before it reached the customer's email inbox."

      1. Anonymous Coward

        Re: "a tool Microsoft uses to hide its source code from being copied"

        ""To prevent attacks like this, anti-virus solutions have to either catch the initial Word document before it is executed (if there is one), preferably before it reached the customer's email inbox.""

        Or scan the Registry - which many AV tools can do anyway.

        1. AlbertH

          Re: "a tool Microsoft uses to hide its source code from being copied"

          Or scan the Registry - which many AV tools can do anyway.

          Errrr.... No. There is deliberate obfuscation in the Registry in an effort to conceal some of the inner workings of this sorry excuse for an Operating System. There are no AV Tools that can decrypt the Registry to a sufficient extent to be able to find (and eliminate) the malicious code. Furthermore - who'd want some AV software altering the contents of the most vulnerable parts of the "Operating System"?

          Incidentally, this isn't really new - there was credit-card detail stealing software that was hiding itself in the Windows 98 Registry. It was just kept quiet because it showed just how useless the AV Software actually is.....

      2. MrDamage

        For those that missed it in the article....

        While it is true that an AV solution should catch the infected file before it executes its payload, the questions that need to be asked are:

        "Why does Microsoft still insist on the failed concept of security through obscurity?"

        "Why the fuck is it possible for a word processing document to reach that deeply into the registry and effect those changes?"

        1. Ken Hagan Gold badge

          Re: For those that missed it in the article....

          "Why the fuck is it possible for a word processing document to reach that deeply into the registry and effect those changes?"

          Because the luser in question has loaded that document from their admin account, like everything else that they do. Sane Windows users will probably find that they are immune because the malware authors didn't bother to include a privilege escalation attack in the WORD payload.

      3. Ken Hagan Gold badge

        Re: "a tool Microsoft uses to hide its source code from being copied"

        Yeah, dunno what the blazes the reference to source code was for and it seems pretty obvious to me that an AV tool could scan the registry as easily as the file system, but why let obvious facts stand in the way of a good piece of scaremongering.

        AV tools have been lagging actual malware for ages now. The AV business is a giant scam. Windows is pretty secure if you aren't a dick and use the same account protections that UNIX users have practised for decades.

        Oh, and I gather there's a film at 11.

    3. Steve Graham

      Re: "a tool Microsoft uses to hide its source code from being copied"

      Not "alone", really. For example, the Gnome infrastructure in Linux is based on a binary "registry" which needs specific tools to access it.

      I think human-readable configuration files (even XML) are always a better and more resilient approach.

      1. Anonymous Coward

        Re: "a tool Microsoft uses to hide its source code from being copied"

        I think human-readable configuration files (even XML) are always a better and more resilient approach.

        Certainly flat text files are LESS resilient than a database with transaction logging and commit / rollback like the Registry. Better in that they can be sometimes human readable maybe. Inferior in pretty much any other respect.

        1. Ken Hagan Gold badge

          Re: "a tool Microsoft uses to hide its source code from being copied"

          "Certainly flat text files are LESS resilient than a database with transaction logging and commit / rollback like the Registry. Better in that they can be sometimes human readable maybe. Inferior in pretty much any other respect."

          /etc on UNIX systems is often kept under some kind of revision control system.

          A similar system could be written for the registry, but I'm not aware of one.

          Registry hives can be mounted on other systems if you want to read or recover them offline.

          The registry's pre-parsed content is more efficient than plain text, but harder to include comments.

          But GUIDs everywhere are just plain evil.
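The point made earlier in this thread that the infection's registry entries are handed to a script host as a process start-up command, and Ken Hagan's remark just above that /etc is often kept under revision control and that something similar could be written for the registry, both point at the same defensive check: keep a baseline export of the autostart keys and diff it against a fresh one. The script below is an added example for this page, not code from the article or from any commenter. It parses two regedit exports (constructed samples embedded inline, with a placeholder in place of any real script), reports what was added, removed or changed, and gives a triage reason for new values that pass a javascript: or vbscript: URL on the command line, start a script host, or hold a raw byte blob. The host list and the reasons are this example's own heuristics, not any product's detection logic.

```python
"""Diff two regedit exports of an autostart key and triage new values.
Added example for this thread, not code from the article or any commenter.
Assumes regedit .reg export syntax; the triage heuristics are this example's own."""
import re
from typing import Dict, Optional, Tuple

# Constructed sample: the HKCU Run key exported from a machine believed clean.
BASELINE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
'''

# Constructed sample: the same key exported later, with two new values: one hands a
# javascript: URL to a script host as the start-up command, the other is a raw byte blob.
CURRENT_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"Updater"="mshta \"javascript:CONSTRUCTED_PLACEHOLDER\""
@=hex:de,ad,be,ef,\
  00,01,02,03
'''

VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')   # "name"=data  or  @=data
SCRIPT_HOSTS = {'mshta', 'wscript', 'cscript', 'powershell', 'rundll32'}   # example's own list


def _unescape(s: str) -> str:
    """Undo regedit's backslash escaping of quotes and backslashes."""
    return re.sub(r'\\(.)', r'\1', s)


def _decode(data: str) -> str:
    """Right-hand side of a .reg line -> comparable string (REG_SZ, REG_DWORD, hex*)."""
    if data.startswith('"') and data.endswith('"'):
        return _unescape(data[1:-1])
    if data.startswith('dword:'):
        return str(int(data[6:], 16))
    if data.startswith('hex'):                    # hex:, hex(2):, hex(7): ... byte lists
        body = data.split(':', 1)[1]
        return 'hex:' + bytes(int(b, 16) for b in body.split(',') if b).hex()
    return data                                   # '-' (delete marker) or unknown type


def parse_reg(text: str) -> Dict[Tuple[str, str], str]:
    """Parse a .reg export into {(key path, value name): data}; '' names the default value."""
    entries, key, lines, i = {}, None, text.splitlines(), 0
    while i < len(lines):
        line = lines[i].strip()
        i += 1
        if not line or line.startswith(';') or line.startswith('Windows Registry Editor'):
            continue
        if line.startswith('[') and line.endswith(']'):
            key = line[1:-1]
            continue
        m = VALUE_RE.match(line)
        if m is None or key is None:
            continue
        data = m.group(2)
        while data.endswith('\\') and i < len(lines):   # hex data wraps with a trailing backslash
            data = data[:-1] + lines[i].strip()
            i += 1
        name = _unescape(m.group(1)) if m.group(1) is not None else ''
        entries[(key, name)] = _decode(data)
    return entries


def launched_exe(cmd: str) -> str:
    """Program name (no path, no .exe) at the front of a command line, honouring quotes."""
    cmd = cmd.strip()
    first = cmd[1:cmd.index('"', 1)] if cmd.startswith('"') and '"' in cmd[1:] else cmd.split(' ')[0]
    exe = first.rsplit('\\', 1)[-1].lower()
    return exe[:-4] if exe.endswith('.exe') else exe


def why_suspicious(data: str) -> Optional[str]:
    """Triage reason for an autostart value, or None for a plain program launch."""
    low = data.lower()
    if 'javascript:' in low or 'vbscript:' in low:
        return 'script URL passed on the command line'
    if low.startswith('hex:'):
        return 'binary blob in an autostart value'
    if launched_exe(data) in SCRIPT_HOSTS:
        return 'launches script host ' + launched_exe(data)
    return None


def review(baseline_text: str, current_text: str) -> dict:
    """Diff two exports (a poor man's revision control) and triage what changed."""
    base, cur = parse_reg(baseline_text), parse_reg(current_text)
    added = sorted(set(cur) - set(base))
    removed = sorted(set(base) - set(cur))
    changed = sorted(k for k in set(base) & set(cur) if base[k] != cur[k])
    findings = [(k[1], why_suspicious(cur[k])) for k in added + changed if why_suspicious(cur[k])]
    return {'added': added, 'removed': removed, 'changed': changed, 'findings': findings}


if __name__ == '__main__':
    for section, items in review(BASELINE_REG, CURRENT_REG).items():
        print(section, items)
```

Run as-is it diffs the two embedded samples; in practice the inputs would be `regedit /e` exports of the Run, RunOnce and similar keys taken at different times. The limits matter for the argument in this thread: the script only compares what regedit could export, so a value that cannot be read through the normal API shows up in neither snapshot, and a baseline taken after infection simply hides the entry.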

      2. channel extended

        Re: "a tool Microsoft uses to hide its source code from being copied"

        And Gnome software has been going to s**t lately.

    4. oiseau

      Re: "a tool Microsoft uses to hide its source code from being copied"

      > ... finally unveiled to be the ultimate tool in the virus writer's arsenal.

      > ... thrust this abomination of an excuse on its end users in replacement of the trusty .ini file

      Finally ...

      Been saying this for years (since W95 came out) only to be laughed at and ridiculed by my peers.

      My sincere thanks to you.

    5. Inachu

      Re: "a tool Microsoft uses to hide its source code from being copied"

      The sad part is there are some so called pc nerds who say sure the registry can hold binary data but can not run from the registry.

      WHO ARE THEY FOOLING!

      Amateurs at Anandtech computer tech forum think they know who that security researchers who have been doing this for years and I myself have witnessed such binary data in the system registry running and reinfecting networked computers and the infection of the binary did not need any helping file on the C: drive. I could possibly agree to maybe there was a root kit. But nothing any amateur could find.

  2. Destroy All Monsters Silver badge

    What happened to Microsoft's lauded "Security From the Ground Up" initiative?

    Marketing wants more complexity and nice colors. Engineering is bitching and moaning about it. The guys in charge have no clue what a computer is all about.

    1) Marketing is important, it brings in the bacon and throws mightily good parties

    2) Engineering are boring nerds who can be bought with a few cookies or the threat of outsourcing

    3) The guys in charge ... are the guys in charge.

    PLAYMOBILIZE IT!

    1. Tom 13

      Re: What happened to Microsoft's lauded "Security From the Ground Up" initiative?

      Well, if they had told the truth, even the fools wouldn't have believed them:

      "New and Improved!! Security from the Ground Down!"

      We dug a new hole in which to hide our obscure information, and moved all the critical bits there. This time the miscreants really won't be able to find it.

  3. Khaptain Silver badge

    No files ?

    Then what is the word document if it is not a file ? Even if the word document is opened in memory and although it doesn't exist on disk it still resides as a "file" in memory. Albeit a very ephemeral file.

    Please correct me if I have misunderstood the concept.

    1. A Non e-mouse Silver badge

      Re: No files ?

      The Word document is just the infection route. Once the payload is in the Registry, no file is needed as the payload is run directly from the Registry.

      1. stucs201

        Re: No files ?

        Is the registry not ultimately stored in a file?

        Surely this only gives a short time where it won't be spotted. Scanners will just start to take a little longer once they're updated to start looking in the registry too, either via the API or by decoding the file(s?) it's stored in directly.

        1. Matt Siddall

          Re: No files ?

          Given the likelihood of false positives, I'm not sure I like the idea of AV solutions checking the registry as well. If they screw that up (and they will) the machine could easily be bricked.

          1. fandom Silver badge

            Re: No files ?

            AV programs have been scanning the registry for some time now.

            1. AlbertH
              Mushroom

              Re: No files ?

              "AV programs have been scanning the registry for some time now."

              Only the parts that are readable to you. They can't read the larger part of the Registry because it's deliberately obfuscated. The malware is written to the obfuscated part of the Registry, of course.

              Remember - all "Anti-Virus" software is reactive and will invariably lag months behind the development of new malware. Remember too that it's trivially easy to write malware for Windows - it's always been (effectively) Open Season, because the fundamental structure of the "OS" is entirely wrong.

              A series of stupendously stupid decisions made by the infamously stupid Bill Gates back in the 80s - placing "Ease Of Use" above every other possible value - has made every version of Windoze vulnerable to simple attack.

              [Sue me if you disagree, Bill - you know where I am!]

        2. Anonymous Coward
          Anonymous Coward

          Re: No files ?

          "Is the registry not ultimately stored in a file?"

          Yes, but it is also above-root permissions because it has DRM functions.

          Can't have the owner/administrator of the computer being in charge now, can we?

        3. petur
          Mushroom

          Re: No files ?

          "Is the registry not ultimately stored in a file?"

          Waiting for the first AV program to detect a virus in the registry and thus to delete the file :D

        4. Tom 13

          Re: Surely this only gives a short time where it won't be spotted.

          I wouldn't count on that.

          Remember, the AV guys have to play by the rules MS establishes for third party vendors. They may have a better deal than MOST third party vendors, but MS still won't let them muck around with parts of the registry. The malware miscreants are under no such restrictions.

          1. Jack of Shadows Silver badge

            Re: Surely this only gives a short time where it won't be spotted.

            Spybot Search & Destroy (safer-networking.org ONLY) has been doing this kind of mucking with the registry since the late 1990s. Catches a whole lot else out there, offers some immunization, and works. Lastly, you can un-muck if needed.

            Disclaimer: None/no connection, just been using it since forever.

      2. Anonymous Coward
        Anonymous Coward

        Re: No files ?

        "The Word document is just the infection route. Once the payload is in the Registry, no file is needed as the payload is run directly from the Registry".

        Nevertheless, the original Word document presumably remains on the system. So there IS a file to look for, after all.

        1. Anonymous Coward
          Anonymous Coward

          Re: No files ?

          Perhaps the document self-destructs, removing that lead?

          1. Anonymous Coward
            Anonymous Coward

            Re: No files ?

            > Perhaps the document self-destructs, removing that lead?

            User Idiot opens email attachment - Registry infected - Idiot closes attachment and deletes email. No files left for AV to scan.

            1. Anonymous Coward
              Anonymous Coward

              Re: No files ?

              @Condiment

              Computer users whose level of sophistication is below yours are not "idiots". In the same way that you should not be called an idiot just because you are less skilled in some field compared to someone else.

              I've always held that we, developers, are the idiots, given that we seem utterly unable to design systems that do not confuse users, and do exactly what users want, no more and no less. I shall keep trying though.

        2. Anonymous Coward
          Anonymous Coward

          Re: No files ?

          Would the two down-voters please explain what they object to, or disagree with, in my post? These comment threads are, after all, meant to be a vehicle for reasoned discussion. There's no point down-voting a comment if no one knows why, or understands why you didn't like it.

        3. Hans 1 Silver badge
          Facepalm

          Re: No files ?

          @Tom Welsh

          >Would the two down-voters please explain what they object to, or disagree with, in my post? These comment threads are, after all, meant to be a vehicle for reasoned discussion. There's no point down-voting a comment if no one knows why, or understands why you didn't like it.

          I did not bother down-voting you, but you think you're a smart ass, right ???? You moan cause you're getting down votes, oh, how sad ... I feel for you, really ... I am about to cry now .... Now, listen, it does not matter if the word document remains on the drive or not, that file is not executed each time the malware loads itself into memory so it does not count. IT IS NOT THE EXE WITH THE VIRUS, IT IS THE VECTOR.

          The article claims no file is executed to load the virus into memory each time the system reboots.

          So, you got it wrong, there happy ? You asked for it!

          1. Anonymous Coward
            Anonymous Coward

            @Hans 1 (Re: No files ?)

            "The article claims no file is executed to load the virus into memory each time the system reboots".

            As I suspected, it is you who got it wrong. Please quote the exact words in which the article "claims no file is executed to load the virus into memory each time the system reboots".

            The headline says, "Windows Registry-infecting malware has no files, survives reboots". Nope, that ain't it. Although, as several other comments have pointed out, the headline is inaccurate as the attack does use a file.

            The first sentence reads, "Researchers have detailed a rare form of Windows malware that maintains infection on machines and steals data without installing files". Nope, not that either. It says nothing about execution or loading a virus. (Note that "installing files" is slightly different from somehow using a file, as the attack apparently does).

            Paul Rascagneres is quoted as saying "All activities are stored in the registry. No file is ever created". However it is perfectly obvious that a file IS created: the Microsoft Word document. I have never heard of such a document that did not reside in a file. What he perhaps meant to say was that the exploit code persists across reboots by being stored in the registry, rather than in a newly created file.

            Rascagneres then confuses the issue still more by continuing, "To prevent attacks like this, anti-virus solutions have to either catch the initial Word document before it is executed (if there is one)..." But the only attack he has described (according to the article, at least) is one that involves a Word document. If there is no Word document, then (a) he is talking about an entirely different attack, and (b) it apparently works by magic, with no vector.

            I don't think I'm a smart ass. I just try to think logically and make sense of the facts and statements that I read. Thanks for explaining your train of thought; now I can see where we differ, although I wish you could have done so more politely.

            1. Anonymous Coward
              Anonymous Coward

              Re: @Hans 1 (No files ?)

              > But the only attack he has described (according to the article, at least) is one that involves a Word document.

              It does not mean that is the only possible attack vector, just the only one he explored.

  4. ukgnome Silver badge
    Paris Hilton

    And now you have infected me

    because I read it on here

    Paris, obvs - >

  5. Anonymous Coward
    Anonymous Coward

    so I assume someone knows of a reg editor that can read non ascii ?

    1. Naughtyhorse
      Joke

      reg editor

      I would hope that all editors on this site could read non ascii

    2. Paul 129
      Thumb Up

      YES

      Well Almost :-)

      Hivex, read and write a registry structure. Registry permissions aren't an issue

      Removed something like this a couple of months ago. Still had a dll driver that kept putting the registry entry back.

      Always said the registry was the cause of all evil. Been blasted here for my comments. BTrees and a faster registry has just allowed more cruft to collect there.

      Downvote this if you think the registry is Simple, Straight forward, Elegant or Well documented.

  6. dajames Silver badge
    Angel

    This is silly.

    If the virus code is capable of writing registry entries with non-ASCII keys -- and of getting Windows to access these keys -- to effect an infection then it must also be possible for anti-virus code to look for these keys (or any suspicious keys in critical places) and disable them.

    If regedit can't access these keys then that's probably just a limitation of regedit's GUI.

    As with any new virus, the anti-virus products will have to play catch-up until a working remedy can be made available, but the fact that the infection here uses the registry rather than normal files changes nothing.

    Many current malware scanners already scan the registry for entries that identify spyware and adware, so this is nothing new.

    1. Tony Paulazzo

      Re: This is silly.

      Many current malware scanners already scan the registry for entries that identify spyware and adware, so this is nothing new.

      I think El Reg needs to update this story, it kind'a feels like a scare mongering story, since the above is (and has been) true for some time. Unless the code is so obfuscated that nothing can touch it once installed - code within code within code, this is actually a non story... or the end of Windows as we know it! El Reg?

      1. Frankee Llonnygog

        Re: This is silly.

        Insecurity through obfuscation. Oh, the irony

      2. Tromos

        Re: This is silly.( @Tony Paulazzo)

        No, it was Windows 8 that was the end of Windows as we know it.

    2. Forget It

      Re: This is silly.

      Agreed

      I think MalwareBytes has been looking into hidden register values for years.

      1. AlbertH
        Alert

        Re: This is silly.

        "I think MalwareBytes has been looking into hidden register values for years."

        You're wrong. It might look at a few of the normally readable Registry entries, but won't get to the system-level stuff - which is where the malware gets concealed.

        This and the next couple of Cryptolocker attacks are going to render Windows entirely useless.

        Sell your stock now!

    3. david 12 Bronze badge

      Re: This is silly.

      >If regedit can't access these keys then that's probably just a limitation of regedit's GUI.

      Yes, regedit only correctly displays keys that a user can edit correctly. And instead of crashing, or crashing and destroying the registry, or allowing you to write garbage to keys that aren't in the expected format, it does not show those keys -- though you can still read and write through the standard API.

      There are actually 'hidden' keys as well. (And 'encrypted' keys.) Windows copy protection/registration data is stored in a section of the registry that users don't normally have access to. Example 'hidden' keys are HKEY_LOCAL_MACHINE\SECURITY and HKEY_LOCAL_MACHINE\SAM.

      The security implications of having keys and values, or INI files, that an ordinary user can't find and examine are well known. The suggestion that any modern Linux distribution has transparent and meaningful configuration files that an ordinary user can examine and alter would be laughable if it wasn't so patently arrogant and dishonest.

  7. Martijn Otto

    What I don't get

    is how this stuff gets executed. You have some non-ascii encoded cruft in your registry. You have a key in your registry creating an autostart entry to be ran at boot-time.

    How does this autostart entry get to this non-ascii encoded cruft? Can an autostart entry refer to another registry key? Somehow it seems Microsoft left a door ajar somewhere waiting for it to be exploited.

    1. TheOtherHobbes

      Re: What I don't get

      >Somehow it seems Microsoft left a door ajar somewhere waiting for it to be exploited.

      Funny how that seems to happen. A lot.

    2. Anonymous Coward
      Anonymous Coward

      Re: What I don't get

      >Can an autostart entry refer to another registry key?

      Yes, a value may refer to another value. In a previous life as a database programmer, I used this common feature of common database systems quite a lot.

      1. Martijn Otto

        Re: What I don't get

        Can your database system then execute the binary data being referred to without having an external file somewhere on the filesystem?

        1. david 12 Bronze badge

          Re: What I don't get

          > Can your database system then execute the binary data being referred to without having an external file somewhere on the filesystem? <

          In the obvious sense, this is a description of what a "relational" database is, by definition. But I'm sure that by 'binary' you mean something like 'encrypted' or 'encoded'. And yes, since a relational database system can execute code stored in the database, it can execute code to un-encrypt and un-encode programs stored in the database, and then execute that code.

          Some old simple non-relational database systems lacked the ability to do that. Turn-of-the-century database systems presented a malware-surface because of that ability. New, modern database systems are sand-boxed to prevent that from affecting your wider system.

          It would be nonsensical to suggest that a system-configuration database could be 'sandboxed' from the system it is meant to configure, so the solution must lie either in reducing the capability of your computer system (for example by using a limited flat-file database system) or in hardening the system to prevent re-configuration in undesired and hidden ways.

    3. Fatman Silver badge

      Re: What I don't get

      Somehow it seems Microsoft left a door ajar somewhere waiting for it to be exploited for the NSA to exploit.

      FTFY!!!!

  8. Mystic Megabyte Silver badge
    Linux

    Treacle OS

    I never did understand why any Windows program could write a whole load of crap into the registry.

    Remember those AOL CDs that came in the post every week? If you were daft enough to install one a search of the registry revealed AOL in a zillion places, even after uninstalling it!

    I got annoyed with the inevitable slow-down of my PC and moved to Linux after XP.

    As mentioned above, MS's collusion with Hollywood and DRM was their downfall. I want to be the admin of my own machine.

    1. This post has been deleted by its author

    2. Anonymous Coward
      Anonymous Coward

      Re: Treacle OS

      "Remember those AOL CDs that came in the post every week? If you were daft enough to install one a search of the registry revealed AOL in a zillion places, even after uninstalling it!"

      Just imagine how much worse it would be if all that cruft was now added to the config files in Linux!

      "As mentioned above, MS's collusion with Hollywood and DRM was their downfall. I want to be the admin of my own machine."

      I find it far easier to bypass such DRM and find stuff that plays my content on Windows - Linux is quite often a real PITA to watch stuff on.

      1. jason 7
        Meh

        Re: Treacle OS

        Indeed and then everyone moves to Linux...what happens then?

        Linux becomes bedevilled with the issues Windows has now.

        That's the price you pay for going mainstream.

        1. Anonymous Coward
          Anonymous Coward

          Re: Treacle OS

          That's the price you pay for going mainstream.

          Yes, the bulk of users are idiots.

          The vast majority of Windows users are the ones who give us technical windows users a bad reputation.

          Sure, Windows has its faults - but they are exaggerated due to its inept user-base.

          1. jason 7

            Re: Treacle OS

            "Yes, the bulk of users are idiots."

            Yep, transpose 90% of Windows users over to Linux or OSX overnight and watch the carnage continue as though nothing had happened.

            1. Roo
              Windows

              Re: Treacle OS

              "Yep, transpose 90% of Windows users over to Linux or OSX overnight and watch the carnage continue as though nothing had happened."

              I suspect that you will find that about 10% of that 90% have already migrated to OSX/iOS, of those maybe half would be folks who were beaten into retreat by Windows, the other half would be techies who like stuff that works well and looks nice.

              The thing is, even if there is massive carnage happening in OSX/iOS land I can ignore it because the potholes are being dug in departed Steve's FruitLoop Lawn.

              For that matter in Linux land it's always carnage, same with OpenBSD land too, however for the Open source projects a much higher proportion of the carnage (aka R&D) makes its way to the outside world (for better or worse).

              Retrospectively I am glad that Microsoft have been around, but I would have preferred it if they chose to compete via innovation rather than domination. For example, they were talking about delivering WinFS (a FrankenFileSystem consisting of a database engine with a file system API bolted to its neck) in 1996 with Cairo... They failed and failed again with Longhorn. Clearly this feature has been eagerly awaited because some developers have been using the Registry as a WinFS instance all these years anyway... :)

            2. Anonymous Coward
              Anonymous Coward

              Re: Treacle OS

              "transpose 90% of Windows users over to Linux or OSX overnight and watch the carnage continue as though nothing had happened."

              Or even get worse. Both Linux and OS-X have had more known security holes in recent years than current Windows versions.

          2. Hans 1 Silver badge
            Windows

            Re: Treacle OS

            The Windows ecosystem is full of idiots up there in the 90% ... I think the knowledgeable windows guyz are the worst, they have no excuse ... the others ? They do not know any better.

            Window cleaners and surface specialists allowed near computers!

        2. AlbertH
          Facepalm

          Re: Treacle OS

          "Linux becomes bedevilled with the issues Windows has now.

          That's the price you pay for going mainstream."

          I'll use small words, so that the Windows users can understand:

          Linux is so basically different that the many kinds of malware that afflict all versions of Windows cannot work. To infect a Linux machine with a virus (yes, it is possible), you actually have to deliberately install it yourself! Even then, it will only affect your own files - not the underlying system or other users' files.

          Hopefully, this will end this Windows nonsense for good!

          1. Anonymous Coward
            Anonymous Coward

            Re: Treacle OS

            "Linux is so basically different that the many kinds of malware that afflict all versions of Windows cannot work. To infect a Linux machine with a virus (yes, it is possible), you actually have to deliberately install it yourself! Even then, it will only affect your own files - not the underlying system or other user's files."

            Two words: CODE RED. It was a Linux worm and was able to spread in spite of its safeguards.

            In any event, it differs in kind but not in degree to pwn a Linux box without user intervention. You need to (1) locate an open port (given the port-centric nature of many UNIX services, you're likely to find at least one), (2) exploit it to reach some kind of user-level control (happens all the time), and (3) employ a privilege escalation to gain root access (happens, too).

          2. Anonymous Coward
            Anonymous Coward

            Re: Treacle OS

            "Linux is so basically different that the many kinds of malware that afflict all versions of Windows cannot work. To infect a Linux machine with a virus (yes, it is possible), you actually have to deliberately install it yourself! Even then, it will only affect your own files - not the underlying system or other user's files."

            You are deluded and / or poorly informed. In several ways Linux's security design is actually inferior to Windows - for instance no proper support for constrained delegation and insecure bodges like SUDO to work around it. You might want to Bing "Morris Worm", "Linux.Darlloz", "Linux/Slapper" for several examples of what can happen on *Nix platforms without deliberately installing anything!

            "Two words: CODE RED. It was a Linux worm and was able to spread in spite of its safeguards."

            Erm - no - pretty sure that one was on Windows?!

      2. Anonymous Coward
        Anonymous Coward

        Re: Treacle OS

        The comment of a typical Windows user...

        1. jason 7

          Re: Treacle OS

          Not really. Just not being naive about anything that goes totally mainstream. When that happens so does compromise.

          Linux could go mainstream for laptops/desktops...in ChromeOS/Chromebooks but I bet that's not the end result the Linux community was always hoping for.

          Mainstream.

      3. Marcelo Rodrigues

        Re: Treacle OS

        "Just imagine how much worse it would be if all that cruft was now added to the config files in Linux!"

        $HOME/.aol/*

        /etc/aol/*

        rm -r /etc/aol/ $HOME/.aol/*

        Done. Next.

    3. Anonymous Coward
      Anonymous Coward

      Re: Treacle OS

      Looking at the downvotes, there are quite a few AOL fans on here..

      1. Anonymous Coward
        Anonymous Coward

        Re: Treacle OS

        You sure it's AOL and not MS?

        There is a common trend here: any related topic that slates MS and is followed by an accurate representation of the reality by fellow ElReg commentators is usually slapped down with down votes..

        Glad I stopped using it since it's obvious where all that money is being spent..

        Redmond Rota:

        1. get in

        2. google searches for related headlines

        3. Found any headlines that slams MS ?

        4. any negativity ?

        5. Downvoted ?

        6. If yes bonus in the next wage pack

        7. If no p45 is in Billy Gates old office waiting

  9. Anonymous Coward
    Anonymous Coward

    Config files just work

    Config files are about a million times better than the clusterfuck that is the windows registry. Allow me to list their advantages:

    - they allow machine level defaults to be established, with user level overrides.

    - they're human readable.

    - they allow mixing of data and information and examples. Most config files are self documenting, packed with comments and examples that tell you how to configure the app. When'd you last see a cryptic registry entry that had some help embedded?

    - they don't allow things to be hidden or obfuscated like the registry and its UUID and hidden pages and binary values bullshit.

    - they can't be corrupted or broken, like the Windows registry tends to get.

    - they can be selectively backed up and restored. If an app is misbehaving for a user, you can pull their config from a week ago. Try doing that easily with a registry, if you even knew what branches and keys needed restoring.

    - apps can't mess with other apps' config settings, or add malicious keys or startup apps.

    - getting rid of an app's config is as simple as removing its directory/file in /etc or its dotfile in your home dir. Try getting rid of an app that's vomited all over the registry.

    - they play nice with source control systems. Stick your /etc into svn and you have effortless, incredibly strong configuration management. Try doing that with apps that spew cryptic registry keys, all constantly changing.

    - they're not proprietary, can be read and edited by anyone. Has Microsoft even documented the registry file format, or are all the registry editors just guessing from reverse engineering them?

    That's just off the top of my head. There's probably loads more reasons.

    1. Anonymous Coward
      Anonymous Coward

      Re: Config files just work

      I read that down to

      >- they can't be corrupted or broken,

      -- and then I came here to write this. If you are seriously suggesting that you never had a broken Linux system that you fixed after weeks of part time work when you found some entry in a config file that some configuration script had written, that had broken your display, or your sound, or your keyboard, or your network card or some other damn thing, then

      you must be a very young person.

    2. Just Enough

      Re: Config files just work

      And here are the downsides:

      - they work to a thousand different formats and standards. Every application is free to devise its own format.

      - there are no naming standards. Every config file can be called anything the application wants.

      - there are no location standards. Every application can hide its config files where-ever it wants.

      - end functionality may depend on the settings from an undetermined number of separate config files.

      So, should you ever be unlucky enough to need to modify a config file you have to:

      - discover if indeed there is a config file with what you need to alter

      - find out what it's called. Remember this may be different on every installation. Feel free to guess what it might be.

      - find out where it's kept. Remember this may be different on every installation. Finding the file is no guarantee that the application is actually using that particular copy. Not finding the file is no guarantee the file doesn't exist somewhere else, under a different name. Good luck!

      - decode the format of the config file. Remember it may (or may not) be sensitive to white space characters and positioning within the file. The file may work to a different character set than your chosen text editor. Or may not. Feeling lucky?

      - Remember all that you find in the config file may interact with the contents of other config files. Want to know what they say? Go back to the start of this list and repeat the process. Be prepared to recurse back multiple layers of files, all with the same difficulties.

      Of course you could read the self-documentation and examp ... <snort> <guffaw!> Sorry, I knew I couldn't get through that without a laughing fit. Sure, there are some that are good. But most have zero documentation aimed at the end user. They are almost all exclusively written by the developer and consequently aimed at other developers or power users.

      Now you could say that many of the above criticisms could apply to the registry, but at least you know where to find that and it only has one format and one copy.

      1. Inachu

        Re: Config files just work

        The one part is very true. config files can reside anywhere!

        I hate that. All you non-Microsoft config files stay out of the windows path and subdirectories!

        If you want your cfg file to be read at boot time then add the path to the environment variable!

  10. aregross

    The old (really old) version of 'Ad-Aware' would alarm the user when 'something' wanted to write to the registry. They could then Allow or Dis-Allow. This was a godsend to me as an IT Manager as it prevented a number of infections. Why isn't this built-in to Windows from the start? Seems to me to be the perfect solution... if you weren't intentionally installing a piece of software you could 'Just say NO'!

    1. Anonymous Coward
      Anonymous Coward

      >alarm the user when 'something' wanted to write to the registry.

      >Why isn't this built-in to Windows from the start?

      Because it was a god-awful nuisance that interfered with actual work.

  11. Mage Silver badge

    Silentrunners

    Does the Registry Execution Point analysis tool here on Silentrunners.org find this?

    I find it a very useful tool, coupled with rebooting in safe mode and using a couple of root kit scanners is better to check and clean manually than any performance crippling AV. (see gmer for an old one)

  12. Jess

    A modification to how windows works could stop this.

    But XP would miss out of course.

  13. Anonymous Coward
    Anonymous Coward

    You can always delete autoexec.bat...

    ...while you can't delete your registry. Well, not all of it.

    I had "HKEY_LOCAL_MACHINE/Software/Microsoft/Windows/CurrentVersion/Run" hot-keyed on a DMZ test machine just to see what would embed itself there from time to time.

    From Apple's Quicktime to Adobe Reader, to PSafe, to Hao123, I had all sorts of viruses spread over there.
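The commenter above watches the Run key by hand to see what embeds itself there, and the "What I don't get" thread earlier asks how an autostart entry can point at non-ASCII encoded data elsewhere in the registry. The following is an added example, not code from the article, from any commenter, or from any product named in this thread: a read-only PowerShell sweep of the Run/RunOnce keys under HKLM and HKCU that reports entries regedit would display badly or not at all, namely value names with control or non-ASCII characters, data that refers to a registry path instead of a program on disk, and data holding a long encoded-looking blob. The key list, the 200-character blob threshold and the function names are assumptions; the script only reports and never modifies anything.

```powershell
# Added example (not from the article or any commenter): read-only sweep of the
# Run/RunOnce autostart keys, flagging entries that regedit renders poorly.
# Key list, thresholds and function names are assumptions for this example.

$AutostartKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

function ConvertTo-PrintableName {
    # Escape anything outside printable ASCII as \uXXXX so the report can show
    # value names that the regedit GUI renders as blank or as garbage.
    param([string]$Name)
    $sb = New-Object System.Text.StringBuilder
    foreach ($ch in $Name.ToCharArray()) {
        $code = [int]$ch
        if ($code -ge 0x20 -and $code -le 0x7E) { [void]$sb.Append($ch) }
        else { [void]$sb.AppendFormat('\u{0:X4}', $code) }
    }
    return $sb.ToString()
}

function Get-EntryReasons {
    # Return the reasons an autostart entry deserves a second look (may be empty).
    param([string]$Name, [string]$Data)
    $reasons = @()
    if ($Name -match '[^\x20-\x7E]') {
        $reasons += 'value name contains control or non-ASCII characters'
    }
    # Autostart data normally names a program on disk; a registry path means
    # the entry is only a pointer to something stored elsewhere in the registry.
    if ($Data -match '(?i)HK(LM|CU|EY_)') {
        $reasons += 'data references a registry path instead of a file'
    }
    # A long run of base64/hex-alphabet characters looks like an encoded blob,
    # not a command line. 200 is an assumed threshold; tune it for your estate.
    if ($Data -match '[A-Za-z0-9+/=]{200,}') {
        $reasons += 'data contains a long encoded or binary blob'
    }
    return $reasons
}

function Get-AutostartFindings {
    $findings = @()
    foreach ($key in $AutostartKeys) {
        if (-not (Test-Path -LiteralPath $key)) { continue }
        # Reading through the .NET RegistryKey object returns every value name,
        # including names the regedit GUI cannot display.
        $item = Get-Item -LiteralPath $key
        foreach ($name in $item.GetValueNames()) {
            $raw = $item.GetValue($name, '', 'DoNotExpandEnvironmentNames')
            if ($raw -is [byte[]]) {
                # REG_BINARY: render as hex so the blob check can judge its length.
                $data = ($raw | ForEach-Object { $_.ToString('X2') }) -join ''
            } else {
                $data = [string]$raw
            }
            $reasons = @(Get-EntryReasons -Name $name -Data $data)
            if ($reasons.Count -gt 0) {
                $findings += [pscustomobject]@{
                    Key     = $key
                    Name    = ConvertTo-PrintableName -Name $name
                    Data    = $data
                    Reasons = ($reasons -join '; ')
                }
            }
        }
    }
    return $findings
}

Get-AutostartFindings | Format-Table -AutoSize -Wrap
```

Run it from an elevated prompt so the HKLM keys are fully readable, and treat the output as a list of entries to examine rather than a verdict: a legitimate installer can still trip the registry-path or blob checks. The four keys above are only the ones this thread talks about; Windows has other autostart locations that a complete sweep would need to cover as well.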

  14. Inachu

    Executables in the registry.

    I've known this for over 8 years now.

    What is new to me is that they use a Microsoft trick so you cannot read the code.

    Malware writers have been hiding junk in the registry for years now and it was one of the ways they would reinfect a person's internet browser.

    1. david 12 Bronze badge

      Re: Executables in the registry.

      > A microsoft trick so you can not read the code.

      MS is a big company, so all kinds of s-t comes out of there. But they have a private API for writing hidden and protected information to the registry, so if this 'trick' was used deliberately to hide information in the registry, it was done by some idiot acting independently.

      On the other hand, two cents says that some blogger found a limitation of regedit, and some comentard described it as a feature.

  15. Bladeforce

    The Windows Registry..

    ..sooo 1990's just like windows itself

    1. Anonymous Coward
      Anonymous Coward

      Re: The Windows Registry..

      "The Windows Registry..

      ..sooo 1990's just like windows itself"

      As opposed to flat text config files - which are so 1970s - just like *Nix type OSs?

  16. Anonymous Coward
    Anonymous Coward

    Inconsistency is the problem, not the registry per se

    I wouldn't mind the registry so much if it was the only way to store config settings. OK, so system stuff is in HKLM and user stuff in HKLU? Ok, I get that. Shame about the bloat, but I'll survive.

    What drives me crazy is that we have the registry AND a bazillion little turd pebbles lying all over the rest of the disk. If Word stores half its per user config in the Registry, why is everyone's personal normal.dat in c:\users\foo\bar\blah\AppData\something\Roaming?

    Do one, or the other, but for the love of god, not both at the same time.

  17. Goat Jam

    Ah yes the dreaded registry.

    On my Linux machines, if I want to rebuild a server all I need to do is a clean install followed by apt-get/yum install and then in the vast majority of cases you simply copy a configuration file over from the old machine. Voila! The job is done in an hour.

    Back in the day you could do much the same with Windows. In fact I remember the time when you could simply copy the MS Office directory from machine A to machine B and it would work perfectly fine.

    This is clearly a less than ideal situation from the perspective of the company who is trying to sell you MS Office however and thusly the Windows registry was born.

    With the registry in place the configuration part of any particular application is disconnected from the application itself and placed into a binary blob that is impossible to copy. To obscure things even more the configuration for an application such as, for example, MS Office, is peppered throughout the registry instead of residing in its own "branch" of the tree and is therefore mixed in with all the configuration details of all the other applications in the system. Further obfuscation is achieved by "hiding" binary stuff (ie "non ascii") and borking the registry editing tool so that it will not allow you to even see the "non ascii" parts let alone edit them and we have a sufficiently tangled mess that the only possible way to install something now is to go through the complete install process which requires access to install media and the associated DRM hoops that must be jumped through.

    I invite people to do a search in their registry for the keyword "outlook" and behold the thousands of references littered throughout the directory tree. Then imagine that multiplied by the number of applications that you have installed. It is little wonder that the registry is constantly bloating up and that uninstallers consistently fail to actually uninstall themselves properly.

    There is absolutely no valid reason that a product like MS Office requires such a ludicrously complicated and widely dispersed configuration other than as a means for Microsoft to create such a complex mess of details so as to make using illicit copies of their software more difficult.

    For the numbskulls earlier in this thread who have bought into the whole "but its a database and couldn't be done in any other way" nonsense you really should not be commenting on stuff you know nothing about.

    1. Anonymous Coward
      Anonymous Coward

      "if I want to rebuild a server all I need to do is a clean install followed by apt-get/yum install and then in the vast majority of cases you simply copy a configuration file over from the old machine"

      Even easier on Windows Server - you can use Restore Settings to return it to a clean install state.

      "With the registry in place the configuration part of any particular application is disconnected from the application itself and placed into a binary blob that is impossible to copy"

      Which is far more sensible / scalable / performant than flat text files. They are not impossible to copy - configurations can easily be exported to text and can then be imported.

      "MS Office, is peppered throughout the registry instead of residing in its own "branch" of the tree and is therefore mixed in with all the configuration details of all the other applications in the system"

      MS Office has its own application configuration "branch" in the Registry. Well a couple - one for the machine specific config and one for the user specific config.

      "Further obfuscation is achieved by "hiding" binary stuff (ie "non ascii") "

      It's generally not hidden at all. You can view it as ASCII and / or as hex values.

      "and borking the registry editing tool so that it will not allow you to even see the "non ascii" parts let alone edit them"

      You can view binary data. What this malware has done is changed a KEY NAME to be non-ASCII, which is not supported - and therefore not visible in the editor utility. There are other tools to let you see this sort of corruption / error and remove it.

      "the only possible way to install something now is to go through the complete install process"

      Nope - you can install something manually if you really want to. However I cannot see any reason to want to do so versus using Windows Installer. Which is very powerful and is far superior to any Linux installer I have seen to date.

      "which requires access to install media and the associated DRM hoops that must be jumped through."

      You generally only need the MSI file. Office doesn't require any actual "media". The only DRM is the license key check. There is no DRM control over Office install executables and media.

      "There is absolutely no valid reason that a product like MS Office requires such a ludicrously complicated and widely dispersed configuration other than as a means for Microsoft to create such a complex mess of details so as to make using illicit copies of their software more difficult."

      Utter bollocks - as above, the configuration is not in general 'widely dispersed', and that configuration location has nothing whatsoever to do with the way the Office copy protection works.

      "you really should not be commenting on stuff you know nothing about."

      Pot, meet kettle.

  18. RandiO

    Proud Windows Idiot

    I don't mind being a Windows idiot or even being called one! Unfortunately, I don't see too many constructive posts here that allow us idiots to continue being idiots. I am also one of those real retarded Windows idiots who refuse installation of any fancy-schmancy AV or security applications and don't really lose sleep over whether my system is going to get infected, each time I snooze (or sneeze). To add insult to injury (and to p^ss off most of you), I also use Microsoft Office and feel console (command prompt) is so friggin' 80s!

    I am inclined to think that there may be a difference between being an idiot and being totally clueless, though. Hence, *I image/backup my WinOS every few months, and *I don't retain my important data/files on the same drive as the OS. I do my share of BT downloads and used to visit warez sites before the advent of BT. I am yet to lose any of my precious data/files to malware in the past 40+ years. But then, my PC is probably a zombie sleeper-cell ready to be invoked into action, if it has not been already awakened w/o this idiot's knowledge!

    1. AlbertH
      Linux

      Re: Proud Windows Idiot

      "Proud Windows Idiot"? You certainly are.

      Hopefully this will be the end of this Windoze nonsense. If there's any residual sense in Redmond, MS will licence BSD and put their useless shiny stuff on top (like Apple did some years ago).

      Unfortunately, the "Proud Windows Idiots" of this world will still manage to give the scammers their credit card details and continue to send their money to Nigerians in the hopes of big payouts......

      1. Mike Pellatt

        Re: Proud Windows Idiot

        ....MS will licence BSD...

        I suggest you read the BSD license. You will see that MS, along with every other individual and organisation in the world, already has one. As long as they comply with its terms.

    2. binarytux

      Re: Proud Windows Idiot

      "40+ years" ? There was a Windows OS in 1974 and earlier?

  19. Anonymous Coward
    Anonymous Coward

    Do the security thing

    I presume this is a HKLM registry issue so the Word doc was opened with an Administrator account or the user proceeded past the User Account Control prompt.

    HKCU infections can be cleaned by deleting the user account so persistence under that account would then cease.

    As long as you stick to the rules and NEVER browse the internet and open unknown files with an elevated account you shouldn't need to worry about this.
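    A defender-side check for the two points raised in this thread (the non-ASCII key name that the earlier Anonymous Coward reply describes as invisible in the editor utility, and this post's HKLM-versus-HKCU persistence distinction), as an added example that is not from the article or any commenter: it enumerates the Run/RunOnce autostart keys in both hives and flags subkey or value names containing control or non-ASCII characters. The key paths chosen and the assumption that the .NET Registry API returns such names as stored are mine, not the article's.

```powershell
# Added example, not from the article or any commenter: scan the Run/RunOnce
# autostart keys in HKLM (machine-wide) and HKCU (per-user) and report any
# subkey or value name with control or non-ASCII characters, which regedit
# cannot display. Assumes the .NET Registry API returns such names as stored;
# a name starting with NUL may still need a tool built on the native NT API.
$AutostartPaths = @(
    'SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
$Hives = @{
    HKLM = [Microsoft.Win32.Registry]::LocalMachine   # hits here mean an elevated write
    HKCU = [Microsoft.Win32.Registry]::CurrentUser    # hits here are per-user only
}

function Test-SuspiciousName {
    param([string]$Name)
    # True if any UTF-16 code unit is a control char (< 0x20) or above 0x7E.
    foreach ($ch in $Name.ToCharArray()) {
        $code = [int]$ch
        if ($code -lt 0x20 -or $code -gt 0x7E) { return $true }
    }
    return $false
}

function New-Finding {
    param([string]$Hive, [string]$Path, [string]$Kind, [string]$Name)
    [PSCustomObject]@{
        Hive = $Hive; Path = $Path; Kind = $Kind
        # Printable form plus the raw code units, so hidden characters are visible.
        Display = ($Name -replace '[^\x20-\x7E]', '?')
        Hex     = (($Name.ToCharArray() | ForEach-Object { '{0:X4}' -f [int]$_ }) -join ' ')
    }
}

foreach ($hive in $Hives.GetEnumerator()) {
    foreach ($path in $AutostartPaths) {
        $key = $hive.Value.OpenSubKey($path)   # read-only handle
        if ($null -eq $key) { continue }
        try {
            foreach ($sub in $key.GetSubKeyNames()) {
                if (Test-SuspiciousName $sub) { New-Finding $hive.Key $path 'Subkey' $sub }
            }
            foreach ($val in $key.GetValueNames()) {
                if (Test-SuspiciousName $val) { New-Finding $hive.Key $path 'Value' $val }
            }
        } finally { $key.Close() }
    }
}
```

A finding under HKCU points at per-user persistence of the kind this post says can be cleared with the account; a finding under HKLM means something wrote there with elevated rights, which is the case worth investigating further.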

  20. Anonymous Coward
    Anonymous Coward

    Folks, the registry is not the issue here. It's just a storage and delivery mechanism just like the word file or the disk the OS is installed on.

    I took the trouble to actually follow the link to the explanation of the exploit and the real problems are that first of all, Microsoft assume that a Powershell script is safe to run without asking for permission simply because it's supposed to run interactively. Secondly and perhaps worst of all is that a script is able to copy code into memory and execute it with no questions asked! So much for DEP.

    To summarise, the problems are that the Microsoft JScript engine allows some HTML to materialise an ActiveX scripting object in memory which can then be run automatically, bypassing the normal security mechanisms. Then that script is allowed to create an executable object (also in memory) and transfer control to it. The registry is the least of anyone's problems, we should just be thankful that the initial exploit script can't be run from a web page (or can it?)

    1. Anonymous Coward
      Anonymous Coward

      "Microsoft assume that a Powershell script is safe to run without asking for permission simply because it's supposed to run interactively"

      No they don't. By default Powershell scripts will not run at all unless digitally signed.

  21. Anonymous Coward
    Anonymous Coward

    Oh FFS.

    Facts are this:

    1. The registry IS an INTEGRAL part of Windows.

    2. No amount of whining will change that.

    3. Don't like Windows? Don't use it.

    4. Don't like Windows but HAVE to use it? Let your Admin worry about this.

    5. This threat, now exposed, will be mitigated.

    6. Life goes on. Learn to accept that.

    If the most pressing issue in your life is that the registry has been shown to be able to hide malware (which it now can't, as it's been discovered) then you have very dull lives.

Biting the hand that feeds IT © 1998–2019