
Image File Execution Options

Tuesday, December 9, 2008 at 2:40pm by Lokesh Kumar

Malware authors continue to find unique ways to ensure that their malicious code runs at system start-up.

One such method is through this lesser known registry key:

HKey_Local_Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options

This registry key is intended to specify a debugger, in this case “Olly Debugger,” that is launched whenever a given application starts, so the application can be debugged from its first instruction.

For example:

To debug notepad.exe when it starts, one simply has to go to this registry key and create a subkey called notepad.exe.

A string value named “debugger” is then created under this subkey and set to the path of the debugger. In the case of Olly debugger, this is what it would look like:

This now ensures that every time the notepad application is invoked, Olly debugger runs instead, which, in turn, opens notepad, enabling it to be debugged.

Here’s the unique aspect about this registry key:

If we replace the debugging application (Olly debugger in this case) with a malicious executable (e.g., trojan.exe), the control will now be redirected to trojan.exe every time notepad.exe is run.

Microsoft intended this registry key to be a useful feature; however, Windows has no mechanism to check whether the application to which control is redirected is, in fact, a rogue application.

I managed to find information on this start-up method, which dates back to 2005. Unfortunately, malware authors are exploiting this very feature to:

1. Start up malicious files, even though the unsuspecting user intends to run another clean application
2. Disable security products, by redirecting the security products’ processes to malicious processes

Tools such as msconfig.exe, intended to check for start-up entries, are under-equipped to handle this and do not detect applications that use this redirection technique. Users are advised to use “Autoruns” from Sysinternals instead.

See the screenshot below:

On a related note, the next time you happen to struggle with a severely infected machine with no anti-virus solution or with outdated signatures, you can redirect the malicious process to a clean file using the technique mentioned above.

For example, you can redirect “trojan.exe” to a “clean.exe”. See below:

The next time the malicious process tries to execute itself, the clean file will instead be executed, thus preventing the malicious file from spawning again. As always, remember to back up your registry before doing this.
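Autoruns shows these entries interactively; the following script, added here as an illustration and not part of the original post, does the same audit offline over a `reg export` of the Image File Execution Options key. It assumes the export has already been read as text (reg.exe writes UTF-16) and uses a constructed sample containing the notepad.exe/Olly entry described above plus a redirected security-product process (the name avscan.exe is made up for the example).

```python
"""Audit an exported Image File Execution Options key for Debugger redirections."""
import re

# Constructed sample .reg export (not captured from a real host). The second
# subkey mimics the abuse described in the post: a product process redirected
# to a malicious file instead of a debugger.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"Debugger"="C:\\Tools\\OllyDbg\\OLLYDBG.EXE"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avscan.exe]
"Debugger"="C:\\Users\\Public\\trojan.exe"
'''

# Debugger binaries an administrator would expect to see here; extend as needed.
KNOWN_DEBUGGERS = {"ollydbg.exe", "windbg.exe", "ntsd.exe", "cdb.exe", "vsjitdebugger.exe"}


def parse_ifeo(text):
    """Return {image_name: debugger_path} for every subkey that carries a Debugger value."""
    entries = {}
    current = None
    for line in text.splitlines():
        key = re.match(r'^\[(.+)\]$', line.strip())
        if key:
            parent, _, leaf = key.group(1).rpartition('\\')
            # Only direct children of the IFEO key name an image to redirect.
            current = leaf if parent.lower().endswith('image file execution options') else None
            continue
        value = re.match(r'^"debugger"="(.*)"$', line.strip(), re.I)
        if value and current:
            # .reg files escape backslashes; collapse them back to a Windows path.
            entries[current.lower()] = value.group(1).replace('\\\\', '\\')
    return entries


def find_redirections(text, known=KNOWN_DEBUGGERS):
    """Flag (image, debugger) pairs whose debugger is not a recognised debugger binary."""
    findings = []
    for image, debugger in parse_ifeo(text).items():
        exe = debugger.strip('"').split('\\')[-1].split(' ')[0].lower()
        if exe not in known:
            findings.append((image, debugger))
    return findings


if __name__ == "__main__":
    for image, debugger in find_redirections(SAMPLE_REG):
        print(f"suspicious IFEO redirection: {image} -> {debugger}")
```

Any hit should be compared against what actually launches when the named image is started, which is exactly the check msconfig.exe does not perform.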


Comments (7)

  • johnny July 6, 2011 4:52AM

    Thanks for your detailed explanation.
    It is so fantastic with the screenshots.

    Thanks again.

  • Ankur September 26, 2010 12:20AM

    Thanks Lokesh, very well explained…
    @ken Most end users run their machines logged in as admin.

  • MySpace Comments December 10, 2008 12:25PM

    Thanks for explaining image file execution stuff.

  • Tyler December 10, 2008 9:04AM

    Um, Ken/suc – most users run with admin privs. That’s how malware gets a hold in the first place.

    Thanks Lokesh – informative post.

  • Bruce December 10, 2008 8:10AM

    Ken – the author never said this was a hole. This is just bringing attention to another technique to autorun something malicious. Malware authors take advantage of what seems like a dozen or more methods to autorun their programs, and many do require admin rights. Malware authors also take advantage of uncountable attack vectors that will get at your users’ PCs. And guess what? Most shops run with users as admins, as do most home users. But more importantly, IT administrators need to know about these techniques so we can intelligently fight new malware ourselves when our AV vendor’s product does not have an update yet.

  • suc December 10, 2008 5:21AM

    Writing in HKey_Local_Machine requires administrative privileges.

  • Ken Hagan December 10, 2008 5:14AM

    This has been in NT since the outset. Yes, it’s intended as a debugging aid, but it is hardly a malware hole. You need admin rights to tweak it.