Malware authors continue to find unique ways to ensure that their malicious code runs at system start-up.
One such method is through this lesser known registry key:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
This registry key is intended to let you name a debugger (in this case “Olly Debugger”) that Windows launches whenever a given application starts, so the application can be debugged from its first instruction.
To debug notepad.exe when it starts, one simply has to go to this registry key and create a subkey called notepad.exe.
A string value named “debugger” is then created under this subkey and given the path of the debugger as its value. In the case of Olly debugger, this is what it would look like:
This now ensures that every time the notepad application is invoked, Olly debugger runs instead, which, in turn, opens notepad, enabling it to be debugged.
Here’s the unique aspect about this registry key:
If we replace the debugging application (Olly debugger in this case) with a malicious executable (e.g., trojan.exe), control will now be redirected to trojan.exe every time notepad.exe is run.
Microsoft intended this registry key to be a useful feature; however, there exists no mechanism whereby Windows checks whether the application to which control is being redirected is, in fact, a rogue application.
I managed to find information on this start-up method, which dates back to 2005. Unfortunately, malware authors are exploiting this very feature to:
1. Start up malicious files, even though the unsuspecting user intends to run another clean application
2. Disable security products, by redirecting the security products’ processes to malicious processes
Tools such as msconfig.exe, intended to check for start-up entries, are underequipped to handle this and do not detect applications that use this redirection technique. Users are advised to use “Autoruns” from Sysinternals instead.
See the screenshot below:
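A quick way to audit a machine for this redirection from the command line, as an added example (PowerShell; not part of the original post, and the function name Get-IfeoDebugger is my own): it walks both the native and the WOW6432Node Image File Execution Options keys and reports every subkey that carries a Debugger value, which is exactly the condition Autoruns flags.

```powershell
# Audit IFEO "Debugger" redirections (added example, not from the original post).
# Every subkey listed here names a program whose launch is silently handed to
# the executable in its Debugger value; each hit should be reviewed.
$ifeoPaths = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
)

function Get-IfeoDebugger {
    foreach ($base in $ifeoPaths) {
        if (-not (Test-Path -Path $base)) { continue }
        foreach ($key in Get-ChildItem -Path $base) {
            $debugger = (Get-ItemProperty -Path $key.PSPath -Name Debugger `
                            -ErrorAction SilentlyContinue).Debugger
            if (-not $debugger) { continue }

            # Pull the executable out of the Debugger value so the reviewer can
            # see whether it still exists and where it lives. Handles both
            # "C:\path\tool.exe" -args and an unquoted C:\path\tool.exe form.
            $exe = ($debugger -split '"')[1]
            if (-not $exe) { $exe = ($debugger -split ' ')[0] }

            [PSCustomObject]@{
                Target   = $key.PSChildName          # e.g. notepad.exe
                Debugger = $debugger                 # what actually gets launched
                Exists   = Test-Path -LiteralPath $exe
                Hive     = $base
            }
        }
    }
}

Get-IfeoDebugger | Format-Table -AutoSize
```

Run it from an elevated prompt so both hives are readable; a rogue entry can be cleared with Remove-ItemProperty on the affected subkey's Debugger value once the file it points to has been dealt with.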
On a related note, the next time you happen to struggle with a severely infected machine with no anti-virus solution or with outdated signatures, you can redirect the malicious process to a clean file using the technique mentioned above.
For example, you can redirect “trojan.exe” to a “clean.exe”. See below:
The next time the malicious process tries to execute itself, the clean file will instead be executed, thus preventing the malicious file from spawning again. As always, remember to back up your registry before doing this.