Hidden-code flaw in Windows renews worries over stealthy malware

Discussion in 'Computer Security' started by Imhotep, Sep 1, 2005.

  1. Imhotep

    Imhotep Guest

    "Last week, the Internet Storm Center, a group of security professionals
    that track threats on the Net, flagged a flaw in how a common Microsoft
    Windows utility and several anti-spyware utilities detect system changes
    made by malicious software. By using long names for registry keys, spyware
    programs could, in a simple way, hide from such utilities yet still force
    the system to run the malicious program every time the compromised computer
    starts up."

    http://www.securityfocus.com/news/11300

    Im
    Imhotep, Sep 1, 2005
    #1
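The flaw in the quoted article is about autostart entries whose value names are long enough that some registry-viewing utilities fail to show them, while Windows still runs the program they point to. The PowerShell below is an added example, not part of this thread or of the SecurityFocus article: it reads the Run/RunOnce keys through the .NET registry API, which returns every value name regardless of what a display tool chooses to render, and flags any name longer than a threshold. The 255-character threshold, the function names and the sample entries are assumptions constructed for illustration, not values taken from the thread.

```powershell
# Added example (not from the thread): flag autostart registry values whose
# names are long enough to be hidden or truncated by some display utilities.
# The 255-character threshold is an assumption, not a value from the article.

function Find-SuspiciousAutorunNames {
    param(
        # Each entry is @{ Key = <registry path>; Name = <value name>; Data = <value data> }
        [Parameter(Mandatory)] [hashtable[]] $Entries,
        [int] $MaxNameLength = 255
    )
    foreach ($e in $Entries) {
        if ($e.Name.Length -gt $MaxNameLength) {
            [pscustomobject]@{
                Key        = $e.Key
                NameLength = $e.Name.Length
                NamePrefix = $e.Name.Substring(0, [Math]::Min(40, $e.Name.Length))
                Data       = $e.Data
                Reason     = "value name longer than $MaxNameLength characters"
            }
        }
    }
}

function Get-AutorunEntries {
    # Reads the common Run/RunOnce keys directly via .NET so that every value
    # name is returned, independent of what a GUI tool decides to display.
    $subKeys = @(
        'SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    $hives = @([Microsoft.Win32.Registry]::LocalMachine, [Microsoft.Win32.Registry]::CurrentUser)
    foreach ($hive in $hives) {
        foreach ($sub in $subKeys) {
            $key = $hive.OpenSubKey($sub)
            if ($null -eq $key) { continue }
            foreach ($name in $key.GetValueNames()) {
                @{ Key = "$($hive.Name)\$sub"; Name = $name; Data = [string]$key.GetValue($name) }
            }
            $key.Close()
        }
    }
}

# Constructed sample entries (not real findings) so the check runs on any host:
$sample = @(
    @{ Key = 'HKEY_LOCAL_MACHINE\...\Run'; Name = 'SomeVendorTray'; Data = 'C:\Program Files\Vendor\tray.exe' },
    @{ Key = 'HKEY_CURRENT_USER\...\Run';  Name = ('A' * 300);      Data = 'C:\Users\Public\updater.exe' }
)
Find-SuspiciousAutorunNames -Entries $sample | Format-Table -AutoSize

# On a Windows host, run the same check over the live keys (elevate for HKLM):
# Find-SuspiciousAutorunNames -Entries (Get-AutorunEntries) | Format-Table -AutoSize
```

The more general form of this check, which the script is built to allow, is to compare the full set of value names the API returns against what the monitoring tool you rely on actually lists; any entry present in one and absent in the other is worth a look, whatever its length.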

  2. Imhotep

    Steve Welsh Guest

    Well, the Windoze Registry has blossomed from an ill-conceived concept
    in Win95 to the sprawling, totally out-of-control nightmare that it now
    is. It is totally beyond redemption, and I would challenge anyone that
    claims to know what every single entry in the Registry is, or does.

    e.g. WTF? {2D18D25D-8E3D-F766-DF01-828AAC3A96F8} etc, etc

    OK this is not code, but I think the quote still applies - Eric Raymond
    "Elegant code is not only correct, but visibly, transparently correct."

    I suppose Jim will disagree ;)

    Imhotep wrote:
    > "Last week, the Internet Storm Center, a group of security professionals
    > that track threats on the Net, flagged a flaw in how a common Microsoft
    > Windows utility and several anti-spyware utilities detect system changes
    > made by malicious software. By using long names for registry keys, spyware
    > programs could, in a simple way, hide from such utilities yet still force
    > the system to run the malicious program every time the compromised computer
    > starts up."
    >
    > http://www.securityfocus.com/news/11300
    >
    > Im
    Steve Welsh, Sep 1, 2005
    #2

  3. Imhotep

    Imhotep Guest

    Steve Welsh wrote:

    > Well, the Windoze Registry has blossomed from an ill-conceived concept
    > in Win95 to the sprawling, totally out-of-control nightmare that it now
    > is. It is totally beyond redemption, and I would challenge anyone that
    > claims to know what every single entry in the Registry is, or does.
    >
    > e.g. WTF? {2D18D25D-8E3D-F766-DF01-828AAC3A96F8} etc, etc
    >
    > OK this is not code, but I think the quote still applies - Eric Raymond
    > "Elegant code is not only correct, but visibly, transparently correct."
    >
    > I suppose Jim will disagree ;)
    >
    > Imhotep wrote:
    >> "Last week, the Internet Storm Center, a group of security professionals
    >> that track threats on the Net, flagged a flaw in how a common Microsoft
    >> Windows utility and several anti-spyware utilities detect system changes
    >> made by malicious software. By using long names for registry keys,
    >> spyware programs could, in a simple way, hide from such utilities yet
    >> still force the system to run the malicious program every time the
    >> compromised computer starts up."
    >>
    >> http://www.securityfocus.com/news/11300
    >>
    >> Im


    Yes, I agree with you. The registry was intentionally made overly complex so
    as to force companies to become a "Microsoft partner". In doing so, it has
    augmented into a sloppy beast ripe for hackers/crackers.

    I still like the old Linux/Bsd way: a simple configuration file that you can
    edit with any text processor. Clean and simple...

    Imhotep
    Imhotep, Sep 1, 2005
    #3
  4. Imhotep

    Jim Watt Guest

    On Thu, 01 Sep 2005 04:23:15 GMT, Imhotep <> wrote:

    >Steve Welsh wrote:
    >
    >> Well, the Windoze Registry has blossomed from an ill-conceived concept
    >> in Win95 to the sprawling, totally out-of-control nightmare that it now
    >> is. It is totally beyond redemption, and I would challenge anyone that
    >> claims to know what every single entry in the Registry is, or does.
    >>
    >> e.g. WTF? {2D18D25D-8E3D-F766-DF01-828AAC3A96F8} etc, etc
    >>
    >> OK this is not code, but I think the quote still applies - Eric Raymond
    >> "Elegant code is not only correct, but visibly, transparently correct."
    >>
    >> I suppose Jim will disagree ;)
    >>
    >> Imhotep wrote:
    >>> "Last week, the Internet Storm Center, a group of security professionals
    >>> that track threats on the Net, flagged a flaw in how a common Microsoft
    >>> Windows utility and several anti-spyware utilities detect system changes
    >>> made by malicious software. By using long names for registry keys,
    >>> spyware programs could, in a simple way, hide from such utilities yet
    >>> still force the system to run the malicious program every time the
    >>> compromised computer starts up."
    >>>
    >>> http://www.securityfocus.com/news/11300
    >>>
    >>> Im

    >
    >Yes, I agree with you. The registry was intentionally made overly complex as
    >to force companies to become a "Microsoft partner". In doing so, it has
    >augmented into a sloppy beast ripe for hackers/crackers.
    >
    >I still like the old Linux/Bsd way: a simple configuration file that you can
    >edit with any text processor. Clean and simple...


    I agree with you that .ini files had a lot to be said for them
    in terms of saving an individual program's settings in windows
    although the registry is a powerful tool for the machine
    environment.

    But this is yet another bit of MS bashing which is getting tedious.

    --
    Jim Watt
    http://www.gibnet.com
    Jim Watt, Sep 1, 2005
    #4
  5. Imhotep

    Moe Trin Guest

    In the Usenet newsgroup alt.computer.security, in article
    <TmvRe.97175$>, Imhotep wrote:

    >Yes, I agree with you. The registry was intentionally made overly complex
    >as to force companies to become a "Microsoft partner". In doing so, it has
    >augmented into a sloppy beast ripe for hackers/crackers.


    It's also one massive single point of failure. If it gets trashed for any
    reason, your box is sitting there totally screwed. At least with the Mac
    from that era, if it couldn't boot, it gave you an icon of a sick looking
    computer and asked for a boot floppy.

    >I still like the old Linux/Bsd way: a simple configuration file that you can


    s/Linux\/Bsd/UNIX/

    >edit with any text processor. Clean and simple...


    Simple???

    [compton ~]$ wc -l /etc/sendmail.cf
    1490 /etc/sendmail.cf
    [compton ~]$

    When I started using Linux in 1994, I probably wasted a day or two trying
    to read the stupid boot scripts. Miquel van Smoorenburg started that mess,
    and others took it and ran with it. The guys REALLY knew the nitty-gritties
    of Bourne shell scripting, but they absolutely flaunted it. Eric Raymond's
    quote "Elegant code is not only correct, but visibly, transparently correct."
    was NOT followed. And yes, I do know something about shell scripting, as
    I've been using UNIX since 4.1BSD (and I _still_ hate csh).

    As far as editing with "any text processor", you do have to be aware that
    some "user friendly" editors (pico - the skript kiddiez friend is one
    example) auto-wrap lines longer than 70-odd characters at a word break,
    and that will screw up your day just fine.

    Old guy
    Moe Trin, Sep 1, 2005
    #5
  6. Imhotep

    Shadus Guest

    >>edit with any text processor. Clean and simple...
    >
    > Simple???
    >
    > [compton ~]$ wc -l /etc/sendmail.cf
    > 1490 /etc/sendmail.cf
    > [compton ~]$


    Bah, play fair, that's 90% comments.

    [mail /root]# cat /etc/mail/sendmail.cf | wc -l
    1127
    [mail /root]# cat /etc/mail/sendmail.cf | grep -v # | wc -l
    84
    [mail /root]#

    > example) auto-wrap lines longer than 70-odd characters at a word break,
    > and that will screw up your day just fine.


    and of course when it wraps you can back space and remove the wrapping
    until you edit the line again... or convert to a real editor... like vim
    or emacs or... ed (j/k) ;)

    --
    Shadus
    Shadus, Sep 1, 2005
    #6
  7. Imhotep

    Jim Watt Guest

    On Thu, 01 Sep 2005 15:17:05 -0500, Shadus <> wrote:

    >>>edit with any text processor. Clean and simple...

    >>
    >> Simple???

    >convert to a real editor... like vim
    >or emacs or... ed (j/k) ;)


    I gave up on SCO because of editing in vi

    All this cryptic stuff is very fine, but these days now
    storage is cheap its utility is outweighed by the trouble
    in learning it and getting it right.

    My first job was maintaining programs written in machine
    code without any documentation, it taught me that often
    the readable version is better.
    --
    Jim Watt
    http://www.gibnet.com
    Jim Watt, Sep 1, 2005
    #7
  8. Imhotep

    Shadus Guest

    On 2005-09-01, Jim Watt <_way> blabbed:
    > I gave up on SCO because of editing in vi

    Lol, vi (vim specifically) is my favorite editor. It's simple,
    powerful, and does everything I could want out of an editor for source
    code, text files, configs, etc. I can use emacs in a pinch, jed, jove,
    pico, nano, whatever. I prefer vi, even use it in windows when I'm
    forced to work there.

    To give up an entire os because you don't like/can't grasp its default
    editor seems... eh nevermind, it speaks for itself.

    > All this cryptic stuff is very fine, but these days now
    > storage is cheap its utility is outweighed by the trouble
    > in learning it and getting it right.

    I don't understand what you think is cryptic, especially since the
    original thread regarded the registry if I remember right. The
    original point if memory serves was that unix config files are much
    simpler than the registry and safer too since a single change in one
    value won't leave your machine in an unbootable state.

    > My first job was maintaining programs written in machine
    > code without any documentation, it taught me that often
    > the readable version is better.

    Which is why all the good commenting in most unix config files is really
    nice... compared to the registry, especially when dealing with 3rd party
    applications and programs which may or may not have a key there that is
    required... shrug, I'll stick to configs.

    --
    Shadus
    Shadus, Sep 2, 2005
    #8
  9. Imhotep

    Moe Trin Guest

    In the Usenet newsgroup alt.computer.security, in article
    <>, Shadus wrote:

    >> Simple???
    >>
    >> [compton ~]$ wc -l /etc/sendmail.cf
    >> 1490 /etc/sendmail.cf
    >> [compton ~]$

    >
    >Bah, play fair, that's 90% comments.


    Yet even sendmail.org doesn't recommend messing with the .cf file, wanting
    you to use the sendmail.mc file - not that it's a whole lot easier to
    understand.

    >and of course when it wraps you can back space and remove the wrapping
    >until you edit the line again...


    man pico and look for the -w option

    >or convert to a real editor... like vim or emacs or... ed (j/k) ;)


    or 'echo' ;-)

    The problem with "real editors" other than "/bin/vi" (which given the
    license problems is often a link to or a subset of a vi clone) is that they
    are often not available when you need them. Yes, you should also have the
    even more "user unfriendly" /bin/ed, and most vi users know enough of the
    commands to get ed to do something useful. :wq!

    Old guy
    Moe Trin, Sep 2, 2005
    #9
  10. Imhotep

    Jim Watt Guest

    On Fri, 02 Sep 2005 10:01:22 -0500, Shadus <> wrote:

    >I don't understand what you think is cryptic,


    [compton ~]$ wc -l /etc/sendmail.cf
    1490 /etc/sendmail.cf
    [compton ~]$

    Explain in English
    --
    Jim Watt
    http://www.gibnet.com
    Jim Watt, Sep 2, 2005
    #10
  11. Imhotep

    Kevin Reiter Guest

    Jim Watt wrote:
    > On Fri, 02 Sep 2005 10:01:22 -0500, Shadus <> wrote:
    >
    >
    >>I don't understand what you think is cryptic,

    >
    >
    > [compton ~]$ wc -l /etc/sendmail.cf
    > 1490 /etc/sendmail.cf
    > [compton ~]$
    >
    > Explain in English


    NAME
    wc -- word, line, character, and byte count

    SYNOPSIS
    wc [-clmw] [file ...]

    DESCRIPTION
    The wc utility displays the number of lines, words, and bytes contained in
    each input file (or standard input, by default) to the standard output. A
    line is defined as a string of characters delimited by a <newline>
    character, and a word is defined as a string of characters delimited by
    white space characters. White space characters are the set of characters
    for which the isspace(3) function returns true. If more than one input
    file is specified, a line of cumulative counts for all the files is
    displayed on a separate line after the output for the last file.

    Looks like there's 1490 lines in your sendmail.cf file, if I read the
    manpage correctly. Sounds pretty simple to me, but then again, it's
    written in English, so I could be wrong..
    Kevin Reiter, Sep 3, 2005
    #11
  12. "Shadus" <> wrote in message
    news:...
    > On 2005-09-01, Jim Watt <_way> blabbed:
    > > I gave up on SCO because of editing in vi

    > Lol, vi (vim specifically) is my favorite editor. It's simple,
    > powerful, and does everything I could want out of an editor for source
    > code, text files, configs, etc. I can use emacs in a pinch, jed, jove,
    > pico, nano, whatever. I prefer vi, even use it in windows when I'm
    > forced to work there.
    >
    > To give up an entire os because you don't like/can't grasp its default
    > editor seems... eh nevermind, it speaks for itself.
    >
    > > All this cryptic stuff is very fine, but these days now
    > > storage is cheap its utility is outweighed by the trouble
    > > in learning it and getting it right.

    > I don't understand what you think is cryptic, especially since the
    > original thread regarded the registry if I remember right. The
    > original point if memory serves was that unix config files are much
    > simpler than the registry and safer too since a single change in one
    > value won't leave your machine in an unbootable state.


    LMAO on that one - VI is a perfectly reasonable line editor (first used 'em
    on Cyber mainframes), but a fairly poor excuse for the FSEs that emerged in
    the 1980s. Heck, EVE showed how to convert a perfectly good VAX line-editor
    into an excellent FSE. More than two decades ago.

    And even modern editors could learn a few tricks from the 300kB or so of
    MultiEdit (1988, DOS 3.01 or higher, if memory serves).

    Anyway - the argument's pointless unless you've ever used CED Pro 2.
    Blitters /rock/, when it comes to editing ;o)

    --

    Hairy One Kenobi

    Disclaimer: the opinions expressed in this opinion do not necessarily
    reflect the opinions of the highly-opinionated person expressing the opinion
    in the first place. So there!
    Hairy One Kenobi, Sep 3, 2005
    #12
  13. Imhotep

    Whoever Guest

    On Sat, 3 Sep 2005, Hairy One Kenobi wrote:

    > "Shadus" <> wrote in message
    > news:...
    >> On 2005-09-01, Jim Watt <_way> blabbed:
    >>> I gave up on SCO because of editing in vi

    >> Lol, vi (vim specifically) is my favorite editor. It's simple,
    >> powerful, and does everything I could want out of an editor for source
    >> code, text files, configs, etc. I can use emacs in a pinch, jed, jove,
    >> pico, nano, whatever. I prefer vi, even use it in windows when I'm
    >> forced to work there.
    >>
    >> To give up an entire os because you don't like/can't grasp its default
    >> editor seems... eh nevermind, it speaks for itself.
    >>
    >>> All this cryptic stuff is very fine, but these days now
    >>> storage is cheap its utility is outweighed by the trouble
    >>> in learning it and getting it right.

    >> I don't understand what you think is cryptic, especially since the
    >> original thread regarded the registry if I remember right. The
    >> original point if memory serves was that unix config files are much
    >> simpler than the registry and safer too since a single change in one
    >> value won't leave your machine in an unbootable state.

    >
    > LMAO on that one - VI is a perfectly reasonable line editor (first used 'em
    > on Cyber mainframes), but a fairly poor excuse for the FSEs that emerged in
    > the 1980s.


    LMAO on that one. "ed" is the line editor, "vi" is the full screen editor.
    vim is an incredibly powerful editor -- if you can learn how to use it.
    Most people don't. And vim with config files is wonderful -- it
    understands the syntax of many file types and highlights the various items
    appropriately. If you are going to edit html files in a text editor, vim
    is probably what you want to use.

    But vi/vim's most powerful attribute is that it is available on just about
    every *nix platform (although, for some strange reason, Gentoo uses pico
    as its default).

    Anyway, back to the original comment about the registry vs. config files:
    yes some config files for *nix applications are complex, however, many are
    quite simple and most contain detailed comments. I don't recall any
    comments in the registry....
    Whoever, Sep 3, 2005
    #13
  14. Imhotep

    Jim Watt Guest

    On Fri, 2 Sep 2005 23:04:30 -0700, Whoever <>
    wrote:

    >Anyway, back to the original comment about the registry vs. config files:
    >yes some config files for *nix applications are complex, however, many are
    >quite simple and most contain detailed comments. I don't recall any
    >comments in the registry....


    After a short flirtation with the registry, I've gone back to using
    ini files for configuration data for things I write.

    I suspect part of the attraction of using the registry is to enforce
    using an install program rather than making the copying of
    software from one machine to another easy.

    Otherwise for some things the registry is a good tool.
    --
    Jim Watt
    http://www.gibnet.com
    Jim Watt, Sep 3, 2005
    #14
  15. "Whoever" <> wrote in message
    news:p...
    > On Sat, 3 Sep 2005, Hairy One Kenobi wrote:


    <snip>

    > > LMAO on that one - VI is a perfectly reasonable line editor (first used

    'em
    > > on Cyber mainframes), but a fairly poor excuse for the FSEs that emerged

    in
    > > the 1980s.

    >
    > LMAO on that one. "ed" is the line editor, "vi" is the full screen editor.


    Take a closer look at the command structure... an FSE doesn't require a
    keypress to (say) change a character in the display.

    That makes it - as I said - a poor excuse for an FSE coded in the last
    quarter-century. EVE (an FSE sitting on top of EDT) showed how to do it
    /properly/...

    > Anyway, back to the original comment about the registry vs. config files:
    > yes some config files for *nix applications are complex, however, many are
    > quite simple and most contain detailed comments. I don't recall any
    > comments in the registry....


    Because an end user is supposed to be using the configuration tool, rather
    than low-level editing? In the sixties and seventies, use of multiple config
    files, shotgunned over every device on a system, was the norm. The registry
    concept merged all of this into a single location - older versions of
    Windows were just as guilty as everyone else at peppering your disks with
    hard-to-find, hard-to-backup files.

    Can't see what all the fuss is about.. unless you would care to argue about
    piss-poor use of which sections in the registry bad developers tend to use?
    Requiring admin rights?

    H1K
    Hairy One Kenobi, Sep 3, 2005
    #15
  16. Imhotep

    Imhotep Guest

    Moe Trin wrote:

    > In the Usenet newsgroup alt.computer.security, in article
    > <TmvRe.97175$>, Imhotep wrote:
    >
    >>Yes, I agree with you. The registry was intentionally made overly complex
    >>as to force companies to become a "Microsoft partner". In doing so, it has
    >>augmented into a sloppy beast ripe for hackers/crackers.

    >
    > It's also one massive single point of failure. If it gets trashed for any
    > reason, your box is setting there totally screwed. At least with the Mac
    > from that era, if it couldn't boot, it gave you an icon of a sick looking
    > computer and asked for a boot floppy.
    >
    >>I still like the old Linux/Bsd way: a simple configuration file that you can

    >
    > s/Linux\/Bsd/UNIX/


    :)

    >>edit with any text processor. Clean and simple...

    >
    > Simple???


    At least compared to a registry....
    :)

    > [compton ~]$ wc -l /etc/sendmail.cf
    > 1490 /etc/sendmail.cf
    > [compton ~]$
    >
    > When I started using Linux in 1994, I probably wasted a day or two trying
    > to read the stupid boot scripts. Miquel van Smoorenburg started that mess,
    > and others took it and ran with it. The guys REALLY knew the
    > nitty-gritties of Bourne shell scripting, but they absolutely flaunted it.
    > Eric Raymond's quote "Elegant code is not only correct, but visibly,
    > transparently correct." was NOT followed. And yes, I do know something
    > about shell scripting, as I've been using UNIX since 4.1BSD (and I _still_
    > hate csh).


    What do you prefer? zsh?

    > As far as editing with "any text processor", you do have to be aware that
    > some "user friendly" editors (pico - the skript kiddiez friend is one
    > example) auto-wrap lines longer than 70-odd characters at a word break,
    > and that will screw up your day just fine.


    Ah come on EMACS baby!!! (I bet you're a vi guy!)

    Imhotep

    > Old guy
    Imhotep, Sep 3, 2005
    #16
  17. Imhotep

    Imhotep Guest

    Shadus wrote:

    > On 2005-09-01, Jim Watt <_way> blabbed:
    >> I gave up on SCO because of editing in vi

    > Lol, vi (vim specifically) is my favorite editor. It's simple,
    > powerful, and does everything I could want out of an editor for source
    > code, text files, configs, etc. I can use emacs in a pinch, jed, jove,
    > pico, nano, whatever. I prefer vi, even use it in windows when I'm
    > forced to work there.


    Are there no Emacs guys/girls around here????


    > To give up an entire os because you don't like/can't grasp its default
    > editor seems... eh nevermind, it speaks for itself.
    >
    >> All this cryptic stuff is very fine, but these days now
    >> storage is cheap its utility is outweighed by the trouble
    >> in learning it and getting it right.

    > I don't understand what you think is cryptic, especially since the
    > original thread regarded the registry if I remember right. The
    > original point if memory serves was that unix config files are much
    > simpler than the registry and safer too since a single change in one
    > value won't leave your machine in an unbootable state.
    >
    >> My first job was maintaining programs written in machine
    >> code without any documentation, it taught me that often
    >> the readable version is better.

    > Which is why all the good commenting in most unix config files is really
    > nice... compared to the registry, especially when dealing with 3rd party
    > applications and programs which may or may not have a key there that is
    > required... shrug, I'll stick to configs.
    >



    Im
    Imhotep, Sep 3, 2005
    #17
  18. Imhotep

    Imhotep Guest

    Jim Watt wrote:
    <snip>
    > But this is yet another bit of MS bashing which is getting tedious.


    Why is it whenever anyone criticizes MS you always use that lame ass excuse
    about bashing?

    It is a fact, the registry sucks...

    > --
    > Jim Watt
    > http://www.gibnet.com
    Imhotep, Sep 3, 2005
    #18
  19. Imhotep

    Jim Watt Guest

    On Sat, 03 Sep 2005 16:49:23 -0400, Imhotep <>
    wrote:

    >Jim Watt wrote:
    ><snip>
    >> But this is yet another bit of MS bashing which is getting tedious.

    >
    >Why is it whenever anyone criticizes MS you always use that lame ass excuse
    >about bashing?


    Not 'anyone', just those who will criticise anything that MS do and
    anything I might say. Like yourself for example.

    >It is a fact, the registry sucks...


    in your opinion.

    --
    Jim Watt
    http://www.gibnet.com
    Jim Watt, Sep 3, 2005
    #19
  20. "Imhotep" <> wrote in message
    news:...
    > Shadus wrote:


    <snip>

    > Are there no Emacs guys/girls around here????


    Used to be (on the Amiga).

    CED Pro 2 knocked it into a cocked hat.. as did MultiEdit on the PC
    (required MS-DOS 3.02, though, IIRC. A pain on certain machines of the day)

    That said, I stayed clear of buying my own PC until something half decent
    came out (Windows 3.1, rapidly upgraded to a 3.11 hybrid)

    --

    Hairy One Kenobi

    Disclaimer: the opinions expressed in this opinion do not necessarily
    reflect the opinions of the highly-opinionated person expressing the opinion
    in the first place. So there!
    Hairy One Kenobi, Sep 4, 2005
    #20