Security experts stake out Windows spyware hiding place

Security experts are debating whether a security vulnerability in a Windows tool could offer a hiding place for spyware.

According to a report filed by security researcher Igor Franchuk, the Registry Editor in Windows XP and 2000 suffers from a security vulnerability. Entering an abnormally long string into the Windows registry makes all subsequent entries invisible to the tool.

The reported vulnerability could prevent spyware, keystroke loggers and other malware from being detected by spyware and antivirus tools, Franchuk warned.

"If a registry scanning tool that is looking for malware scans the registry and does not handle the long key properly, it is thus missing a malware infection," Mitchell Ashley, chief technology officer at StillSecure, told vnunet.com.

The Windows registry is a system file within the operating system that, among other things, instructs the software which applications to launch when Windows boots up.

A spokeswoman for Microsoft pointed out that the flaw hides the registry entries only from the Registry Editor, and that Windows offers other ways to look at the registry.

She added that this is not a security vulnerability but a function of the tool that could be abused. Microsoft is reviewing the report to determine whether it affects customers.

Several spyware detection and removal tools use the Registry Editor in their search for malware, and as a result fail to detect entries that are hidden behind a long text string.

Some of the affected products include the Microsoft AntiSpyware Beta, some versions of HijackThis, Norton SystemWorks 2003 Pro and WinDoctor version 7.00.22, according to the SANS Internet Storm Centre.

Other applications, however, are not affected, including StillSecure Safe Access and the free tools Spybot S&D and HiJackThis version 1.99.1 and up.

While the SANS Internet Storm Centre reported that it had seen some malware that possibly used the reported flaw to avoid detection, Microsoft contended that it is not aware of any attacks that exploit the vulnerability.

Dave Cole, product manager at Symantec, described the report as a "red herring".

"We tried exploiting it and came up with nothing, and others have done the same
with no dice," he wrote in an email to vnunet.com.

"While the vulnerability is valid, the ability to exploit it to accomplish any misdeeds is unproven at this point, and presumably unlikely."

But Ashley maintained that his team has coded a software application that creates a long registry key followed by an instruction for applications that Windows should launch at boot-up.

"We have programs that will insert these long keys and show that other programs are unable to detect it," he said.

Security website Secunia rates the vulnerability as "not critical". The risk of users getting infected is low because an attacker needs to have physical access to a system or breach its security before they can exploit the vulnerability.