Long Registry Keys Can Help Hide Malware

Last week an interesting discovery was made regarding the Windows registry. Apparently long keys cannot be viewed or deleted using the registry editing tool regedit nor by using many other third-party tools designed to detect malware. Registry keys that exceed 254 characters in length are basically invisible unless the tool being used to read the registry is designed to accommodate longer keys.

Igor Franchuk discovered  the problem, which was made public in a bulletin posted by Secunia. The end result is that intruder and propagators of spyware could use the tool vulnerabilities to help hide malware on a system. A complicating factor is that all keys that reside under a long key might also remain invisible even if those subkeys are shorter than 254 characters.

SANS made light of the discovery last week and readers shared insights of their own research of the problem. Current versions of tools such as Spybot Search and Destroy, HiJackThis, Sysinternals Autorun, Regedt32, and others can read the excessively long keys. Other popular tools, such as Microsoft Antispyware beta reportedly cannot read long keys. You can learn more about readers' discoveries in the SANS Handler's Diary entries dated August 24, August 25 , and August 26.

The bottom line is that to ensure nothing has been slipped into the registry you should check the registry using a tool that is known to be able to handle long keys.