rootkits

I just used RootkitRevealer and it found 2 paths that contained "Keyname
contains embedded nuls (*)". Both are HKLM\SOFTWARE\Classes\CLSID\{numbers}
keys.

Should I be worried? do something?

Thanks.

Jeff

Mark
Sat Sep 02 22:05:50 CDT 2006

Delete them.

Explenation:

A word, sentance etc in a computer is made up of a set of bytes one after
eachother, in almost all windows programming systems the way of telling how
long a string is involves looking for a character with value 0, the nul
byte. This indicates the end of a string (a string being a word, letter,
line of text etc).

When you copy a string, usually you only copy up to the nul, a string copy,
for example if you were to copy the text "{12381-2132-12231-1221}" blah
blah, you get the idea at the end of the quotes is a nul character, so you
could quite easily copy that visible text.

Some application interfaces give a way of specifiy a length of a string,
including the registry methods, so it will not stop copying the string when
it reaches the nul, it will keep on going past it...

Not a problem you say? well, there is...

In almost every single program not explicitly looking for this kind of hack,
the string will only be read up to the nul, and therefore when you look at
it in something like reg edit, reg edit will only show you the letters up to
the nul - everything after is hidden because to the text writing API its
'off the end'.

This means that 2 things that look identical actually arnt, and can be used
to hide nasty things.

--
- Mark Randall
http://www.temporal-solutions.co.uk
http://www.awportals.com

"Jeff" <jeff@naol.com> wrote in message
news:ehofU1rzGHA.996@TK2MSFTNGP03.phx.gbl...
>I just used RootkitRevealer and it found 2 paths that contained "Keyname
>contains embedded nuls (*)". Both are
>HKLM\SOFTWARE\Classes\CLSID\{numbers} keys.
>
> Should I be worried? do something?
>
> Thanks.
>
> Jeff
>

siljaline
Sat Sep 02 22:41:08 CDT 2006

"Jeff" wrote:
>I just used RootkitRevealer and it found 2 paths that contained "Keyname contains
>embedded nuls (*)". Both are HKLM\SOFTWARE\Classes\CLSID\{numbers} keys.
>
> Should I be worried? do something?
>
Contact Mark via his Blog for additional assistance.
http://www.sysinternals.com/Blog/

Silj

--
siljaline

MS - MVP Windows (IE/OE) & Windows Security, AH-VSOP

Security Tools Updates
http://aumha.net/viewforum.php?f=31

Reply to group, as return address is invalid that we may all benefit.

Roger
Sun Sep 03 00:00:56 CDT 2006

"siljaline" <siljaline@nospam.com> wrote in message
news:u%23%23WzqwzGHA.3568@TK2MSFTNGP03.phx.gbl...
> "Jeff" wrote:
>>I just used RootkitRevealer and it found 2 paths that contained "Keyname
>>contains embedded nuls (*)". Both are
>>HKLM\SOFTWARE\Classes\CLSID\{numbers} keys.
>>
>> Should I be worried? do something?
>>
> Contact Mark via his Blog for additional assistance.
> http://www.sysinternals.com/Blog/
>

Does he actually have time for that any longer now that he is with MSFT ??

--
ra

siljaline
Sun Sep 03 00:28:59 CDT 2006

"Roger Abell [MVP]" wrote:
> Does he actually have time for that any longer now that he is with MSFT ??

Roger,

I would hope Mark is reading his Blog entries for now.
Perhaps later he will create and post another?

Good luck to Mark @ MS!

Silj

--
siljaline

MS - MVP Windows (IE/OE) & Windows Security, AH-VSOP

Security Tools Updates
http://aumha.net/viewforum.php?f=31

Reply to group, as return address is invalid that we may all benefit.

Roger
Sun Sep 03 03:51:51 CDT 2006

Such reg entries are not normal, and can be less than
the worse case one might imagine.
Can you see what accesses them, like with regmon? or
does the component class info give any hints about them?

"Jeff" <jeff@naol.com> wrote in message
news:ehofU1rzGHA.996@TK2MSFTNGP03.phx.gbl...
>I just used RootkitRevealer and it found 2 paths that contained "Keyname
>contains embedded nuls (*)". Both are
>HKLM\SOFTWARE\Classes\CLSID\{numbers} keys.
>
> Should I be worried? do something?
>
> Thanks.
>
> Jeff
>

karl
Sun Sep 03 07:56:51 CDT 2006


"Jeff" <jeff@naol.com> wrote in message
news:ehofU1rzGHA.996@TK2MSFTNGP03.phx.gbl...
>I just used RootkitRevealer and it found 2 paths that contained "Keyname
>contains embedded nuls (*)". Both are
>HKLM\SOFTWARE\Classes\CLSID\{numbers} keys.
>
> Should I be worried? do something?

No. Those keys are not used to launch programs at boot up. What is
happening is that Rootkit Revealer is using two different methods of
enumerating the Windows registry looking for apparent differences between
the two, and one way of enumerating the registry has trouble with nuls,
making the two views look different.

--
kind regards,
Karl Levinson, CISSP, CCSA, MCSE [MS MVP]
--------------------------------
Microsoft Security FAQ:
http://securityadmin.info

karl
Sun Sep 03 08:00:46 CDT 2006


"Mark Randall" <markyr@gEEEEEmail.com> wrote in message
news:Oo5I$XwzGHA.4932@TK2MSFTNGP02.phx.gbl...
> Delete them.

Are you sure these values aren't legitimate and possibly important?

Maybe the original poster could post the exact names and values of these
registry values.

> This means that 2 things that look identical actually arnt, and can be
> used to hide nasty things.

But given that this was only found in the CLSID section of the registry,
does it seem likely that something is being hidden?

Mark
Sun Sep 03 08:09:46 CDT 2006

"karl levinson, mvp" <levinson_k@securityadmin.info> wrote:
> But given that this was only found in the CLSID section of the registry,
> does it seem likely that something is being hidden?

This is what I suspect, theres certainally no reason to have nul's in the
CLSID hives (or practically anywhere, for that matter).

--
- Mark Randall
http://www.temporal-solutions.co.uk
http://www.awportals.com

Zoned
Sun Sep 03 17:47:22 CDT 2006

Try other anti rootkit programs.

Find a list at http://www.antirootkit.com/software/index.htm

Good luck,

Z