Categories

Hiding in plain sight

Hiding

A lot of programs we install on our computer are automatically run when Windows starts and loads.

While this is not always necessary, there usually is not much harm in this.

But this behavior is also copied by malware writers to pass security checks. Their malicious program try to mimic legitimate programs that you might expect in your Windows startup programs.

Why hide when you can pretend to be something useful?

Copying the art of camouflage from the animal world, malware writers have been trying several methods over the years to hide their registry entries in the open. Sometimes by using (pseudo-)random names and sometimes by using locations that are relatively unknown to the general public. But also by pretending to be, or belong to, legitimate programs.

Arguably there are some 57 ways to make a file get loaded automatically.

The majority of them are  found in the registry. Not all of them apply when Windows loads, some get triggered by other events.

Running Internet Explorer for example loads the Browser Helper Objects.

Some of the most well-known and most used startup locations are the Run keys:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

or HKEY_LOCAL_MACHINE \SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

Together with entries from the Windows startup folder and other possible registry entries these are listed in the Startup database by research engineer Paul Collins aka Pacman.

This database gives you information about the Name of the startup key, the name of the file that gets started, whether the startup is needed, not necessary or even downright malicious. It also has a column where you can find extra information about the files. This can include a link to the site of the manufacturer or a link to a description of the malware.

Skype

As you can tell from the screenshot (or if you do a search on the site for yourself) there are a few filenames that are very popular to disguise malware. These are typically entries that are very popular (like skype.exe) or entries that look very much like a legitimate windows filename (i.e., svchost.exe).

If you check your own registry or make a log file with the startup information, a file like skype.exe may jump out at you if you have never installed the program. But if you showed that log to someone else, they might not know if you use the program. That is why experienced and trained log readers pay attention to the folder the file is found in.

Default for the legitimate skype.exe is %ProgramFiles%\Skype\Phone where %ProgramFiles% is an environmental variable that points to the Program Files directory, usually C:\Program Files or C:\Program Files (x86).

Any skype.exe located in another folder should be looked at closer. Another important point is the name of the startup. For the legitimate skype.exe (and many fake ones) the name is “Skype”, but there are others, like the malware shown in the example that uses “Skype Update”. That may have been an attempt to make it look less conspicuous if the real Skype is present as well.

If you need to know more about Windows startup programs and especially how to identify them then we recommend you visit Pacman’s Portal  – which is powered by Malwarebytes.

Thank you, Paul Collins, for your input.


  • https://www.facebook.com/tony.kleinkramer Tony Kleinkramer

    A similar site you may be familiar with, which lists not only applications triggered through the Run keys or the Startup folder, but also from many other Registry locations is of course http://www.systemlookup.com/

  • https://www.facebook.com/tony.kleinkramer Tony Kleinkramer

    … but, I might add: congrats to Paul Collins for his excellent List, and for finding a new home and Kudos for Malwarebytes for snapping him up! :)

  • https://www.facebook.com/Paccers Paul Collins

    Thanks Pieter & Tony – much appreciated :)

  • Theodis Butler

    Why don’t malware writers just have the same names as popular programs/system or store themselves in the same locations? I think this would truly be hiding in “plain sight”. I’m sure nobody would miss calc.exe or mspaint.exe.

Subscribe to our YouTube Channel