Prior to Windows 2000, HKCR was just a symbolic link to HKLM\Software\Classes that only administrators could write to. This meant that operations performed on HKCR\.txt actually occur in HKLM\Software\Classes\.txt. Windows 2000 introduced per-user registration data, so now HKCR is a merged view of HKLM\Software\Classes and HKCU\Software\Classes (which the user can write to). If a key exists in the latter, it takes precedence. So now an operation on HKCR\.txt occurs in HKCU\Software\Classes\.txt if that key already exists; if it doesn’t, the operation occurs in HKLM\Software\Classes\.txt as it had in the past.Note that HKCU keys take precedence over HKLM and user has all the rights to modify HKCU\Software\Classes. It is this implementation that now opens up a 'vulnerability' for Malware writer to exploit. Even rogue antivirus "XP Guardian" is exploiting this hole. This support note from Microsoft shows how to exploit this hole.
Most of these Malwares also use the "%Temp%" or even "Temporary Internet Files" folders to park their malicious executable code with total impunity.
Since most computer only serves one user, particularly notebook and netbook, it is pointless to struggle so hard to gain control of the HKLM and protected resources that required elevated privileges. The end result is almost the same - carrying out the dirty deed with total impunity. Anti-Virus program are often of little help.
This problem allowing HKCR to take precedence, even in Vista, allows attackers to exploit this hole in XP, Vista and Windows 7. Even running LUA will not be a good defense against this form of attack and anti-virus is even more ineffective.
No comments:
Post a Comment