In a recent blog, I mentioned that Office documents were a great place to hide malware in order to maximize its chances of distribution. This time I want to draw attention to the fact that the Windows Registry is also another handy reference tool for some Trojans, too.
A Trojan will usually drop another copy of itself or a components as part of the installation process to try and throw users off track. So, typically a Trojan would run and as part of its installation process, it would drop a copy of itself using another filename in, say, the Windows System folder and modify the registry to run itself at every restart of the computer.
The goal of any effective profit-making malware is to get installed and run undetected for as long as possible to try and maximize the profit-making window. Many angles of attack and stealth have been explored by malware authors over the years. Some are high tech, as we see with rootkits. Some are low tech, such as in disguising themselves as commonly used applications. In an interesting twist, we have seen another low tech (but effective) camouflage technique used by a recently discovered Trojan called Trojan.Zonebac.
This Trojan will scan the registry RUN keys during its installation process in order to find out what other applications are already set up to run on the computer. Then it thoughtfully (!) makes a back up of the file referenced by the chosen registry key. After making the backup, it proceeds to replace the original with a copy of itself, keeping the same file name. The next time you restart your computer, the Trojan will be started and then it will also run the program that it had backed up so that you don’t notice any change in system behaviour.
This can help it avoid detection because users will not notice anything particularly strange unless they dig deeper into their file system, and they are unlikely to do that because everything appears to be working as normal.
In any case if anybody did check the registry, they will find that nothing has changed and the application files appear to be still there. I like to think of this technique as a poor man’s rootkit, it hides the changes and files from the users, but doesn’t require any special advanced programming techniques to be employed.