Image File Execution Options
Tuesday December 9, 2008 at 2:40 pm CST
Posted by Lokesh Kumar
Malware authors continue to find unique ways to ensure that their malicious code runs at system start-up.
One such method is through this lesser known registry key:
HKey_Local_Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
This registry key is intended to specify the name of a debugger, in this case “Olly Debugger,” based on which one can debug an application when it starts.
For example:
To debug notepad.exe when it starts, one simply has to go to this registry key and create a subkey called notepad.exe.
A string value is then created for this subkey, assigned the name “debugger,” and given a value. In the case of Olly debugger, this is what it would look like:
This now ensures that every time the notepad application is invoked, Olly debugger runs instead, which, in turn, opens notepad, enabling it to be debugged.
Here’s the unique aspect about this registry key:
If we replace the debugging application (Olly debugger in this case) with a malicious executable (e.g., trojan.exe), the control will now be redirected to trojan.exe every time notepad.exe is run.
Microsoft intended this registry key to be a useful feature; however, there exists no mechanism whereby Windows can check whether the application to which control is being redirected is, in fact, a rogue application.
I managed to find information on this start-up method, which dates back to 2005. Unfortunately, malware authors are exploiting this very feature to:
1. Start up malicious files, even though the unsuspecting user intends to run another clean application
2. Disable security products, by redirecting the security products’ processes to malicious processes
Tools such as msconfig.exe, intended to check for start-up entries, are underequipped to handle this and do not detect applications that use this redirection technique. Users are advised to use “Autoruns” from Sysinternals instead.
See the screenshot below:
On a related note, the next time you happen to struggle with a severely infected machine with no anti-virus solution or with outdated signatures, you can redirect the malicious process to a clean file using the technique mentioned above.
For example, you can redirect “trojan.exe” to a “clean.exe”. See below:
The next time the malicious process tries to execute itself, the clean file will instead be executed, thus preventing the malicious file from spawning again. As always, remember to back up your registry before doing this.
December 10th, 2008 at 05:14
This has been in NT since the outset. Yes, it’s intended as a debugging aid, but it is hardly a malware hole. You need admin rights to tweak it.
December 10th, 2008 at 05:21
writing in HKey_Local_Machine requires administrative privileges.
December 10th, 2008 at 08:10
Ken – the author never said this was a hole. This is just bringing attention to another technique to autorun something malicious. Malware authors take advantage of it seems like a dozen or more methods to autorun their programs, and many do require admin rights. Malware authors also take advantage of uncountable attack vectors that will get at your users PC’s. And guess what? most shops run with users as admins as do most home users. but more importantly, IT administrators need to know about these techniques so we can intelligently fight new malware ourselves when our AV vendor’s product does not have an update yet.
December 10th, 2008 at 09:04
Um, Ken/suc – most users run with admin privs. Thats how malware gets a hold in the first place.
Thanks Lokesh – informative post.
December 10th, 2008 at 12:25
Thanks for explaining image file execution stuff.