05
Oct
2015

The Windows Registry: Vulnerabilities

So once again, I’ve had problems with Windows. I’m running good old faithful Windows 7 SP1, and whilst I was able to use the OS normally, I couldn’t open CCleaner. Or regedit.

Alarm bells ringing, I rebooted into safe mode as fast as I could. Some sketchy stuff was going on. I used Safe mode with networking to download Malwarebytes AntiMalware (I actually had it already installed, but I downloaded it again to be sure). Then something else happened.

I couldn’t run Malwarebytes. Or regedit. Or CCleaner. In safe mode. At this point, I let out a long sigh. Why, Windows, why do you drive me closer and closer to insanity. I run Linux as my main OS for many reasons, and this just got added to the ever expanding list.

So I was ready to download an ISO and reinstall from scratch. But I wasn’t done yet. Look at the screenshot below:

bs3

See what I have done? I renamed mbam.exe to notav.exe (any other name would have been fine, but I wanted to fool whatever mechanism was preventing me from running the exe). Luckily for me, Malwarebytes fired straight up under the different filename. I updated the database and ran a scan pronto:

bs1

bs2

Malwarebytes, you beauty! It found the offending registry keys and was able to remove them. You can see that ccleaner.exe, mbam.exe and regedit.exe, along with a load of other antivirus programs, are listed here to disallow execution (or shove into the debugger, I’m not sure why there are Debugger lines). It didn’t find anything else, so I don’t think any extra malicious exe’s were ran. I also ran an AVG scan and that came up clean, so I think I got away with something there.

I think I know where this came from. I was messing around with some dodgy files, and I think one of them bit. What really annoys me here though, is that at no point did I allow Administrator rights. I believe the registry changes were made from the user-level, which is pretty awful in terms of security. Now I think back, Malwarebytes no longer ran at startup but I didn’t think much of it. Now I know why.

So to sum up: I have been extremely lucky here. If this kind of manipulation can be done from the user-level, I could not imagine what else could be done. The Windows 7 install I use is just purely for gaming – I do no productive stuff and I don’t keep anything of importance on my Windows drives.

If you find that you can’t run your antivirus software, or CCleaner or regedit – do what I did, get Malwarebytes and rename mbam.exe to something else. It’ll be allowed to run then and clear out this registry crap.

You can avoid this by not being a plonker (like me) and not running slightly dodgy files… but that should be common sense by now. Stay safe everybody!

Reverse Engineering Javascript Email Malware
Ubuntu Linux Insurgency Dedicated Server: Workshop Content Working!

Leave a Comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.