Debuggered

0 SophosLabs
by

In the recent article, Delete files that don’t exist, Stephen described a malware using the registry to delete a certain file upon launching. The same registry key is used in another way now. By adding the following registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\<command to hijack>

with value name of “Debugger” and Value containing the path to a handler, malware can disable applications or launch itself whenever the user attempts to launch the hijacked application. Below is a demonstration.

Modifying the registry with registry editor
Modifying the registry with registry editor

I have added a new registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.exe

and added the value Debugger to point to Notepad.exe

Upon modification, each time i run cmd.exe, notepad.exe will open and load the binary cmd.exe.

Loading cmd.exe binary with Notepad.exe
Loading cmd.exe binary with Notepad.exe

Yet another way to exploit the poor registry.

Free tools

Sophos Firewall Home Edition

Boost your home network security.

Sophos Scan & Clean

Free second-opinion scanner for PCs.

Sophos Cloud Optix

Monitor 25 cloud assets for free.