Data Security: Resource

CLASSIC WAY TO RUN SPYWARE IN WINDOWS

 Search Resources
Hot Words
Key Words
In Field



 By Chris Gudy
Classic Way to Run Spyware in Windows
Fundamentally, automatic starting is a normal functionality of operating system. Each operating system has its mechanisms to support developers or users to arrange automatic starting. Windows operating systems are no exception. As a matter of fact, even before Windows, Microsoft offered automatic starting in its first personal computer operating system DOS. In this legacy operating system, there are two famous autostart files as here.

config.sys: It is used to load driver at computer boot.


autoexec.bat: It is used to call exe file, com file, and bat file after config.sys is processed.


When the first Windows operating system appeared, it brought a new starting mechanism: ini file. Next, registry came, and it became more and more strong. Naturally, registry is the home of all saved information that is written by either system programs or user programs, starting information is only a part of it. Because Microsoft hopes that its all operating systems are able to be compatible with previous versions, this commercial requirement leads that new operating systems have to inherit those legacy mechanisms of startup. This is also an important reason why there are more and more starting ways in operating system of today. Some are developed to meet with new features of new operation system, and some are just to offer compatibility for previous software.

In fact, these starting mechanisms birthing in different time and different technology environment certainly confuse users and developers as well as Microsoft itself. Despite that Microsoft declared several times about getting rid of obsolete mechanism and it indeed gives up some old ways, for example, it does not support config.sys and autoexec.bat again since Windows ME, but up to now many of them are actually processed during boot. As you guess, the old starting ways that Microsoft declares to throw off, no longer appears in documents of new operating systems, but are actually implemented in new operating system are ideal candidates for spyware, especially those that are mentioned or used occasionally.

Since Windows 98, Microsoft begins to supply with a utility for system configuration, namely MSConfig.exe. It gives a convenient interface for management of automatic starting while Windows boots. This file is placed in Windows installation folder. Most users get knowledge about automatic starting from the utility. However, it cannot manage all starting methods, including some formal methods. For example, it does not show the content of the sub-keys RunOnce, RunOnceEx, RunOnce\Setup, and RunServicesOnce that all cause an automatic starting. Developers of spyware research this program not for employing it to start spyware, but for discovering what methods are popularly known and what ways are behind the view of common users. Obviously, in all formal ways, to choose those out control of usual tools is a wiser decision.

At last, it must be admitted that some starting methods are easy to understand, set, and cancel, whereas some are on the opposition. Common software might choose the simplest ways to get its destination, conversely spyware never do so. Spyware generally do not concern consume of resource, because complicated technology, structure, and relationship will be definitely helpful to block others to analyze. So, in spyware, it is a particular feature to choose methods of automatic starting as complex as possible.

Summary of Legacy Auto-start Files

In contrast with registry and startup folders, autostart files is absolutely a legacy method. Most programmers might throw it away for many years. Theoretically, programmers working on Windows 2K/XP have little chance to encounter autostart files. And from the Windows ME, the early autostart files, such as config.sys and autoexec.bat, are no longer supported. But, unfortunately, in the world of spyware, autostart file is researched and exploited up to new. Unless autostart file is abandoned at all Windows platforms, you always can see its track in spyware. We examine autostart files as following.

Win.ini file: This is the system file used to start programs under the older Windows 3.x systems. It has been included for compatibility with Windows 3.x. Windows 2K/XP do not use it again, but they still support it. In fact, this file contains information about initializing the operating system. The content about automatic starting is in section [windows]. Spyware can employ it in two ways. The first is to execute a program referred to in the file like: Run=[file name] and Load=[file name]. The second is to associate some suffix, for example doc, with a spyware that would run every time a file with such a suffix is executed. Basically, items in this section are grouped into two categories. The [Load] category starts programs before user logins, whereas the [Run] category starts programs after user logins.


Because, this is a legacy file from early 16-bit Windows, the file name assigned to Run or Load has many limitations. By default, it is an empty string. If it is not an empty string, it must contain no blanks. Notice that composing of full file name in quotes is not admissible. In these values, several file names can be enumerated by comma. Usually they are used for drivers loading, but spyware also employs it occasionally. As we discussed before, in Windows operating systems after Windows NT, the content of this file are mapped into sub-key Software\Microsoft\Windows NT\CurrentVersion\Windows.

System.ini file: This file contains settings for hardware of system. Up to Windows 98, it supported the [shell=] command in [boot] section, which is used to specify a user shell to launch at system boot time. Its default value is Explorer.exe. As you guess, assigning the parameter with a new program will hack the machine. If developers use own file to substitute the Explorer.exe in this shell command, their file will definitely be activated. Usually after you do what you want to do, you should transfer the control to real Explorer.exe as soon as possible. Otherwise, this hacking will be discovered quickly. On recent Windows operation systems, such as 2K/XP, the shell command is ignored, though they still support System.ini.


Autoexec.bat: This file is relevant only on operating system before Windows 98. For backward compatibility, it supports launching programs by simply including a line that refers to the program file. If it is present, it will typically be located in root folder.


Winstart.bat: This file is normally used to start old DOS program in Windows environment. It is only in Windows 98 or previous versions. Spyware can include a line with the syntax @[program name] to run an executable. If it is present, it will typically be located in root folder.


Wininit.ini: This file is created with Setup programs when new software is installed and some action is required by the system to complete the installation after reboot. For example, when you install a new hardware driver, your install program might make you reboot the system. In order to continue after rebooting, you should write an entry in wininit.ini before shutdown. As the system is rebooting, this entry in wininit.ini will run some program during the boot process. In some cases, spyware might employ it. The file is effective on both Windows 95/98/ME and Windows 2K/XP.


Config.sys: This file is relevant only on operating systems before Windows 98.The later ones ignore it. This file loads low-level DOS-based drivers, and is not included on some Windows. If it is present, this file is usually located in root folder.


Undoubtedly, autostart files as a kind of method to start automatically will become less and less useful in future spyware. In new Windows operating system, there is no more new autostart file to be added. As far as the existing files, Microsoft is trying to get rid off them from new systems. Even those that are saved are becoming less attractive than before, because they are not mysterious as in pervious. Nevertheless, spyware of today still exploits autostart files occasionally.