Null Keys

changkra

This one has been doing my head in now since September. Anyway to cut a very long story short can anyone tell me if viruses and trojan can be hidden in Null Keys.

Many thanks

espresso

Go on, what are Null Keys?

System

I know what null keys are in relation to databases but don't think that the OP is talking about these

espresso

Surely having good protection is the real key.

nickmack

!!!!!! wrote: »

I know what null keys are in relation to databases but don't think that the OP is talking about these

I think the OP is referring to Windows Registry 'Null Keys'.

OP - Is that correct? What exactly have you heard?

CHR15

So much for cutting a long story short!!

changkra

nickmack wrote: »

I think the OP is referring to Windows Registry 'Null Keys'.

OP - Is that correct? What exactly have you heard?

Yes you are correct. Sorry I didn't add more info I didn't want to bore anyone. Basically what has happened is EA games have changed their anti piracy software from Safedisk to Sony DADC SecuRom. Now there are loads of people threatening to sue EA over this because they say it has stuffed up their virus checkers and kicked the firewall out completely. They are also saying it is a security threat and leaves these null keys in the registry which is where viruses and trojan can be hidden. To be honest there is a hell of allot of miss information being said. SecuRom does not stuff your PC up but they insist it does due to reading information on the web which is at least 2 years a out of date.

If i've not explained it very well i apologise, any more info can be found at

https://www.thesims2.com on the SecuRom thread on the BBS.

changkra

CHR15 wrote: »

So much for cutting a long story short!!

Sorry for cutting it short I just felt posters would actually have better things to do that read a sorry tale of woe on anti piracy.

Alfie_E

I saw this just after you’d posted. It’s such a complex subject, I thought that “Yes, you can put anything you want into the registry. Is this about SecuROM?” wouldn’t be too helpful. So, here’s a more full answer.

Yes, you can store anything you like in the registry. So that could be some, or indeed most, of the data associated with a virus or other malware. However, you can’t place code in the registry and expect it be executed by Windows. You would need your own code elsewhere, to extract the data and use it.

Equally, null keys don’t necessarily indicate the presence of malware. Null keys come about due to the way Windows NT, including XP and Vista, are built. Windows NT was built to replace the old DOS-based Windows. Windows NT was a clean start. The lowest level gubbins were written as a more generic base on which the rest of the system could be built. Then, to make it look like Windows, so it could run the programs that people already had, they slapped a layer over the top to make it look like Windows. The article Inside Native Applications has more explanation.

To be as generic as possible, this base layer can handle null characters in strings of characters. All characters are stored as numbers. The null character is the one that is stored as the number zero. Unix-like systems are quite happy to accept most characters in most places; you could stick a null character in a filename, for example. The Windows layer doesn’t work like that. It treats the null character as representing the end of a string of characters. Windows programs are unable to give the key name needed to access a key with a null in it. For this reason they can’t be accessed or removed. There’s more on null keys at Hidden Registry Keys.

It’s this discrepancy between what the Windows world sees and what is truly there that causes the issue. Rootkits are programs that attempt to hide their presence. So, they are there, but don’t show up easily from within Windows. They are deliberate attempts at concealment, and usually involve changing the way Windows behaves. See Hide’n’Seek? Anatomy of Stealth Malware. The null-key issue is a Windows quirk, it’s there by design and using it doesn’t make software a rootkit. However, it will create a discrepancy. This is why a SecuROM key is picked up by RootkitRevealer.

Why does SecuROM do this? It was an ill-conceived attempt to reduce support costs. If you remove all your SecuROM registry keys, you lose all your SecuROM licenses. If you have ever used Windows Media Player with DRM protected content, the license information will be stored in files in a folder like “C:\Documents and Settings\All Users\DRM”. SecuROM does store vital information in files, but also some of it in the registry. Rather than just put in a value with the name “!CAUTION! NEVER DELETE OR CHANGE ANY KEY”, they put in one called “!CAUTION! NEVER DELETE OR CHANGE ANY KEY*”, where * represents the null character. So now, not only can you see using a registry editor that you should not delete the key, the registry editor won’t be able to delete it anyway.

SecuROM does a similar trick with its files. It embeds strange characters in their names, so they’re impossible to delete using Windows Explorer. Windows Media Player’s DRM files are protected only by having them set to hidden. Set Windows Explorer to show hidden file, and you can delete all your Media Player licenses, either deliberately or by accident.

All in all, this was a stupid idea by Sony DADC. SecuROM is not a rootkit, but they’ve gone out of their way to make it look like one. What makes it worse is that Sony have already been in legal trouble for producing something that truly is a rootkit; it conceals itself by modifying the behaviour of Windows. See Sony BMG CD copy prevention scandal. Threats to sue may come out a judgement in an American court that prohibits Sony from doing anything similar in future. People have argued Sony have violated this judgement.

The waste matter really hit the rotating air-moving device with BioShock. This managed to combine the rootkit controversy with a ludicrously restrictive and clandestine licensing system. If you have plenty of time, you might want to look at the epic thread Please take all SecuROM and activation issues here! Thank You, on the 2K Forum.

changkra

Thank you so much for your amazing post, I am certainly now wise Oh, and yes it is due to SecuRom.