Cross referencing Sony rootkit cloaked CLSID WinXP registry keys

Discussion in 'Spyware' started by Pamela Fischer, Nov 21, 2005.

  1. How do mere mortals find the actual "product owner" of scores of cloaked
    CLSID registry keys which the SysInternals rootkit revealer revealed?

    The background on this simple question is lengthy (and in the public record
    already) - essentially, I ran Mark Russinovich's SysInternals rootkit
    decloaker ( http://www.sysinternals.com/utilities/rootkitrevealer.html )
    which found scores of cloaked Windows XP registry keys & files containing a
    universally unique identifier (UUID) in the form of an 8-4-4-4-20 hex class
    id which I still don't know what to do with.

    Here is just one example of a cloaked CLSID key whose product line I am
    trying to figure out.

    - HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}
    \InprocServer32* 6/16/2004 9:19 PM 0 bytes Key name contains embedded nulls
    (*)

    To find the product associated with that unique class id, I searched the
    Microsoft CLASSID web site
    http://www.microsoft.com/technet/prodtechnol/host/proddocs/appint/asdefclassid.mspx
    but I didn't find any lookup table cross referencing these unique 40 hex
    characters to a unique product line.

    What am I missing?
    Does such a cross-reference table actually exist?
    How are we supposed to figure out the product owner of these 40 character
    hex class ids?

    Thank you in advance for your assistance to me and all with this question,
    Pamela Fischer
     
    Pamela Fischer, Nov 21, 2005
    #1

  2. [snip]

    Thank you, Pamela :)
     
    Vrodok the Troll, Nov 21, 2005
    #2

  3. Hi Vrodok,

    I don't understand your idealized comment above.

    Apparently, Pinnacle Studio 9 is using Microsoft ineptware to hide its
    registration keys from the user.

    It's beginning to seem more and more likely this particular cloaked key
    reported by the Sysinternals RootKit Revealer is the result of Microsoft
    ineptware. It seems that, in the SOFTWARE hive, the InprocServer32 key
    is defined somehow on my system as a 15 character long string where
    Microsoft says it should be only 14 characters long; so not only can you
    not open the key in REGEDIT
    (http://www.sysinternals.com/Forum/forum_posts.asp?TID=1689&get=last#6776)
    but it also remains hidden from view
    (http://www.sysinternals.com/Information/TipsAndTrivia.html#HiddenKeys).

    All this I only gathered haphazardly after googling for the specific
    CLSID. At the moment, I tentatively conclude this particular rogue
    InprocServer32 registry entry "might" be related to Pinnacle Studio 9
    hidden registration keys as reported in the Sysinternals blog forum
    articles http://www.sysinternals.com/forum/forum_posts.asp?TID=1955&PN=1
    and http://www.sysinternals.com/Forum/forum_posts.asp?TID=1731&PN=0&TPN=2
    and http://www.sysinternals.com/Forum/forum_posts.asp?TID=1689&PN=1 and
    http://www.sysinternals.com/Forum/forum_posts.asp?TID=1689&get=last#6776

    Also, Ben Fulton, in the UK, seems to have run into this hidden
    registration key http://www.developerfusion.co.uk/forums/topic-28065 and
    its reputed Sony-like ineffective ineptware uninstaller
    http://www.pinnaclesys.com/PublicSite/us/Products/Consumer+Products/Home+Video/Studio+Advanced+Video+Solutions/Studio+Plus+version+9+Support/Download+Area/Tools/Registry+Cleaner+for+Studio+Products+-+RegDelete+version+9_x.htm?mode=documents

    However, all this is very hit or miss (as reported to Mark Russinovich at
    http://www.sysinternals.com/forum/forum_posts.asp?TID=2510&PN=1&TPN=1 ).

    Given the unique explanation of the CLSID key
    (http://msdn.microsoft.com/library/default.asp?url=/library/en-us/com/html/4edbbd9d-7ea1-4476-aee7-eaf30e54db8d.asp) why isn't there an
    easy to find cross-reference lookup table?

    How are mere mortals supposed to look up scores of these issues?
    Where is the unique product-to-CLSID cross reference table out there?

    Thanks to experts, in advance, for helping me, and all others,
    Pamela Fischer
     
    Pamela Fischer, Nov 21, 2005
    #3
  4. [snip]

    My initial comment referred to your posting of all that information. Once again,
    thanx.
     
    Vrodok the Troll, Nov 21, 2005
    #4
  5. Pamela, if the Root kit revealer found anything then I would reinstall. On
    this system which doesn't do much on the Net it came up empty. As for the
    answer to your question you could look at the file the CLSID pertains to in
    the registry. Then go to that file and right-click choose Properties and if
    there is a version tab read the copyright holder.
     
    George Hester, Nov 21, 2005
    #5
  6. Pamela Fischer

    David Candy Guest

    CLSIDs are randomly generated by whoever wants one. There is no requirement (or means) to report generation of a clsid to MS. In fact the whole thing is designed to not require a central repository.
     
    David Candy, Nov 21, 2005
    #6
  7. Thanks. I do post as much detail as I can so the next gal who searches
    for this exploit can start off with much more than I did. The hope is we
    can improve our collective knowledge, bit by bit, in every post!

    Apparently, in this particular case, the makers of Pinnacle Studio 9 (and
    others) have exploited the fact that 15-character "illegal" software
    registration values in the Inprocserver32 key remain cloaked and hidden
    from the user even if the user knows about the existence of the key!

    We even get an error when we try to open the key in WinXP regedit!
    So, we can't even delete the key easily.

    Just as with Sony cloaking ineptware, the makers of Pinnacle Studio 9 are
    apparently exploiting known Microsoft Windows XP registry weaknesses.

    However, according to the SysInternals web page
    (http://www.sysinternals.com/Forum/forum_posts.asp?TID=1689&get=last#6776),
    there is a possible method to remove this particular cloaked registry
    entry.

    1. Make a backup of the WinXP registry with ERUNT (whatever that is).
    2. Open the backed up software file/hive with a hex editor.
    3. Search for the entries {47629D4B-2AD3-4e50-B716-A66C15C63153}.
    4. In the text panel, note the text string “InprocServer”.
    5. Note the hex value 0F (15) just before that text string.
    6. Change (edit – Overwrite String) this value to 0E (14).
    7. Change all similar entries found (as many as 12).
    8. Save this “software” file/hive.
    9. Restore the registry & reboot.
    10. Open the registry with regedit.
    11. Now you can finally delete the now-uncloaked entries.
    12. Optionally, run the registry optimizer NTREGOPT.
    13. Reboot and this particular cloaking problem is resolved.

    All this work to resolve just one cloaked CLSID tells me life would be
    easier for all of us if we at least had a lookup table for CLSID to
    product "owners".

    Does this CLSID to OWNER lookup table exist anywhere on the Internet?

    Pamela Fischer
     
    Pamela Fischer, Nov 21, 2005
    #7
  8. Hi George Hester,

    In a sane world, this would be our first logical choice.

    However, the makers of Pinnacle Studio (like the makers of the Sony
    ineptware cloaking) have taken advantage of an exploit of the Microsoft
    Windows XP operating system to disable this simple sane lookup.

    When we navigate to the specified key in regedit, we get an immediate
    error upon clicking on the key. So, even if we know this particular key
    is cloaked (which the SysInternals rootkit revealer correctly revealed),
    we can not view the key or the value of the key.

    Is this cloaking issue getting insane or what?

    By exploiting this registry weakness, simply assigning Inprocserver32 a
    15 character hex number instead of a 14-character hex number,
    automagically cloaked the software registration keys.

    We can't even easily remove them!

    Everywhere we look, we find exploits upon exploits of the Microsoft
    Windows operating systems. This one exploit alone took me hours to find
    out. I have about 19 more to go in my registry.

    Wish me luck (please help where you can as others will certainly follow).

    Pamela Fischer
     
    Pamela Fischer, Nov 21, 2005
    #8
  9. Oh my. I was afraid of that answer.
    Our worst fears are coming to fruition.

    Considering Google failed us on this CLSID-to-Owner search, is there at
    least a common place where we are supposed to go to report suspicious
    CLSID exploit shenanigans such as the one I just found with Pinnacle
    Studio CLSID {47629D4B-2AD3-4E50-B716-A66C15C63153} search?

    For example, if I hadn't gone directly to Mark Russinovich's forum on the
    SysInternals web site forum and searched there, I'd never have made the
    connection of this cloaked exploited registry key to Pinnacle Studio in
    the first place.

    Considering there is no way to even OPEN the key (which, of course, was
    the intent of the malware makers of Pinnacle Studio in using the exploit
    in the first place), what are our options?

    How does this look as a first pass CLSID-to-Owner generator?
    1. Search for the CLSID in google web & google groups
    (e.g., 47629D4B-2AD3-4E50-B716-A66C15C63153 )

    2. Search for the CLSID in www.sysinternals.com forums
    (e.g., http://www.sysinternals.com/Forum )

    3. Attempt to determine CLSID registry entry information
    (note that some cloaked CLSID keys prevent this!)

    4. If you must, work on a hexedited copy of the registry
    (this is the only known working approach to date)

    5. Search for files of the same date on your PC
    (this is how folks found this CLSID to be Pinnacle Studio 9)

    6. ??? any other methods to cross reference CLSID's ???

    Experts are asked to supply other ways of determining who the unique
    owner is of any particular cloaked CLSID so that the rest of us mere
    mortals can determine who is messing with our systems with malware!

    Frustrated & fatigued yet finally learning something fun,
    Pamela Fischer
     
    Pamela Fischer, Nov 21, 2005
    #9
  10. Pamela Fischer

    Peabody Guest

    Pamela, this may be a dumb suggestion, but can you Export
    the keys? If you can export these entries to a file you can
    look at and edit as text, then maybe you can do something
    with it. If you can't click on the entry itself, maybe you
    could click on its parent and export that whole section,
    then fix it in the .reg file, delete it from the registry,
    and then Import the fixed version back in.

    Well, it was just a thought.
     
    Peabody, Nov 21, 2005
    #10
  11. What makes you think Pinnacle is part of this type of vandalism? I know
    about Sony but I have not heard about Pinnacle. The way you get rid of
    something like that in the registry is saving a piece of the hive without
    that particular key and then importing that hive. Those here know better
    than I do; I hope someone can explain how to do it better, but that is what
    you will need to do.
     
    George Hester, Nov 22, 2005
    #11
  12. I could not select the InprocServer32 key (due to the exploit
    previously noted preventing any such action) but I could select the key
    above it and export that branch as text:

    File->Export->Save as type->Text files (*.txt)->Selected Branch
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}

    The problem was, no matter how many times and ways I tried exporting
    this key, I just got Cyrillic-looking gibberish of the format:
    ÿþK€e€y€ €N€a€m€e€:€ € € € € € € €
    € €
    €H€K€E€Y€_€L€O€C€A€L€_€M€A€C€H€I€N€E€\€S€O€F€T€W€A€R€

    What are we doing wrong?
    Why can't we export as text this key without getting gibberish as a
    result?

    For every action there is an equally confusing reaction,
    Pamela Fischer
     
    pamelafiischer, Nov 22, 2005
    #12
  13. The same software RootKit Revealer from Mark Russinovich's SysInternals
    web site that first found the Sony BMG First 4 Internet deceit also
    listed these Avid Pinnacle Studios keys as rootkit cloaked.

    And they *are* cloaked. But why?
    Apparently, for whatever deceitful reason, Avid Pinnacle Studios
    doesn't want you to know what they've done to your registry. But the
    rootkit revealer program noticed the sleight of hand.

    I've been told the following:
    "The kernel uses strings that follow the Pascal convention (first
    character = length).
    All user mode programs that access the registry (e.g., regedit or most
    3rd party tools)
    do so via Win32 API calls. These can only process zero terminated
    strings.
    Trying to open a registry key that does not have a zero terminated
    name will fail.
    The [cloaked] Pinnacle key can not be viewed, modified, or even easily
    removed
    by the typical user due to the exploitation by Pinnacle Studios of this
    Windows weakness."

    So the simple answer to your question is that the well respected
    SysInternals program is reporting this Pinnacle Studios activity as a
    root kit cloaked key (as far as I can tell).

    The question is now:
    Why is Pinnacle Studios doing this illegal exploit of Windows in the
    first place?
    Pamela Fischer
     
    pamelafiischer, Nov 22, 2005
    #13
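The length-prefixed versus NUL-terminated mismatch quoted above is exactly what an offline check can look for. The following Python is an added example, not code from the thread or from Sysinternals: it walks the nk (key node) cells of a hive image using the documented nk layout (name length at offset 0x48, name at 0x4C), compares each kernel-side name with what a NUL-terminated Win32 call would see, and reports names that contain an embedded NUL. The hive fragment is constructed inline from the key names in the thread, and the helper names are mine.

```python
import struct

# "nk" (key node) cell layout, offsets relative to the "nk" signature; the int32
# cell size sits 4 bytes before the signature and is negative while allocated.
NK_FLAGS = 0x02        # uint16; 0x20 = KEY_COMP_NAME (8-bit chars, else UTF-16LE)
NK_NAME_LEN = 0x48     # uint16; kernel-side (length-prefixed) name length in bytes
NK_CLASS_LEN = 0x4A    # uint16; 0xFFFF means the key has no class name
NK_NAME = 0x4C         # the key name starts here
KEY_COMP_NAME = 0x0020


def build_nk_cell(name: bytes, comp_name: bool = True) -> bytes:
    """Build a minimal allocated nk cell for `name` (constructed test data)."""
    body = bytearray(NK_NAME)
    body[0:2] = b"nk"
    struct.pack_into("<H", body, NK_FLAGS, KEY_COMP_NAME if comp_name else 0)
    struct.pack_into("<H", body, NK_NAME_LEN, len(name))
    struct.pack_into("<H", body, NK_CLASS_LEN, 0xFFFF)
    body += name
    body += b"\x00" * (-(len(body) + 4) % 8)  # cells are 8-byte aligned
    return struct.pack("<i", -(len(body) + 4)) + bytes(body)


def build_sample_hive() -> bytes:
    """Constructed hive fragment: two ordinary key names and one cloaked one."""
    return b"".join(build_nk_cell(n) for n in (
        b"{47629D4B-2AD3-4e50-B716-A66C15C63153}",
        b"InprocServer32",       # 14 bytes: the name a Win32 caller can open
        b"InprocServer32\x00",   # 15 bytes: a NUL inside the counted length
    ))


def find_embedded_null_key_names(hive: bytes) -> list:
    """Return nk cells whose kernel-side name is longer than its Win32 view."""
    findings = []
    pos = hive.find(b"nk")
    while pos != -1:
        if pos >= 4 and pos + NK_NAME <= len(hive):
            cell_start = pos - 4
            cell_size = struct.unpack_from("<i", hive, cell_start)[0]
            flags = struct.unpack_from("<H", hive, pos + NK_FLAGS)[0]
            name_len = struct.unpack_from("<H", hive, pos + NK_NAME_LEN)[0]
            end = pos + NK_NAME + name_len
            # skip false "nk" hits: need an allocated cell that can hold the name
            if cell_size < 0 and name_len and end <= cell_start - cell_size:
                raw = hive[pos + NK_NAME:end]
                codec = "latin-1" if flags & KEY_COMP_NAME else "utf-16-le"
                kernel_name = raw.decode(codec, "replace")
                win32_name = kernel_name.split("\x00", 1)[0]  # RegOpenKey's view
                if len(win32_name) != len(kernel_name):
                    findings.append({"offset": cell_start, "name_len": name_len,
                                     "kernel_name": kernel_name, "win32_name": win32_name})
        pos = hive.find(b"nk", pos + 1)
    return findings


if __name__ == "__main__":
    for hit in find_embedded_null_key_names(build_sample_hive()):
        print(f"cell @0x{hit['offset']:x}: length {hit['name_len']}, kernel sees "
              f"{hit['kernel_name']!r}, Win32 sees {hit['win32_name']!r}")
```

On a real hive backup (the file ERUNT saves, for instance) the same signature scan applies, because hbin contents are just such cells; the scanner only reports and changes nothing.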
  14. Pamela Fischer

    Paul-B Guest

    Silly question, but has anyone actually asked Pinnacle what this is all
    about?
     
    Paul-B, Nov 22, 2005
    #14
  15. If you just want to prove that it's the Pinnacle software program, why not
    take a machine with a clean copy of Windows freshly installed and install
    the Pinnacle Studio 9 onto it?

    FWIW, I find these registry keys causing problems even after doing the
    above and uninstalling the Studio 9 program.

    HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32*
    11/22/2005 1:41 AM 0 bytes Key name contains embedded nulls (*)
    HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32*
    11/22/2005 1:41 AM 0 bytes Key name contains embedded nulls (*)
    HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32*
    11/22/2005 1:41 AM 0 bytes Key name contains embedded nulls (*)
    HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32*
    11/22/2005 1:41 AM 0 bytes Key name contains embedded nulls (*)
    HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32*
    11/22/2005 1:41 AM 0 bytes Key name contains embedded nulls (*)
    HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32*
    11/22/2005 1:41 AM 0 bytes Key name contains embedded nulls (*)
    HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32*
    11/22/2005 1:41 AM 0 bytes Key name contains embedded nulls (*)
    HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32*
    11/22/2005 1:41 AM 0 bytes Key name contains embedded nulls (*)
    HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32*
    11/22/2005 1:41 AM 0 bytes Key name contains embedded nulls (*)
    HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32*
    11/22/2005 1:41 AM 0 bytes Key name contains embedded nulls (*)
    HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32*
    11/22/2005 1:41 AM 0 bytes Key name contains embedded nulls (*)
    HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32*
    11/22/2005 1:41 AM 0 bytes Key name contains embedded nulls (*)
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\System* 11/11/2005 1:31 PM
    0 bytes Key name contains embedded nulls (*)

    This is output from RootkitRevealer, as you might recognize.

    I'm not sure it's intentional. Probably more likely that it's a result of
    a bug in the installer or something stupid but unintentional like that.
     
    Michael Cecil, Nov 22, 2005
    #15
  16. Look at the key names directly - the nulls will appear as black boxes
    in regedit or regedt32. If the names appear to be numeric with
    leading zeros ... ie. one or more boxes followed by digits, then it is
    most likely a broken installer.

    If that is the case, then you can safely edit the names to be "001",
    "002", etc. - change the black boxes to "0". Everything will still
    work and it will get rid of the warnings.

    If you see something that doesn't look numeric then please report it
    here. Broken installers are a fact of life [unfortunately], but
    companies that hide software are irresponsible and their customers
    need to know about it.

    George
     
    George Neuner, Nov 22, 2005
    #16
  17. Pamela Fischer

    Peabody Guest

    I think that's just unicode format, which has two bytes for every
    character.

    If you will load that .txt file into Notepad, then Save As, and select
    ASCII, all of that extra stuff should be removed in the newly saved
    file.
     
    Peabody, Nov 23, 2005
    #17
  18. The somewhat spotty evidence at this point seems to indicate it is an
    illegal syntactical use of the Windows XP registry so that Avid
    Pinnacle Studio can "hide" information from the user as explained in
    the SysInternals forum:
    http://www.sysinternals.com/forum/forum_posts.asp?TID=2510&PN=1&TPN=1
    http://www.sysinternals.com/forum/forum_posts.asp?TID=1955&PN=1
    http://www.sysinternals.com/Forum/forum_posts.asp?TID=1689&PN=1
    http://www.sysinternals.com/Forum/forum_posts.asp?TID=1731&PN=0&TPN=2
    etc.
    These illegal syntax keys can not be edited, modified, changed, nor
    removed by the user and apparently even the Pinnacle uninstaller cannot
    remove them as far as I can ascertain.

    Pamela

    HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32*
     
    pamelafiischer, Nov 23, 2005
    #18
  19. Not I. A developer, perhaps from Pinnacle, did respond and confirm the
    illegal syntax insertion - but we don't know how to remove, modify,
    view, or change the keys yet for a layperson (it can be done by writing
    C code but that is crazy).

    I wish Pinnacle Studio developers would read the syntax rules for
    registry keys before creating illegal keys on purpose just so that they
    won't work normally.

    Pamela
     
    pamelafiischer, Nov 23, 2005
    #19
  20. That unfortunately gave the same output gibberish.

    Exporting the key as a "reg" file worked but put nothing in the key.
    --- < start > ---
    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}]

    --- < end > ---

    I'm going to look for a hex editor to see what is inside that file!

    Pamela
     
    pamelafiischer, Nov 23, 2005
    #20
