Reversal of fortune: Sirefef’s registry illusion
I have mentioned in a previous blog that the use of the right-to-left-override (U+202E) Unicode character is nothing new. That blog also went on to show the various file name tricks used by malware.
But now we see something different: the use of this trick by variants of the Sirefef family of malware. The variants use the right-to-left-override character in the registry in order to hide their presence by mimicking a setting created by a Google Chrome installation.
When a user installs an enterprise version of Google Chrome, the application sets the following entries in the registry for the Google update service.
The update service shows up in the list of services as follows:
Looking at the properties gives you the details of the service, including the location of the file and description.
In the case of Sirefef, the registry entry appears to be the same as the one for Chrome:
There appear to be two "gupdate" registry entries. The real Google update entry is marked in the image above. There are now two entries in the services list which are almost identical, including the description of the service:
The real service is marked in the image above. Looking at the properties of the Sirefef service, you can see the difference from the real service.
Of course the illusion breaks down if the Sirefef registry entry is viewed without Unicode support:
The image below shows the Unicode string, including the RLO character, used by Sirefef:
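A defender's check for this trick, added here as an example and not part of the original post: legitimate Windows service names are plain ASCII, so any Unicode bidi control character in a service or registry key name is a red flag. The spoofed name below is constructed for illustration (the page does not show Sirefef's exact string); it uses RLO so that "g" + RLO + "etadpu" is displayed as "gupdate", and the code reports what the name renders as and which legitimate service it impersonates.

```python
# Unicode bidirectional (bidi) control characters. None of these belong in a
# Windows service name, so their presence alone is suspicious.
BIDI_CONTROLS = {
    "\u200e": "LRM", "\u200f": "RLM",
    "\u202a": "LRE", "\u202b": "RLE", "\u202c": "PDF",
    "\u202d": "LRO", "\u202e": "RLO",
    "\u2066": "LRI", "\u2067": "RLI", "\u2068": "FSI", "\u2069": "PDI",
}
RLO, PDF = "\u202e", "\u202c"


def find_bidi_controls(name):
    """Return [(index, 'U+XXXX', short name)] for every bidi control in name."""
    return [(i, f"U+{ord(ch):04X}", BIDI_CONTROLS[ch])
            for i, ch in enumerate(name) if ch in BIDI_CONTROLS]


def rendered_text(name):
    """Approximate what a Unicode-aware UI displays: text after an RLO is shown
    reversed until a PDF (or end of string); the controls themselves are invisible."""
    out, i = [], 0
    while i < len(name):
        ch = name[i]
        if ch == RLO:
            end = name.find(PDF, i + 1)
            end = len(name) if end == -1 else end
            out.append(name[i + 1:end][::-1])
            i = end + 1
        elif ch in BIDI_CONTROLS:
            i += 1            # other controls: drop, they do not reorder text here
        else:
            out.append(ch)
            i += 1
    return "".join(out)


def classify_service_name(name, known_good=("gupdate",)):
    """Flag a name containing bidi controls and report which legitimate
    service (from known_good) it visually impersonates, if any."""
    controls = find_bidi_controls(name)
    if not controls:
        return {"name": name, "suspicious": False}
    shown = rendered_text(name)
    return {"name": name, "suspicious": True, "controls": controls,
            "renders_as": shown,
            "impersonates": shown if shown in known_good else None}


# Constructed sample: the real Chrome service name and a hypothetical RLO spoof.
SAMPLE_NAMES = ["gupdate", "g\u202eetadpu"]

if __name__ == "__main__":
    for n in SAMPLE_NAMES:
        print(classify_service_name(n))
```

On a live system the same check can be run over the subkey names under the Services registry key, where the spoofed entry sits beside the real one.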
This demonstrates yet another concerted attempt by malware to hide itself in plain sight by pretending to be something it is not.
It may make it difficult for someone doing a cursory check to determine whether they are infected.
As always, make sure you have up-to-date antimalware software and install the latest Windows updates.
Raymond Roberts
MMPC