Networked computers are vulnerable to malicious computer code attacks, such as worms, viruses and Trojan horses. As used herein, “malicious computer code” is any code that enters a computer without an authorized user's knowledge and/or without an authorized user's consent.
A majority of malicious code today is targeted at computers running the Microsoft Windows® operating system, because of its market prevalence. Therefore, it is important to identify and patch security vulnerabilities in Windows®. One important security vulnerability today is the remote registry access service provided in the Windows NT® family of operating systems (Windows® 2000, XP, 2003, etc.).
These versions of Windows® provide a function called RegConnectRegistry, which allows a caller on a source computer to remotely access the registry of a target computer, thus providing open remote access to the registry database on any reachable computer within a network. In order to access a remote registry, the calling process on the source computer must be owned by a user with logon privileges on the target computer. However, where this is the case, knowledge of the IP address of the target computer is all that is needed for remote registry access.
Clearly, this provides an opportunity for malicious code that has managed to infect the source computer to access highly sensitive data in the registries of remote computers that the malicious code has not managed to infect. Computer worms commonly generate large numbers of IP addresses within seconds. If such a worm uses its IP address list and attempts to access each target computer's registry remotely, the worm might be able to access many remote registries very quickly.
Once malicious code has accessed a remote registry, it can inflict damage on the target computer at will. The malicious code could, for example, read certain fields in the registry to collect sensitive information about the hardware environment, the software environment, the users of the computer, etc. The malicious code could also collect information about the installed applications and, based on that information, mount a customized malicious attack on the remote computer. The malicious code could even be polymorphic, able to generate different malicious infections based on its own evaluation of the target computer.
The malicious code could also scan well-known areas of the registry to harvest e-mail addresses to be used for mass-mailing itself from the machine it has maliciously accessed. The worm may read the registry database to enumerate the names of the shares currently existing on the target machine, and then try to access those shares directly. The worm might have enough access rights to reach a target share; otherwise, it can apply a brute-force attack to every remote share it was able to identify. This can defeat a local malicious-code blocking engine on the source computer, because the worm does not have to issue the network API calls normally used to enumerate share names within the network.
Malicious code could also modify the “run” entry on the target computer to point to itself, or to custom malicious code that it produced specifically to attack the target computer. Malicious code with remote registry access could even modify registry entries on the target computer to disallow anti-virus programs from running when the computer restarts. The malicious code could also destroy security attributes stored in the registry to violate the integrity of the security data, and modify the system policies stored in the registry to allow or block certain actions.
Because there are so many harmful things that malicious code can do after gaining remote access to the registry database of a remote computer, what is needed are methods, systems and computer-readable media for regulating remote registry access. More specifically, it should be possible to regulate remote registry access at both the source computer and the target computer.
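As an added illustration of the target-side half of that regulation (this is not text or code from the original document), the following PowerShell audits the two controls on a Windows host that gate the RegConnectRegistry connections described above: the Remote Registry service that answers them, and the access control list on the winreg key that decides which accounts may connect at all. It assumes an elevated Windows PowerShell 5.1 or later session on the target computer; the service name, the registry path and the default Windows grants it lists are Windows facts, while the `$Enforce` switch and the `$expected` allowlist are this example's own assumptions.

```powershell
# Added example, not part of the original document. Run in an elevated
# PowerShell (5.1+) session on the target computer whose registry is to be protected.

$Enforce = $false   # assumption: $true stops and disables the service instead of only reporting

# 1. The Remote Registry service is what RegConnectRegistry talks to on the target.
#    If nothing on this host legitimately needs it, disabling it removes the exposure.
$svc = Get-Service -Name 'RemoteRegistry' -ErrorAction SilentlyContinue
if ($null -eq $svc) {
    Write-Output 'RemoteRegistry service not present on this host.'
} else {
    Write-Output ("RemoteRegistry service: status={0} startup={1}" -f $svc.Status, $svc.StartType)
}

# 2. When the service must stay enabled, the ACL on the winreg key decides which
#    accounts may open a remote registry connection. Windows grants Administrators
#    full control and Backup Operators / LOCAL SERVICE read by default; any other
#    Allow entry is worth a second look. The allowlist is this example's assumption.
$expected = @('BUILTIN\Administrators', 'BUILTIN\Backup Operators', 'NT AUTHORITY\LOCAL SERVICE')
$winreg = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg'
if (Test-Path -Path $winreg) {
    $acl = Get-Acl -Path $winreg
    foreach ($ace in $acl.Access) {
        $flag = ''
        if ($ace.AccessControlType -eq 'Allow' -and $expected -notcontains $ace.IdentityReference.Value) {
            $flag = '  <-- not in expected set, review'
        }
        Write-Output ("{0,-40} {1,-6} {2}{3}" -f $ace.IdentityReference.Value, $ace.AccessControlType, $ace.RegistryRights, $flag)
    }

    # AllowedPaths\Machine lists registry paths readable remotely regardless of the
    # winreg ACL; an unexpected entry here widens remote access silently.
    $allowed = Get-ItemProperty -Path (Join-Path $winreg 'AllowedPaths') -Name 'Machine' -ErrorAction SilentlyContinue
    if ($null -ne $allowed) {
        foreach ($p in $allowed.Machine) { Write-Output "AllowedPath: $p" }
    }
} else {
    Write-Output 'winreg key not found; ACL-based restriction cannot be evaluated on this host.'
}

# 3. Enforce the strictest target-side setting when requested.
if ($Enforce -and $null -ne $svc) {
    Stop-Service -Name 'RemoteRegistry' -Force -ErrorAction SilentlyContinue
    Set-Service -Name 'RemoteRegistry' -StartupType Disabled
    Write-Output 'RemoteRegistry service stopped and disabled.'
}
```

Run it read-only first and compare the flagged entries against the host's management needs before flipping `$Enforce`. Source-side regulation, that is, preventing a process on the calling machine from reaching RegConnectRegistry in the first place, requires host-based controls on that machine and is not shown here.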