My interview on the CyberSpeak podcast about my UserAssist tool is up. I discovered I speak English with a French accent ;-) But I’m not French, I’m Flemish!
Great interview! I found it funny that Bret was asking questions that have been asked before, but there are just no answers available.
With malware that looks for certain applications to be run (ie, AV software, firewalls, etc), I wonder if anyone has seen malware that decrypts the values and either collects data, or gleans intel from the contents of the key…
Good job, Didier!
Comment by keydet89 — Monday 23 July 2007 @ 17:39
I’ve also been pondering the malicious and mischievous possibilities of the UserAssist keys, but I don’t know about any malware exploiting these keys. I’ve searched for UserAssist in a couple of virus description databases, but without success.
Comment by Didier Stevens — Monday 23 July 2007 @ 18:10
I was intrigued to hear the process by which you have managed to identify what the elements of data in UserAssist mean (I realise there are more to clarify). I guess it requires a painstaking logical approach to understand exactly what happens, for instance, if a program is removed from the Start Menu. I’ve seen the Gates = 5 comment before and would really like to know the reason behind the count starting at 5 rather than 0. I suspect that we’ll never know the real reason.
Thanks for your explanation and hard work.
Comment by Dave — Monday 23 July 2007 @ 19:08
Yes, starting to count from 5 is strange. When programmers work with a counter and they need some special values that have another meaning than the actual numerical value, in “the olden days”, they would use something like 99. So they would attribute special meaning to the maximum values, not to the minimum values.
This technique caused some interesting bugs in 1999 and 2000 ;-)
Comment by Didier Stevens — Monday 23 July 2007 @ 19:19
The fact that the count field starts at 5 is strange, yes…but the whole issue about ROT-13 ‘encryption’ is even stranger! Why, of all keys, would those particular keys have values that are ROT-13 encrypted?
I have my own tools that get this information from NTUSER.DAT files extracted from forensic images. I use these tools on a regular basis, and have even had cases recently were these tools were the starting point of my investigation. A very interesting capability that I have added to the tools is the ability to sort the entries by their timestamp value, going from most recent and walking backward through time. This functionality has been extremely helpful, particularly in intrusion or UAP violation cases, where the “when” of an activity is as important as the “what”.
Comment by keydet89 — Tuesday 24 July 2007 @ 11:00
[...] CyberSpeak interview – Check out Didier’s interview. My interview on the CyberSpeak podcast about my UserAssist tool is up. I discovered I speak English with a French accent But I’m not French, I’m Flemish! [...]
Pingback by www.andrewhay.ca » Suggested Blog Reading - Monday July 23rd, 2007 — Tuesday 24 July 2007 @ 11:52
That is right, shifting a counter is a programmers hack, but using ROT13? You’re clearly sending a message when you do this, but what kind of message?
Comment by Didier Stevens — Tuesday 24 July 2007 @ 18:14
RSS feed for comments on this post. TrackBack URI
Fill in your details below or click an icon to log in:
You are commenting using your WordPress.com account. ( Log Out / Change )
You are commenting using your Twitter account. ( Log Out / Change )
You are commenting using your Facebook account. ( Log Out / Change )
You are commenting using your Google+ account. ( Log Out / Change )
Connecting to %s
Notify me of follow-up comments via email.
Notify me of new posts via email.
The Rubric Theme. Blog at WordPress.com.
Get every new post delivered to your Inbox.
Join 225 other followers