Typed URLs and Hijacked Browser

cube6512

PC Being examined
O/S WinXP+SP2
Browser IE6
Detected trojan Vundo

Has anyone encountered a case where the registry entries for "TypedURLs" were updated remotely via a hijacked browser?

i.e. can the "remote bad guy" remotely manipulate the hijacked browser so that TypedURLs will be updated as if the local user had typed them?

Or are the TypedURLs *only* updated by the user actually entering the URL into the browser URL address window?

Thank you.


   
keydet89

PC Being examined
O/S WinXP+SP2
Browser IE6
Detected trojan Vundo

Has anyone encountered a case where the registry entries for "TypedURLs" were updated remotely via a hijacked browser?

Can't say that I have.

i.e. can the "remote bad guy" remotely manipulate the hijacked browser so that TypedURLs will be updated as if the local user had typed them?

If the bad guy has shell-level access remotely via something like VNC or Terminal Services, sure. Or with remote access, they could conceivably modify the logged on user's entries…

Or are the TypedURLs *only* updated by the user actually entering the URL into the browser URL address window?

Based on testing, that's how they're usually updated. You can try this yourself, by typing in an address, then clicking through to others, and seeing which appear in the MRU list.

HTH


   
(@Anonymous 6593)

Or are the TypedURLs *only* updated by the user actually entering the URL into the browser URL address window?

'Only' is a pretty strong word – I mean, there's regedit, there's the reg command line utility, and there are Windows system calls for modifying Registry entries. Manipulating the URL address window is probably not the easiest way to go.

Still …

The application cannot see *who* types into an URL address window, only that keyboard events (like 'key A pressed' or 'key A depressed') arrive there. (I'm simplifying a bit here.)

There are applications that allow you to record a number of keyboard and mouse movement and click events, and replay them when you press a key. Those events are not entered by the user except for the first time – they're 'stored' and replayed into the target window/windows by that application. (I've used one called Keyboard Express – Google for their website and check out their trial versions to get an idea of what it does.)

The same method used by these macro recording and replaying programs can be used by other software to get hold of a window handle (an input box is a kind of window beneath the surface), and send 'false' window keyboard events to it.

Windows software quality assurance tools also do things like this: they pretend they're a user and send fake keyboard and mouse events to an application to give it a thorough testing.

So, it's technically possible, yes. But it is rather complex, and there are almost certainly easier ways of doing much the same thing.


   
keydet89

It occurred to me that you could take the TypedUrls key LastWrite time and tie it to other events on the system that occurred around the same time, and get at least an idea of whether the user did this themselves…


   
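The correlation suggested in the last post, as an added example that is not part of the thread: it converts the TypedURLs key LastWrite FILETIME to UTC, checks whether it falls inside an interactive logon session, and lists other events within two minutes of it. All timestamps, session intervals and event entries are constructed sample data, and the function names are this example's own.

```python
from datetime import datetime, timedelta, timezone

UTC = timezone.utc
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=UTC)

def filetime_to_dt(ft):
    """Registry LastWrite is a FILETIME: 100 ns ticks since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)

def in_session(ts, sessions):
    """True if ts falls inside any (logon, logoff) interval."""
    return any(start <= ts <= end for start, end in sessions)

def events_near(ts, events, window=timedelta(minutes=2)):
    """Events within +/- window of ts as (offset_seconds, source, detail), earliest first."""
    hits = [((when - ts).total_seconds(), src, detail)
            for when, src, detail in events if abs(when - ts) <= window]
    return sorted(hits)

# --- constructed sample data (not from the thread) ---
# LastWrite of the TypedURLs key as read from the user's NTUSER.DAT hive.
# It reflects only the most recent change to the key, not each url value.
LASTWRITE_FT = 128183593300000000  # 2007-03-14 15:22:10 UTC

def t(h, m, s):
    """Helper for the sample data: a UTC time on the constructed date."""
    return datetime(2007, 3, 14, h, m, s, tzinfo=UTC)

# Interactive logon/logoff pairs, as an examiner might take from the event log.
SESSIONS = [(t(8, 55, 0), t(12, 1, 30)), (t(13, 2, 0), t(17, 40, 0))]
EVENTS = [
    (t(15, 21, 48), "UserAssist", "iexplore.exe run count updated"),
    (t(15, 22, 11), "IE history", "visit recorded in index.dat"),
    (t(15, 22, 40), "Filesystem", "new file in Temporary Internet Files"),
    (t(11, 5, 0), "Event log", "service started"),
]

if __name__ == "__main__":
    lw = filetime_to_dt(LASTWRITE_FT)
    print("TypedURLs LastWrite:", lw.isoformat())
    print("Inside an interactive logon session:", in_session(lw, SESSIONS))
    for off, src, detail in events_near(lw, EVENTS):
        print(f"  {off:+6.0f}s  {src:<11} {detail}")
```

A LastWrite time that sits outside every interactive session, or with no user-driven artifacts nearby, is the case that calls for a closer look at what else wrote to the key.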