Reversal of fortune: Sirefef’s registry illusion

I mentioned in a previous blog post that the use of the right-to-left override (U+202E) Unicode character is nothing new; that post also showed the various file name tricks used by malware.

But now we see something different: variants of the Sirefef family of malware are using this trick in the registry. The variants place the right-to-left override character in a registry key name to hide their presence by mimicking a setting created by a Google Chrome installation.

When a user installs an enterprise version of Google Chrome, the application sets the following entries in the registry for the Google Update service.

[Image: Google Update service registry entries]

The update service shows up in the list of services as follows:

[Image: list of services]

Looking at the properties gives you the details of the service, including the location of the file and description.

[Image: service properties showing the location of the file and the description]

In the case of Sirefef, the registry entry appears to be the same as the one for Chrome:

[Image: Sirefef registry entry]

There appear to be two "gupdate" registry entries; the real Google Update entry is marked in the image above. The services list now contains two almost identical entries, including the description of the service:

[Image: two near-identical entries in the services list]

The real service is marked in the image above. Looking at the properties of the Sirefef service, you can see how it differs from the real service.

[Image: Sirefef service properties]

Of course, the illusion breaks down if the Sirefef registry entry is viewed without Unicode support:

[Image: Sirefef entry viewed without Unicode support]

The image below shows the Unicode string, including the RLO character, used by Sirefef:

[Image: Unicode string with the RLO character used by Sirefef]
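As an added example (not code from the original post), the following script performs the check a defender would want here: it flags service or key names that contain Unicode bidirectional control characters, approximates what a Unicode-aware UI would display for them, and reports names whose displayed form collides with another service's. On Windows it enumerates the Services key via winreg; elsewhere it falls back to a constructed sample list whose RLO entry is illustrative and is not Sirefef's actual key name.

```python
# Unicode bidi control characters; any of these in a service or key name is suspicious.
BIDI_CONTROLS = {"\u202a": "LRE", "\u202b": "RLE", "\u202c": "PDF", "\u202d": "LRO",
                 "\u202e": "RLO", "\u2066": "LRI", "\u2067": "RLI", "\u2068": "FSI",
                 "\u2069": "PDI"}

def find_bidi_controls(name):
    """Return (offset, control) for every bidi control character in name."""
    return [(i, BIDI_CONTROLS[c]) for i, c in enumerate(name) if c in BIDI_CONTROLS]

def rendered_form(name):
    """Approximate what a Unicode-aware UI (services.msc, regedit) displays: the run
    after an RLO appears reversed until a PDF or end of string; controls are invisible."""
    out, i = [], 0
    while i < len(name):
        if name[i] == "\u202e":                       # RLO: reverse the following run
            j = i + 1
            while j < len(name) and name[j] != "\u202c":
                j += 1
            run = [c for c in name[i + 1:j] if c not in BIDI_CONTROLS]
            out.append("".join(reversed(run)))
            i = j + 1                                 # also skip the PDF, if present
        else:
            if name[i] not in BIDI_CONTROLS:
                out.append(name[i])
            i += 1
    return "".join(out)

def audit(service_names):
    """Flag names containing bidi controls and names whose displayed form collides
    with another service's (the two 'gupdate' entries seen in the screenshots)."""
    by_display = {}
    for raw in service_names:
        by_display.setdefault(rendered_form(raw), []).append(raw)
    findings = []
    for raw in service_names:
        shown = rendered_form(raw)
        ctrls = find_bidi_controls(raw)
        twins = [o for o in by_display[shown] if o != raw]
        if ctrls or twins:
            findings.append({"raw": raw.encode("unicode_escape").decode(), "displayed": shown,
                             "controls": ctrls, "collides_with": twins})
    return findings

def load_service_names():
    """Enumerate HKLM\\SYSTEM\\CurrentControlSet\\Services on Windows; elsewhere return a
    constructed sample (the RLO entry is illustrative, not Sirefef's actual key name)."""
    try:
        import winreg
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, r"SYSTEM\CurrentControlSet\Services") as k:
            return [winreg.EnumKey(k, i) for i in range(winreg.QueryInfoKey(k)[0])]
    except (ImportError, OSError):
        return ["gupdate", "\u202eetadpug", "Spooler"]
```

Run `audit(load_service_names())` and inspect the findings; the "raw" field prints the name with escapes so the hidden control character is visible even in a Unicode-aware terminal.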

This is yet another concerted attempt by malware to hide in plain sight by pretending to be something it is not. It may make it difficult for someone doing a cursory check to determine whether they are infected.

As always, make sure you have up-to-date antimalware software and install the latest Windows updates.
Raymond Roberts


Comments (5)

  1. Anonymous says:

    The sample was replicated on an older version of Windows where Regedit did not have Unicode support.

  2. John says:

    How were you able to view the registry without Unicode support?

  3. Shannon Wheeler says:

    Any idea how to reset the permissions on the 'Parameters' subkey to allow deleting it?

  4. Liviu says:

    @Shannon, issue with 'Parameters' seems to be about embedded NULs rather than permissions. What worked for me was to run RegDelNull on the parent key, see
