Bangeter 03-persistence_techniques_v40.pdf


File details

Flashcards 15
Language English
Category Computer science
Level University
Created / Updated 19.06.2019 / 01.07.2021
License Not specified
Web link
https://card2brain.ch/box/20190619_bangeter_03persistencetechniquesv40_pdf

Why does most malware have persistence mechanisms?

Persistence mechanisms allow malware to survive a reboot.

The goal of persistence is to launch malware during boot, logon, etc.

Describe the two persistence mechanisms based on patching.

Binary patching used to be called "virus"

Trojanized system binaries: add malicious code to executables or DLLs that are part of the OS, and which thus get loaded on system startup.

MBR patching: allows malware to start very early in the boot process, before any security mechanism gets loaded. (The master boot record is modified to load malware.) [Newer secure boot mechanisms allow the BIOS to verify the signature of the boot loader.]

How can you detect binary patching?

  • Check hashes of files on the system against a DB of known good binaries
  • Check signatures of files

Sigcheck from Sysinternals is a tool to perform signature checks; it can also be used to perform a VirusTotal lookup for unknown files.

Name 3 different mechanisms that can be abused in an OS in order to autostart malware.

These can be modified.

  • Logon items for users (e.g. Dropbox, Skype...)
  • Services
  • Scheduled tasks

What does the volatility command hivelist do?

hivelist: locates the virtual addresses of registry hives in memory and the full paths to the corresponding hive on disk.

What interesting information in regards to malware can be extracted from the registry?

  • Autostart / malware persistence
  • Data stored by malware in registry
  • Partial information on programs executed and the files accessed
  • Encrypted / obfuscated malware payloads

Additional information

  • user related information
  • Hardware configs
  • Credentials / passwords

What tool can be used for inspecting autostart mechanisms on a live system?

Autoruns: this is a tool for inspecting autostart mechanisms on a live system.

  • Autoruns is a kind of reference of Windows autostart mechanisms
  • Unfortunately, autoruns does not work on memory images

What volatility command allows you to inspect subkeys?

printkey -K "key"

Displays the subkeys, values, data and data types contained within a specified registry key.