Category:Digital-Forensics/Computer-Forensics/Persistence-Mechanisms
Description
Malware tries to survive reboots of the infected machine. There are several ways malware can achieve persistence; some of these techniques are explained below.
Windows Registry Database
Common startup registry keys
Common startup registry keys include:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunEx
AppInit_DLLs
Every process that loads user32.dll also loads the DLLs listed in AppInit_DLLs.
The AppInit_DLLs value is stored in the following registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
Winlogon notify
Malware can register a persistence entry for the Winlogon notification events (logon, logoff, startup, shutdown, lock screen) under:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\
svchost DLLs
Malware sometimes hides as a DLL hosted by svchost.exe. Each instance of svchost.exe hosts a group of services; these groups are defined in:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost
Below is an example:
C:\>reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost"

! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost
    HTTPFilter      REG_MULTI_SZ    HTTPFilter\0\0
    LocalService    REG_MULTI_SZ    Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
    NetworkService  REG_MULTI_SZ    DnsCache\0\0
    netsvcs         REG_MULTI_SZ    6to4\0AppMgmt\0AudioSrv\0Browser\0CryptSvc\0DMServer\0DHCP\0ERSvc\0EventSystem\0FastUserSwitchingCompatibility\0HidServ\0Ias\0Iprip\0Irmon\0LanmanServer\0LanmanWorkstation\0Messenger\0Netman\0Nla\0Ntmssvc\0NWCWorkstation\0Nwsapagent\0Rasauto\0Rasman\0Remoteaccess\0Schedule\0Seclogon\0SENS\0Sharedaccess\0SRService\0Tapisrv\0Themes\0TrkWks\0W32Time\0WZCSVC\0Wmi\0WmdmPmSp\0winmgmt\0wscsvc\0xmlprov\0napagent\0hkmsvc\0BITS\0wuauserv\0ShellHWDetection\0helpsvc\0WmdmPmSN\0\0
    DcomLaunch      REG_MULTI_SZ    DcomLaunch\0TermService\0\0
    rpcss           REG_MULTI_SZ    RpcSs\0\0
    eapsvcs         REG_MULTI_SZ    eaphost\0\0
    dot3svc         REG_MULTI_SZ    dot3svc\0\0
    imgsvc          REG_MULTI_SZ    StiSvc\0\0
    termsvcs        REG_MULTI_SZ    TermService\0\0
    bthsvcs         REG_MULTI_SZ    BthServ\0\0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost\DComLaunch
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost\dot3svc
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost\eapsvcs
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost\HTTPFilter
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost\LocalService
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost\netsvcs
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost\PCHealth
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost\termsvcs
The configuration of each individual service is stored under:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\ServiceName
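The check an analyst wants here is whether a service group contains a name that does not belong there. As an added example, not from the original page, the following Python parses a saved reg query dump of the SvcHost key in the reg.exe 3.0 format shown above and flags service names missing from a known-good baseline; the sample dump, the baseline and the service name WmiApSrvHelper are all constructed for the illustration.

```python
import re

# Constructed sample of `reg query` output in the reg.exe 3.0 format shown above;
# "WmiApSrvHelper" is a made-up name standing in for a service added by malware.
SAMPLE_OUTPUT = r"""
! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost
    LocalService    REG_MULTI_SZ    Alerter\0WebClient\0LmHosts\0\0
    NetworkService  REG_MULTI_SZ    DnsCache\0\0
    netsvcs REG_MULTI_SZ    6to4\0AppMgmt\0BITS\0wuauserv\0WmiApSrvHelper\0\0
    rpcss   REG_MULTI_SZ    RpcSs\0\0
"""

# Constructed known-good baseline; in practice it comes from a clean reference
# machine of the same Windows build.
BASELINE = {
    "LocalService": {"Alerter", "WebClient", "LmHosts", "RemoteRegistry"},
    "NetworkService": {"DnsCache"},
    "netsvcs": {"6to4", "AppMgmt", "BITS", "wuauserv"},
    "rpcss": {"RpcSs"},
}

VALUE_RE = re.compile(r"^\s*(\S+)\s+REG_MULTI_SZ\s+(\S*)\s*$")

def parse_svchost_groups(text):
    """Map each svchost group name to the list of services it hosts."""
    groups = {}
    for line in text.splitlines():
        m = VALUE_RE.match(line)
        if not m:
            continue  # banner, key path, blank line or non-MULTI_SZ value
        name, raw = m.groups()
        # reg.exe 3.0 prints the embedded NULs of a REG_MULTI_SZ as a literal
        # "\0"; the list ends with an empty string, hence the trailing "\0\0".
        groups[name] = [s for s in raw.split("\\0") if s]
    return groups

def find_unexpected_services(groups, baseline):
    """Return {group: [service, ...]} for names absent from the baseline.
    Registry service names are case-insensitive, so compare lowercased; a
    group missing from the baseline entirely is reported in full."""
    unexpected = {}
    for group, services in groups.items():
        known = {k.lower() for k in baseline.get(group, ())}
        extra = [s for s in services if s.lower() not in known]
        if extra:
            unexpected[group] = extra
    return unexpected
```

Each name flagged this way is then examined under the Services key given above, in particular the DLL that its Parameters\ServiceDll value points to.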
Services
Malware can install as a service to ensure it is automatically started when the machine boots.
Malware can also trojanize a legitimate service (e.g. cisvc.exe, the Indexing Service) to hide its malicious code and ensure persistence. This technique is called process replacement.
Trojanized binaries
Malware sometimes hides behind modified copies of legitimate software, so that the malware runs each time the modified program is started.
DLL Load Order Hijacking
Thank you for your understanding.
Keywords: persistence registry appinit appinit_dlls winlogon svchost dll