| Title | Author | Created | Published | Tags |
| --- | --- | --- | --- | --- |
| Malware Persistence Mechanisms | <ul><li>Jon Marien</li></ul> | February 12, 2025 | February 12, 2025 | [[#classes\|#classes]], [[#INFO43921\|#INFO43921]] |

## Three malware persistence mechanisms

* **Registry Run Keys:** Malware can modify registry keys, such as `HKLM\Software\Microsoft\Windows\CurrentVersion\Run`, to execute on system startup or user login. This is a common technique that allows malware to start automatically when the system boots, ensuring that the malicious software remains active.
  * Clean software also uses Run entries to autostart, for example antivirus software.
  * Malware adds or modifies these Run entries to persist across system boots.
* **Startup Folders:** Malware can place executable files in startup folders, causing them to launch when users log in.
  * Windows provides certain startup directories for autostarting applications on the system.
  * Malware copies its files into these folders so that the OS automatically starts the malware on bootup.
  * The shell directory path can be obtained from the Windows registry, from values under keys such as `HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders`.
  * Common startup folder locations include `C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp` (all users) and `C:\Users\<Username>\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup` (per user).
* **Windows Services:** Malware can register itself as a Windows service, allowing it to run in the background and start automatically at boot.
  * Services provide an autostart mechanism and resilience against crashes: the Service Control Manager can restart the service if it exits or crashes.
  * Malware can register as either an executable service or a DLL service.
  * The registry keys `HKLM\SYSTEM\CurrentControlSet\Services`, `HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce`, and `HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices` can contain service entries.
  * Malware often uses the `regsvr32.exe` command, the `sc.exe` command, or Win32 APIs to register a service.
  * DLL services are often loaded by `svchost.exe`.

These persistence mechanisms help malware remain active on a system, even after reboots or user logouts, thus ensuring long-term malicious activity.
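The script below is an added example, not part of the original notes: it audits the three locations described above on a Windows host (Run/RunOnce keys, the startup folders resolved from `User Shell Folders`, and auto-start services under `HKLM\SYSTEM\CurrentControlSet\Services`, including the `ServiceDll` that `svchost.exe` loads), then reports each entry with its resolved binary and Authenticode signature status. The function names (`Get-BinaryPathFromCommand`, `Get-SignerStatus`, `New-Entry`, `Get-PersistenceInventory`) are my own; it assumes Windows PowerShell 5.1 or later run from an elevated prompt.

```powershell
# Added example (not from the original notes): inventory of Run keys, startup
# folders and auto-start services, with the signer of each referenced binary.
# Helper names are this example's own. Run elevated so HKLM service keys are readable.

function Get-BinaryPathFromCommand {
    # Pull the executable out of a command line such as
    #   "C:\Program Files\Foo\foo.exe" /silent   or   %SystemRoot%\system32\svchost.exe -k netsvcs
    param([string]$CommandLine)
    if ([string]::IsNullOrWhiteSpace($CommandLine)) { return $null }
    $cmd = [Environment]::ExpandEnvironmentVariables($CommandLine.Trim())
    if ($cmd.StartsWith('"')) { return $cmd.Substring(1, $cmd.IndexOf('"', 1) - 1) }
    # Unquoted: grow the prefix token by token until it names an existing file,
    # which also copes with unquoted paths that contain spaces.
    $tokens = $cmd -split '\s+'
    for ($i = 1; $i -le $tokens.Count; $i++) {
        $candidate = $tokens[0..($i - 1)] -join ' '
        if (Test-Path -LiteralPath $candidate -PathType Leaf -ErrorAction SilentlyContinue) { return $candidate }
    }
    return $tokens[0]
}

function Get-SignerStatus {
    param([string]$Path)
    if (-not $Path -or -not (Test-Path -LiteralPath $Path -ErrorAction SilentlyContinue)) { return 'MISSING' }
    $sig = Get-AuthenticodeSignature -LiteralPath $Path
    if ($sig.Status -eq 'Valid') { return "Valid: $($sig.SignerCertificate.Subject)" }
    return $sig.Status.ToString()          # NotSigned, HashMismatch, UnknownError, ...
}

function New-Entry {
    param($Source, $Name, $Command, [switch]$IsPlainPath)
    $bin = if ($IsPlainPath) { [Environment]::ExpandEnvironmentVariables($Command) }
           else { Get-BinaryPathFromCommand $Command }
    [pscustomobject]@{ Source = $Source; Name = $Name; Command = $Command
                       Binary = $bin; Signature = Get-SignerStatus $bin }
}

function Get-PersistenceInventory {
    $results = @()

    # 1. Run / RunOnce keys: per-machine, the 32-bit view on 64-bit Windows, and per-user
    $runKeys = @(
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $item = Get-Item $key
        foreach ($valueName in $item.GetValueNames()) {
            $results += New-Entry $key $valueName ($item.GetValue($valueName))
        }
    }

    # 2. Startup folders, resolved from the registry rather than hard-coded paths
    $startupValues = @(
        @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders'; Value = 'Startup' },
        @{ Key = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders'; Value = 'Common Startup' }
    )
    $shell = New-Object -ComObject WScript.Shell   # used to resolve .lnk targets
    foreach ($entry in $startupValues) {
        $raw = (Get-ItemProperty -Path $entry.Key -Name $entry.Value -ErrorAction SilentlyContinue).($entry.Value)
        if (-not $raw) { continue }
        $folder = [Environment]::ExpandEnvironmentVariables($raw)
        foreach ($file in Get-ChildItem -LiteralPath $folder -File -ErrorAction SilentlyContinue) {
            $target = if ($file.Extension -eq '.lnk') { $shell.CreateShortcut($file.FullName).TargetPath } else { $file.FullName }
            $results += New-Entry "StartupFolder: $folder" $file.Name $target -IsPlainPath
        }
    }

    # 3. Auto-start Win32 services; for svchost-hosted services report the ServiceDll
    $svcRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services'
    foreach ($svc in Get-ChildItem $svcRoot -ErrorAction SilentlyContinue) {
        $p = Get-ItemProperty -Path $svc.PSPath -ErrorAction SilentlyContinue
        # Start 2 = Automatic; Type bits 0x10/0x20 = Win32 own/shared process (drivers are skipped)
        if ($p.Start -ne 2 -or -not ($p.Type -band 0x30)) { continue }
        $dll = (Get-ItemProperty -Path "$($svc.PSPath)\Parameters" -Name ServiceDll -ErrorAction SilentlyContinue).ServiceDll
        if ($dll) { $results += New-Entry 'Service (DLL)' $svc.PSChildName $dll -IsPlainPath }
        else      { $results += New-Entry 'Service'       $svc.PSChildName $p.ImagePath }
    }
    return $results
}

# Unsigned, missing or tampered binaries sort to the top for review.
Get-PersistenceInventory | Sort-Object Signature | Format-Table Source, Name, Binary, Signature -AutoSize -Wrap
```

A valid Microsoft signature is not proof of benign intent (an autostart entry can point a signed host such as `svchost.exe` or `regsvr32.exe` at an attacker-controlled DLL), which is why the script reports the hosted `ServiceDll` rather than the host process; entries marked `NotSigned`, `HashMismatch` or `MISSING`, or whose binary lives under a user-writable directory, are the ones to compare against a known-good baseline of the same host.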