Malware Persistence Techniques Explained

This document discusses techniques that malware uses for persistence on Windows systems. It describes legitimate Windows persistence mechanisms like registry keys and startup folders. It also covers more advanced techniques malware uses to hide persistence artifacts, such as storing malicious files in alternate data streams, special folders, or the Windows registry to avoid detection. The document advises monitoring registry changes and startup items to hunt for malware persistence.

Module 2: Typical goals of malware and their implementations

Persistence
Basics of Persistence
• WHO?
• Most malware needs it (except some ransomware, which has finished its job after a single run)
• WHY?
• To start the malicious code again after each reboot
• HOW?
• Using legitimate persistence methods
• Using custom, creative methods...
Basics of Persistence

Windows offers various legitimate persistence ways – let’s recall them...

Basics of Persistence
• Registry keys, e.g.:
• HKCU\Software\Microsoft\Windows\CurrentVersion\Run
• HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
• HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
• (the same subkeys exist under HKLM; writing there requires administrator rights, the HKCU ones do not)

• The most commonly used technique (also by malware)...

Basics of Persistence:
Startup link
• %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup
Basics of Persistence:
Scheduled task
• Task Scheduler view (screenshot)
Basics of Persistence:
System Services
[UAC bypass required]
• Administrator rights required
• Creating a service:

sc create <service_name> binPath= <service_path> DisplayName= <service_display_name> start= auto

(note the space after each "option=": that is the syntax sc.exe expects)

• Related registry keys:
• HKLM\SYSTEM\ControlSet001\services\<service name>
• HKLM\SYSTEM\ControlSet002\services\<service name>
• HKLM\SYSTEM\CurrentControlSet\services\<service name>
(CurrentControlSet is a symbolic link to the control set the system booted with)
• Regedit view (screenshot)
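The following is an added example, not code from the original slides: a read-only PowerShell pass over the legitimate autostart locations recalled above (Run keys in both hives and both registry views, startup folders, scheduled tasks and auto-start services). The function name and the output columns are this example's own choices; run it elevated to also see the HKLM entries.

```powershell
# Added example (not from the slides): one-pass inventory of the legitimate
# autostart locations. Read-only. Get-ScheduledTask needs Windows 8 / 2012+.
function Get-AutostartInventory {
    # 1. Run / RunOnce / Policies\Explorer\Run keys, per user and per machine
    $runKeys = foreach ($hive in 'HKCU:', 'HKLM:') {
        foreach ($sub in 'Run', 'RunOnce', 'Policies\Explorer\Run') {
            "$hive\Software\Microsoft\Windows\CurrentVersion\$sub"
            "$hive\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\$sub"
        }
    }
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            # Get-ItemProperty adds PS* bookkeeping properties; everything else is a value
            if ($p.Name -match '^PS(Path|ParentPath|ChildName|Drive|Provider)$') { continue }
            [pscustomobject]@{ Source = 'Registry'; Location = $key; Name = $p.Name; Command = $p.Value }
        }
    }

    # 2. Startup folders (per user and common); resolve .lnk targets
    $shell = New-Object -ComObject WScript.Shell
    $dirs  = "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup",
             "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp"
    foreach ($dir in $dirs) {
        Get-ChildItem -Path $dir -File -Force -ErrorAction SilentlyContinue | ForEach-Object {
            $cmd = $_.FullName
            if ($_.Extension -eq '.lnk') {
                $lnk = $shell.CreateShortcut($_.FullName)
                $cmd = "$($lnk.TargetPath) $($lnk.Arguments)".Trim()
            }
            [pscustomobject]@{ Source = 'StartupFolder'; Location = $dir; Name = $_.Name; Command = $cmd }
        }
    }

    # 3. Scheduled tasks that are not disabled, with the action they execute
    Get-ScheduledTask -ErrorAction SilentlyContinue | Where-Object State -ne 'Disabled' | ForEach-Object {
        $task = $_
        foreach ($a in $task.Actions) {
            if ($a.Execute) {
                [pscustomobject]@{ Source = 'ScheduledTask'; Location = $task.TaskPath; Name = $task.TaskName
                                   Command = "$($a.Execute) $($a.Arguments)".Trim() }
            }
        }
    }

    # 4. Services configured to start automatically (the "sc create ... start= auto" case)
    Get-CimInstance -ClassName Win32_Service | Where-Object StartMode -eq 'Auto' | ForEach-Object {
        [pscustomobject]@{ Source = 'Service'; Location = 'HKLM\SYSTEM\CurrentControlSet\Services\' + $_.Name
                           Name = $_.DisplayName; Command = $_.PathName }
    }
}

# Typical triage: anything launched from a user-writable location deserves a look
Get-AutostartInventory |
    Where-Object { $_.Command -match 'AppData|ProgramData|Temp|Users\\Public' } |
    Format-Table -AutoSize
```

The filter at the end is only a starting point: a legitimate updater also lives in AppData, and a malicious service can sit in System32. Comparing two runs of the inventory (before and after executing a sample) is the same idea RegShot applies to the registry as a whole.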
Hunting for malware
persistence artifacts
Sysinternals’ Autoruns
• Autoruns enumerates all known autostart locations (Run keys, startup folders, scheduled tasks, services, drivers, COM objects, shims, etc.) in a single view

RegShot
• RegShot allows for monitoring changes in the Windows Registry: take a snapshot before and after the sample runs and compare the two
Hiding Persistence
Hiding Persistence - ideas
• Typical methods, but with extra measures to cover/protect the artifacts
• Abuse of other mechanisms of the system for automated injection, e.g.:
• AppInit_DLLs, COM hijacking, shims, MS Application Verifier Provider
(“DoubleAgent” technique), etc.
• User-triggered persistence – hide in other elements that are likely to be
clicked/deployed by a user
Typical methods + extra
measures
• Last minute persistence (e.g. Dridex v. 3)
• Make the sample inaccessible: ADS, special folders (e.g. Diamond Fox)
• Hide in plain sight:
• behind legitimate applications: Korplug
• hide the executable in the Windows registry – “fileless” malware
• use scripts to load malicious modules – often PowerShell
Last minute persistence
1. Inject into another process and delete your own file -> no malicious PE on the disk while the system is running
2. Set callbacks on window messages:
• WM_QUERYENDSESSION, WM_ENDSESSION:
to detect when the system is going to shut down (or the user is logging off)
3. On shutdown event detected: write yourself back to the disk and add the Run key for
persistence
4. On system startup: delete the Run key and the file, go to 1.
• Effect: the Run key and the dropped file exist only between shutdown and the next startup, so a scan of the running system finds neither
Make file inaccessible –
special folders
• Example: Diamond Fox
• A normal persistence key (Run), but pointing into a directory with a special name:
lpt8.{20D04FE0-3AEA-1069-A2D8-08002B30309D}
Make file inaccessible –
special folders
• Reserved device names – a folder name starting with one of:
CON, PRN, AUX, NUL, LPT1, LPT2, LPT3, LPT4, LPT5, LPT6,
LPT7, LPT8, LPT9, COM1, COM2, COM3, COM4, COM5, COM6,
COM7, COM8, COM9
• Win32 path handling treats such a name as a device, so Explorer and most tools cannot open, rename or delete the folder; it can still be reached with the \\?\ prefix, which skips that parsing (e.g. rd /s /q "\\?\C:\path\lpt8.{...}")
Make file inaccessible –
special folders
• Special CLSIDs (shell namespace class IDs), e.g.:
GodMode.{ED7BA470-8E54-465E-825C-99712043E01C}
Administrative Tools.{D20EA4E1-3957-11d2-A40B-0C5020524153}
All Tasks.{ED7BA470-8E54-465E-825C-99712043E01C}
History.{ff393560-c2a7-11cf-bff4-444553540000}
• Clicking on such a folder triggers a different action (the shell opens the namespace object identified by the CLSID instead of the directory)
-> no access to the content

Make file inaccessible –
special folders
• Benefits from using special folders:
• User cannot access the content – the special CLSID suffix makes the shell open something other than the folder
• Cannot be removed/renamed in a typical way – the reserved device name prevents operating on the folder
• Restricted name + special CLSID:
lpt8.{20D04FE0-3AEA-1069-A2D8-08002B30309D}
Make file invisible – ADS
• ADS - Alternate Data Streams
• A feature of the NTFS file system
• Implemented, but rarely used by Windows itself (the best-known legitimate use is the Zone.Identifier stream that marks downloaded files)
• Only the main (unnamed) stream of the file is listed/accessible in a typical way; one file can have many alternate data streams
• Format:
<file_name>:<alternate_stream_name>

Make file invisible – ADS
• Get a [Link]: [Link]
• Copy the DLL into an ADS of some file, e.g.:
type [Link] > [Link]:demo

• Deploy the DLL from the alternate stream (DllMain):
[Link] /s [Link]:demo

• Deploy a specific function (e.g. Test1) from the DLL:
[Link] [Link]:demo,Test1

Make file invisible – ADS
• Result: (screenshot)
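As an added example (not from the original slides), the same stream handling done with PowerShell's -Stream parameter, which the FileSystem provider supports from PowerShell 3 onwards, followed by a small hunting function. The carrier file name (host.txt in %TEMP%) and the stream name demo are this example's own choices.

```powershell
# Added example (not from the slides): plant, list, read and hunt for ADS.
$carrier = Join-Path $env:TEMP 'host.txt'
Set-Content -Path $carrier -Value 'nothing to see here'         # main (unnamed) stream
Set-Content -Path $carrier -Stream demo -Value 'payload bytes'   # hidden stream host.txt:demo
# Binary equivalent of "type payload.dll > host.txt:demo" (Windows PowerShell 5;
# PowerShell 7 replaces -Encoding Byte with -AsByteStream):
#   Set-Content -Path $carrier -Stream demo -Encoding Byte -Value ([IO.File]::ReadAllBytes('payload.dll'))

(Get-Item $carrier).Length                  # dir-style size: the main stream only
Get-Item -Path $carrier -Stream * |         # every stream; ':$DATA' is the unnamed main one
    Select-Object Stream, Length
Get-Content -Path $carrier -Stream demo     # read the hidden content back

# Hunt: files under a tree that carry a stream other than the main one and the
# benign Zone.Identifier mark-of-the-web
function Find-AlternateStreams {
    param([string]$Root = $env:USERPROFILE)
    Get-ChildItem -Path $Root -File -Recurse -Force -ErrorAction SilentlyContinue | ForEach-Object {
        Get-Item -Path $_.FullName -Stream * -ErrorAction SilentlyContinue |
            Where-Object { $_.Stream -notin ':$DATA', 'Zone.Identifier' } |
            ForEach-Object { [pscustomobject]@{ File = $_.FileName; Stream = $_.Stream; Length = $_.Length } }
    }
}
Find-AlternateStreams -Root $env:TEMP

Remove-Item -Path $carrier -Stream demo     # removes only the hidden stream
```

The hunt only sees streams the enumeration API reports; a stream on a file the current user cannot read is skipped silently because of -ErrorAction SilentlyContinue, so run it with the privileges of the account whose profile you are examining. Streams also vanish when a file is copied to FAT/exFAT media or sent through most network shares, which is why a sample that worked in a lab may "lose" its payload.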
Make registry keys inaccessible

• NULL character at the beginning of the key name

• Example: Kovter
\0c:\\users\\tester\\appdata\\local\\bcd7\\[Link]
• Malformed key: Regedit cannot display it – the Win32 registry API treats names as NUL-terminated strings, so a name starting with \0 can only be created and opened through the native API (NtCreateKey/NtOpenKey), which carries the name length explicitly
• Still can be viewed by Autoruns (and removed with Sysinternals’ RegDelNull)...
Make registry keys harder to spot

• By default, Autoruns hides entries whose executable is a Microsoft-signed binary (the “Hide Microsoft Entries” option)

• Example: Moker trojan
• By default, Autoruns shows only two keys... but there are more

Make registry keys harder to spot
• Example: Moker trojan – the malware is deployed by a Microsoft application: Rundll32

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
@="rundll32.exe shell32.dll,ShellExec_RunDLL \"C:\\ProgramData\\<malware>.exe\""

• The Run value starts with a Microsoft binary (rundll32.exe calling the ShellExec_RunDLL export of shell32.dll, which simply ShellExecutes its argument), so Autoruns classifies the entry as Microsoft’s and hides it; untick “Hide Microsoft Entries” and look at the arguments, not just the image path
Hide behind legitimate
applications (DLL abuse)
• Korplug (PlugX) - spyware
• Uses a vulnerable, digitally signed, legitimate application (old AV products)
• Exploits DLL side-loading: the application loads a DLL by name from its own directory first, and the planted DLL is only a decoder
• The real malware is decrypted in memory -> no malicious PE file on the
disk -> hard to detect!

Hide behind legitimate
applications (script)
• Terdot Zbot (Zeus-based banking trojan):

C:\AppData\Roaming\Haxyka\[Link] [Link]

• Uses a legitimate application (the PHP interpreter)
• PHP is used to deploy an obfuscated script
• The script decrypts and loads the malware
• The real malware is revealed only in memory:
• no malicious PE file on the disk -> hard to detect!
• Hunting hint: the command line of the autostart entry is still the artifact – an interpreter started from a user-writable directory with a script as argument
Hide code in the registry

• So called “fileless” malware:
• Phasebot
• Poweliks
• Gootkit
• Kovter
• PoshSpy (APT29), using a WMI event subscription and PowerShell
• Others...

Hide code in the registry
• Trivial case - PE file saved in a registry value: (screenshot)

Hide code in the registry
(multilayer: Kovter)
• Kovter – a click-fraud malware
• Persistence is achieved by a basic Run key – but the flow leading to the malicious
executable is obfuscated
• The malicious PE is stored in the registry in encrypted form
• Multiple layers (Run key -> script -> PowerShell -> decryption -> in-memory PE) till the real payload is loaded... (screenshot)
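An added hunting example, not from the original slides, for the "code in the registry" families above: walk the hives through the Win32 API and flag values that look like a raw, hex-encoded or base64-encoded PE image, or that are simply far larger than any normal setting (the encrypted Kovter case). The function name, the default roots and the 4 KB threshold are this example's own choices.

```powershell
# Added example (not from the slides): hunt for PE images stashed in registry
# values. Uses the Win32 API, so keys with a leading NUL in the name (Kovter)
# are not reachable here; those need Autoruns or RegDelNull.
function Find-RegistryPayload {
    param(
        [string[]]$Roots = @('HKCU:\Software', 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion'),
        [int]$MinSize = 4096   # a PE is at least a few KB; skip ordinary settings
    )
    foreach ($root in $Roots) {
        $keys = @(Get-Item -Path $root -ErrorAction SilentlyContinue) +
                @(Get-ChildItem -Path $root -Recurse -ErrorAction SilentlyContinue)
        foreach ($key in $keys) {
            foreach ($name in $key.GetValueNames()) {
                $kind = $key.GetValueKind($name).ToString()
                $val  = $key.GetValue($name)
                $hit  = $null
                switch ($kind) {
                    'Binary' {
                        if ($val.Length -ge $MinSize) {
                            $hit = if ($val[0] -eq 0x4D -and $val[1] -eq 0x5A) { 'raw PE (MZ header)' }
                                   else { 'large binary blob' }
                        }
                    }
                    { $_ -eq 'String' -or $_ -eq 'ExpandString' } {
                        if ($val.Length -ge $MinSize) {
                            # base64 of bytes 4D 5A xx always starts with TVo, TVp, TVq or TVr
                            $hit = if ($val -match '^TV[opqr]') { 'base64-encoded PE' }
                                   elseif ($val -match '^4[dD]5[aA]') { 'hex-encoded PE' }
                                   else { 'large string blob (possibly encrypted, Kovter-style)' }
                        }
                    }
                }
                if ($hit) {
                    [pscustomobject]@{
                        Key       = $key.Name
                        Value     = if ($name) { $name } else { '(default)' }
                        Kind      = $kind
                        Size      = $val.Length
                        Indicator = $hit
                    }
                }
            }
        }
    }
}

Find-RegistryPayload | Sort-Object Size -Descending | Format-Table -AutoSize
```

Expect some legitimate noise (installer caches, browser settings, Office MRU blobs); the useful signal is a large value under an odd key that is referenced, directly or through a script, from one of the autostart locations. The PowerShell in the chain is itself visible: the Run value or the script it launches has to contain the command line that reads the value back.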
Abusing AppInit_DLLs

• Defines DLLs that are loaded into every process that loads user32.dll
[UAC bypass required]
• Disabled in Windows 8 and above when Secure Boot is enabled; otherwise gated by the LoadAppInit_DLLs value next to it (1 = enabled) and by RequireSignedAppInit_DLLs

• Registry keys:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs
(32-bit OS + 32-bit DLL, or 64-bit OS + 64-bit DLL)
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs
(64-bit OS + 32-bit DLL)
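An added check, not from the original slides, that reports whether the AppInit_DLLs mechanism is armed on a host and what it would load in each registry view, resolving and signature-checking every listed DLL. The function name and output layout are this example's own; Confirm-SecureBootUEFI needs an elevated prompt on a UEFI machine and is caught when unavailable.

```powershell
# Added example (not from the slides): AppInit_DLLs status for both views.
function Get-AppInitStatus {
    $secureBoot = 'unknown (not UEFI or not elevated)'
    try { $secureBoot = Confirm-SecureBootUEFI -ErrorAction Stop } catch { }

    $keys = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows',
            'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows'
    foreach ($key in $keys) {
        $p = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if (-not $p) { continue }                       # view absent on a 32-bit OS
        # the value is a space- or comma-separated list; entries may be bare names
        $dlls = @()
        if ($p.AppInit_DLLs) { $dlls = @($p.AppInit_DLLs -split '[ ,]+' | Where-Object { $_ }) }
        if (-not $dlls) { $dlls = @('<none>') }
        foreach ($dll in $dlls) {
            $path = $null; $sig = ''
            if ($dll -ne '<none>') {
                # bare names are looked up relative to the System32 of that view
                $path = if (Test-Path $dll) { (Resolve-Path $dll).Path } else { Join-Path $env:SystemRoot "System32\$dll" }
                $sig  = if (Test-Path $path) { (Get-AuthenticodeSignature -FilePath $path).Status } else { 'missing' }
            }
            [pscustomobject]@{
                View             = $key
                SecureBoot       = $secureBoot
                LoadAppInit_DLLs = $p.LoadAppInit_DLLs           # 1 = mechanism enabled
                RequireSigned    = $p.RequireSignedAppInit_DLLs  # 1 = only signed DLLs are loaded
                Dll              = $dll
                Resolved         = $path
                Signature        = $sig
            }
        }
    }
}

Get-AppInitStatus | Format-List
```

A non-empty list with LoadAppInit_DLLs = 1, Secure Boot off and an unsigned or missing DLL is the combination to escalate; a populated list on a Secure Boot machine is dead configuration but still tells you someone tried.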
Abusing shim databases

• Microsoft Application Compatibility Toolkit – creates patches (shim databases): (screenshot)

• Shim Database (.sdb)
• Allows setting automated injection of a patch into a selected application
• Can be used to automatically load malicious modules when the target
application is started (DLL, shellcode, etc.)
• Installation requires elevated privileges
[UAC bypass required]

• sdbinst.exe – standard Windows tool, manages patches (.sdb):

sdbinst /q <path_to_shim_db>.sdb

• Example: Ramnit malware deploying sdbinst
[Link]/sample/c823183b49148e7e60d84142ccefc8fe16fe44bec94d5eabdbd623c65cdaff8c?environmentId=100/

• To trigger fewer alerts, install a shim without sdbinst.exe, by writing the registry entries directly
• Example of edited keys:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\InstalledSDB]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\InstalledSDB\{7c6002f0-559a-488a-9fc1-bd54c33fdfa9}]
"DatabasePath"=<path_to_shim>.sdb
"DatabaseType"=dword:00010000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom\<shimmed_app>.exe]
"{7c6002f0-559a-488a-9fc1-bd54c33fdfa9}.sdb"=hex(b):90,58,2d,0d,1a,b7,d2,01

• The hex(b) value is a 64-bit FILETIME (the install timestamp); sdbinst also copies the database into %SystemRoot%\AppPatch\Custom\, so an InstalledSDB entry whose DatabasePath points elsewhere was most likely written by hand
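An added example, not from the original slides: list the installed shim databases and the applications they hook straight from the two registry keys shown above, link each hooked application back to its database, and decode the hex(b) FILETIME. The function name, the InPatchDir heuristic and the column names are this example's own choices.

```powershell
# Added example (not from the slides): installed shims and their targets.
function Get-InstalledShim {
    $base = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags'

    # 1. Every registered database, keyed by its GUID
    $dbs = @{}
    Get-ChildItem -Path "$base\InstalledSDB" -ErrorAction SilentlyContinue | ForEach-Object {
        $p = Get-ItemProperty -Path $_.PSPath
        $dbs[$_.PSChildName] = [pscustomobject]@{
            DatabaseId   = $_.PSChildName
            DatabasePath = $p.DatabasePath
            Description  = $p.DatabaseDescription
            Type         = '0x{0:X8}' -f [int64]$p.DatabaseType
            # sdbinst copies databases here; anything else was likely registered by hand
            InPatchDir   = [string]$p.DatabasePath -like "$env:SystemRoot\AppPatch\Custom*"
        }
    }

    # 2. Every hooked application, linked back to its database
    Get-ChildItem -Path "$base\Custom" -ErrorAction SilentlyContinue | ForEach-Object {
        $key = $_
        foreach ($valueName in $key.GetValueNames()) {      # value name is "{GUID}.sdb"
            $id = $valueName -replace '\.sdb$', ''
            $db = $dbs[$id]
            [pscustomobject]@{
                ShimmedApp   = $key.PSChildName
                DatabaseId   = $id
                DatabasePath = if ($db) { $db.DatabasePath } else { '<not in InstalledSDB>' }
                InPatchDir   = if ($db) { $db.InPatchDir } else { $false }
                # the REG_QWORD value is the install time as a FILETIME
                InstalledUtc = [DateTime]::FromFileTimeUtc([int64]$key.GetValue($valueName))
            }
        }
    }
}

Get-InstalledShim | Format-Table -AutoSize

# The hex(b) bytes from the .reg fragment above, decoded the same way
# (little-endian QWORD -> FILETIME -> UTC timestamp):
$bytes = [byte[]](0x90, 0x58, 0x2d, 0x0d, 0x1a, 0xb7, 0xd2, 0x01)
[DateTime]::FromFileTimeUtc([BitConverter]::ToInt64($bytes, 0))
```

Rows with InPatchDir = $false, or a Custom entry whose database is missing from InstalledSDB altogether, are the ones that bypassed sdbinst; the decoded timestamp then gives you the point on the timeline to look for the process that wrote the keys.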
COM Hijacking

• COM – Component Object Model
• “enables interaction between software components through the operating
system”
• Objects are identified by CLSID – examples:
{3543619C-D563-43f7-95EA-4DA7E1CC396A} – Shell Icon Overlay Handler
{BCDE0395-E52F-467C-8E3D-C4579291692E} - MMDevice Manipulator

More: [Link]
us/library/accessibility(v=vs.110).aspx

COM Hijacking
• Substitute a legitimate COM server by your own: register the CLSID in the per-user hive, which is consulted before HKLM when HKCR is resolved and needs no administrator rights
• When an application using the hijacked COM object is loaded, the malware DLL is executed inside that application’s process
• Keys:
HKCU\Software\Classes\CLSID\[hijacked CLSID]\InprocServer32
(32-bit OS + 32-bit DLL, or 64-bit OS + 64-bit DLL)
HKCU\Software\Classes\Wow6432Node\CLSID\[hijacked CLSID]\InprocServer32
(64-bit OS + 32-bit DLL)

COM Hijacking
• Examples:
[HKEY_CURRENT_USER\Software\Classes\CLSID\{BCDE0395-E52F-467C-8E3D-C4579291692E}\InprocServer32]
@="C:\\ProgramData\\[Link]"
"ThreadingModel"="Apartment"

[HKEY_USERS\S-1-5-21-1929933236-2258453022-3626796957-1000_Classes\CLSID\{BCDE0395-E52F-467C-8E3D-C4579291692E}\InprocServer32]
@="C:\\ProgramData\\[Link]"
"ThreadingModel"="Apartment"
• (both listings are the same registration: HKCU\Software\Classes is a view of HKEY_USERS\<SID>_Classes)
User-triggered persistence: link
hijacking
• Example: Spora ransomware
HKEY_LOCAL_MACHINE\Software\Classes\lnkfile\IsShortcut

• Hijacking in the style of Spora ransomware:
1. Disable showing link indicators (the small arrow overlay on shortcut icons):
• Delete:
HKEY_LOCAL_MACHINE\Software\Classes\lnkfile\IsShortcut
2. Hide folders and substitute them by links with the same name and icon
3. Clicking the link causes opening the original program/folder + deploying the
dropped malware

• Similarly: existing shortcuts can be overwritten by shortcuts
deploying malware (screenshot of the modified shortcut target):

C:\ProgramData\[Link]
C:\totalcmd\[Link]
User-triggered persistence
(handler hijacking)
• An extension is mapped to a handler (the application that opens files of that type); hijack the handler so that the malicious app runs instead of (or before) the genuine app

• Applications handling particular extensions are defined in the registry
• Globally defined extensions and handlers, in:
• HKEY_CLASSES_ROOT (a merged view of HKLM\Software\Classes and the per-user classes)
• It can be also defined per user:
• HKEY_USERS -> <user SID>_Classes (the same data as HKCU\Software\Classes)
• Redefining a handler per user: no Administrator rights required, and the per-user definition wins over the global one
• When the user clicks a file with the hijacked extension, the malware is deployed
• DEMO:
• [Link]
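An added example, not from the original slides, covering both the COM hijacking and the handler hijacking sections: enumerate per-user COM servers and per-user file-type definitions that shadow the machine-wide ones. Both techniques rest on the same fact, that HKCR is built by merging HKCU\Software\Classes over HKLM\Software\Classes, so one walk of the per-user hive finds both. The function names and output columns are this example's own.

```powershell
# Added example (not from the slides): per-user Classes entries that override
# machine-wide COM servers or file-type handlers.
function Get-UserClassesOverride {
    $hkcu = 'HKCU:\Software\Classes'
    $hklm = 'HKLM:\Software\Classes'

    function Get-DefaultValue([string]$Path) {
        $p = Get-ItemProperty -Path $Path -ErrorAction SilentlyContinue
        if ($p) { $p.'(default)' } else { $null }
    }

    # COM hijacking: InprocServer32 registered in the per-user hive (both views on 64-bit)
    foreach ($sub in 'CLSID', 'Wow6432Node\CLSID') {
        Get-ChildItem -Path "$hkcu\$sub" -ErrorAction SilentlyContinue | ForEach-Object {
            $clsid   = $_.PSChildName
            $userSrv = Get-DefaultValue "$hkcu\$sub\$clsid\InprocServer32"
            if (-not $userSrv) { return }            # no in-process server registered per user
            $machSrv = Get-DefaultValue "$hklm\$sub\$clsid\InprocServer32"
            [pscustomobject]@{
                Kind = 'COM'; Id = "$sub\$clsid"; PerUser = $userSrv
                Machine = $machSrv; ShadowsMachine = [bool]$machSrv
            }
        }
    }

    # Handler hijacking: per-user extension -> ProgId mapping, or per-user ProgId
    # whose shell\open\command differs from the machine-wide one
    Get-ChildItem -Path $hkcu -ErrorAction SilentlyContinue | ForEach-Object {
        $name = $_.PSChildName
        if ($name -like '.*') {
            $userVal = Get-DefaultValue "$hkcu\$name"                       # ProgId for the extension
            $machVal = Get-DefaultValue "$hklm\$name"
            $kind    = 'Extension'
        } else {
            $userVal = Get-DefaultValue "$hkcu\$name\shell\open\command"    # command that opens it
            $machVal = Get-DefaultValue "$hklm\$name\shell\open\command"
            $kind    = 'OpenCommand'
        }
        if (-not $userVal) { return }
        [pscustomobject]@{
            Kind = $kind; Id = $name; PerUser = $userVal
            Machine = $machVal; ShadowsMachine = [bool]$machVal
        }
    }
}

# Entries that shadow a machine definition and point somewhere else are the
# interesting ones. Per-user entries with no machine counterpart are often
# per-user installs, but a CLSID that some process loads anyway is a hijack too.
Get-UserClassesOverride |
    Where-Object { $_.PerUser -ne $_.Machine } |
    Sort-Object Kind, Id | Format-Table -AutoSize
```

The extension check covers the classic association only; on Windows 8 and later Explorer also honours the UserChoice key under HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\<ext>, which is worth reading next to these results when the Explorer double-click path is the one being hijacked.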
Conclusions

• Authors of malware are very creative in finding new ways of hiding
persistence
• The easiest way to detect the persistence method is by observing the
installation (e.g. an Autoruns or RegShot diff around the execution of the sample) – post-infection analysis is much harder
• “Fileless” malware also creates artifacts (registry values, scheduled tasks, WMI subscriptions, script-host command lines) that can be found in a typical way