Common malware persistence mechanisms
As we know, malware becomes stealthier by somehow achieving persistence on the exploited machine. This helps malware authors to inject/exploit once, and the malware will continue to act even after restarts/reboots/log-offs, etc. In this article, we will focus only on Windows as it has a lot of areas like Autostart Extension Points (ASEP) through which persistence can be achieved. This article will contain the common ways of achieving it and is by no means is an exhaustive list to achieve persistence on a Windows machine.
Become a certified reverse engineer!
Common ways of achieving persistence used by malware
Modifying registry keys
Modifying registry keys are often used by malware to achieve persistence on a system. Below are some of the most common registry values/locations exploited by malware.
Run/RunOnce keys
As I stated above windows has a lot of AutoStart Extension Points(ASEP). When it comes to malware, most of them would like to achieve persistence by editing the below registry keys:
- HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionRun
- HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionRunOnce
The above-listed keys are at the user level and are often used by malware analysis to achieve persistence if not able to exploit the admin/system-level privileges.
Otherwise, malware infects these keys at the system level
- HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionRun
- HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionRunOnce
- HKEY_LOCAL_MACHINESoftwareMicrosoftWindowsCurrentVersionPoliciesExplorerRun
BootExecute key
Since smss.exe launches before the Windows subsystem loads, it calls configuration subsystem to load the hive present at HKLMSYSTEMCurrentControlSetControlhivelist. Also, smss.exe will launch anything present in the BootExecute key at HKEY_LOCAL_MACHINESYSTEMControlSet002ControlSession Manager. It should always have the value of autocheck autochk*. If there are more values in it, then probably the malware is likely to launch at boot.
Keys used by WinLogon process
- Userinit Key
Winlogon process uses the value specified in the Userinit key to launch login scripts etc. This key is located at HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionWinlogon. Usually, userinit key points to userinit.exe but if this key can be altered, then that exe will also launch by Winlogon.
- Notify
Since Winlogon handles Secure Attention Sequence (SAS) (Ctrl+Alt+Del), notify subkeys found at HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionWinlogonNotify are used to notify event handles when SAS happens and loads a DLL. This DLL can be edited to launch whenever such SAS event occurs.
- Explorer.exe
Pointed by key located at HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionWinlogonShell, this key points to explorer.exe(Windows interface) and should only be string explorer.exe rather than complete path as it is supposed to launch from windows. The boot key at HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionIniFileMappingsystem.iniboot points to the location under Winlogon only.
Startup Keys
Placing a malicious file under the startup directory is often used by malware authors. Any shortcut created to the location pointed by subkey Startup will launch the service during logon/reboot. Start-up location is specified both at Local Machine and Current User.
- HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionExplorerUser Shell Folders
- HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionExplorerShell Folders
- HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionExplorerShell Folders
- HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionExplorerUser Shell Folders
Services
- Many windows services are required to run at boot like Workstation/server services, Windows Event Log, and other Win drivers. These are located at HKEY_LOCAL_MACHINESYSTEMCurrentControlSetservices.
- Along with placing a malicious file in the above-listed registry key, there is another way to load malicious files. Malicious files can be loaded if a service fails to start. For example below screenshot shows how RDP failure can be used to run a program.
- There are some other keys that are used to start background services like remote registry service. These are located at:
- HKEY_LOCAL_MACHINESoftwareMicrosoftWindowsCurrentVersionRunServicesOnce
- HKEY_LOCAL_MACHINESoftwareMicrosoftWindowsCurrentVersionRunServices
Browser Helper Objects(BHO)
- It is essentially a DLL module loaded when Internet Explorer starts up. Various data theft types malware affect BHO. They are located at HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionExplorerBrowser Helper Objects. There are various subkeys under BHO which tell the browser to load which DLLs.
AppInit_DLLs
- Key located at HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionWindowsAppInit_DLLs will show the DLLs loaded by the User32.dll. As most executables load User32.dll, this is a good place for malicious DLLs to reside.
File Association keys
- Located at HKEY_LOCAL_MACHINESoftwareClasses and HKEY_CLASSES_ROOT; there are various keys which are used to specify the action when a certain type of files are open. For example below is the Command value when a txt file is opened in my system HKEY_CLASSES_ROOTtextfileshellopencommand
DLL Search Order Hijacking
Another common method used by malware is to hijack a concept about how the OS loads DLLs. Whenever an exe loads (even explorer.exe), it follows a certain path search to load the required DLLs. Because DLLs are loaded in the order the directories are parsed, it is possible to add a malicious DLL with the same name in a directory earlier than the directory where the legit DLL resides. If Safe DLL search mode is enabled (which is by default on most versions) then OS will check whether the DLL is already loaded in memory or is it a part of Known DLLs registry key located at HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSession ManagerKnownDLLs. If OS cannot find the DLL at either of these, then DLL search starts in the following order
- The directory from where the application was launched
- System Directory(C:WindowsSystem32)
- Windows Directory
- Current Working Directory
- Directories are defined in the PATH variable.
So malware can easily place a malicious DLL in the search order. More details about this can be found here.
Shortcut Hijacking
Another simple but very effective technique is to hijack the shortcut icons Target attribute. Along with a normal application to be launched, shortcut icon can be forced to download content from an evil site.
Note that there are various other methods like infecting MBR, COM object hijack, etc. are also by malware, but above are some of the common methods used by malware to achieve persistence.
- Exam Pass Guarantee
- Live expert instruction
- Hands-on labs
- CREA exam voucher
In this Series
- Common malware persistence mechanisms
- How AsyncRAT is escaping security defenses
- Chrome extensions used to steal users' secrets
- Luna ransomware encrypts Windows, Linux and ESXi systems
- Bahamut Android malware and its new features
- LockBit 3.0 ransomware analysis
- AstraLocker releases the ransomware decryptors
- Analysis of Nokoyawa ransomware
- Goodwill ransomware group is propagating unusual demands to get the decryption key
- Dangerous IoT EnemyBot botnet is now attacking other targets
- Fileless malware uses event logger to hide malware
- Nerbian RAT Using COVID-19 templates
- Popular evasion techniques in the malware landscape
- Sunnyday ransomware analysis
- 9 online tools for malware analysis
- Blackguard malware analysis
- Behind Conti: Leaks reveal inner workings of ransomware group
- ZLoader: What it is, how it works and how to prevent it | Malware spotlight [2022 update]
- WhisperGate: A destructive malware to destroy Ukraine computer systems
- Electron Bot Malware is disseminated via Microsoft's Official Store and is capable of controlling social media apps
- SockDetour: the backdoor impacting U.S. defense contractors
- HermeticWiper malware used against Ukraine
- MyloBot 2022: A botnet that only sends extortion emails
- Mars Stealer malware analysis
- How to remove ransomware: Best free decryption tools and resources
- Purple Fox rootkit and how it has been disseminated in the wild
- Deadbolt ransomware: The real weapon against IoT devices
- Log4j - the remote code execution vulnerability that stopped the world
- Rook ransomware analysis
- Modus operandi of BlackByte ransomware
- Emotet malware returns
- Mekotio banker trojan returns with new TTP
- Android malware BrazKing returns
- Malware instrumentation with Frida
- Malware analysis arsenal: Top 15 tools
- Redline stealer malware: Full analysis
- A full analysis of the BlackMatter ransomware
- A full analysis of Horus Eyes RAT
- REvil ransomware: Lessons learned from a major supply chain attack
- Pingback malware: How it works and how to prevent it
- Android malware worm auto-spreads via WhatsApp messages
- Malware analysis: Ragnarok ransomware
- Taidoor malware: what it is, how it works and how to prevent it | malware spotlight
- SUNBURST backdoor malware: What it is, how it works, and how to prevent it | Malware spotlight
- ZHtrap botnet: How it works and how to prevent it
- DearCry ransomware: How it works and how to prevent it
- How criminals are using Windows Background Intelligent Transfer Service
- How the Javali trojan weaponizes Avira antivirus
- HelloKitty: The ransomware affecting CD Projekt Red and Cyberpunk 2077
- DreamBus Botnet: An analysis
- Kobalos malware: A complex Linux threat
Get certified and advance your career
- Exam Pass Guarantee
- Live instruction
- CompTIA, ISACA, (ISC)², Cisco, Microsoft and more!
Malware analysis
Malware analysis
Malware analysis
Malware analysis