Sticking Around: Common Windows Malware Persistence Mechanisms

Malware authors put a lot of time and effort into writing their malware and finding ways to get it installed and running on target machines. If users could get rid of malware for good just by closing it or restarting their computer, those attackers would have put in a lot of work for minimal payoff. So attackers build malware persistence mechanisms into their creations to be sure they stick around.

What are Malware Persistence Mechanisms?

Malware persistence mechanisms are the various methods malware uses to stick around and resume running after it is closed or the target computer restarts. In this post, we’ll discuss some of the most common persistence mechanisms for Windows malware and how to defeat them.

Bootkits

Bootkits are boot-time malware that achieves persistence by inserting itself into the Windows startup procedure. In order to know what to do when it turns on, a computer needs instructions on which programs to run and in what order they should be executed. After the computer’s hardware is initialized by the BIOS, Windows machines follow the instructions encoded in the Master Boot Record (MBR) and then the Volume Boot Record (VBR).

The code contained in the MBR and VBR is always executed at computer startup, since it is the handoff between the logic encoded in the computer’s hardware and the software-encoded logic of the operating system.

Bootkits operate by modifying the code contained in the MBR and/or the VBR. Since the code at these locations is always executed on startup, the malware gets up and running before any antivirus or similar programs do. If you suspect that a computer has been infected with a bootkit, the best way to deal with it is to completely wipe the machine and reinstall the operating system.

DLL Search Order Hijacking

It is not uncommon for computer applications to need to launch other applications to function. For example, you may have a videoconferencing program that ties into your calendar application to allow you to schedule meetings from within the program. For this to work, the videoconferencing tool needs to be able to run the calendar app, which means that it needs to find where the program is saved in the Windows file system.

The places that the videoconferencing program will look for the calendar app are:

  1. The folder where the application is stored
  2. C:\Windows\System32
  3. C:\Windows\System
  4. C:\Windows
  5. The current directory
  6. The directories listed in the system PATH

Windows starts with the first location and searches it completely before moving on to the next. If the calendar app is in none of the listed locations, the videoconferencing app will receive an error.

This strict ordering gives malware an opportunity to implement a persistence mechanism.

Windows only looks for a file of the right name in each location. If your calendar app is located in the C:\Windows\ folder (the fourth location on the list) and the attacker places a malicious program with the same name in the folder where the videoconferencing program is located (the first location on the list), attempts by the videoconferencing program to access the calendar will run the malware instead.

Detecting and removing malware using this persistence mechanism is largely a matter of paying attention and double-checking everything.

If you suspect that malware is running on a computer, you can check the processes currently running on the machine using Task Manager. By opening Properties for a given process, you can see the folder it was loaded from. If you’re suspicious, check the folders later in the search order for an identically named file.
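The check described above can be automated. The following PowerShell function is an added example, not code from the original post: it enumerates the DLLs loaded by a running process and reports any that were loaded from the application’s own folder (location 1) while a DLL of the same name exists in System32 (location 2), which is exactly the shadowing pattern the search order makes possible. The process name and the use of System32 as the “expected” location are assumptions for the example.

```powershell
# Added example (not from the article): look for loaded DLLs that sit in the
# application's own folder while a DLL of the same name exists in System32.
# Location 1 beats location 2 in the search order, so the local copy wins.
function Find-ShadowedModules {
    param(
        # Process name without .exe, e.g. 'notepad' (assumed input)
        [Parameter(Mandatory)][string]$ProcessName
    )

    $system32 = Join-Path $env:SystemRoot 'System32'
    $findings = @()

    foreach ($proc in Get-Process -Name $ProcessName -ErrorAction SilentlyContinue) {
        # Module enumeration fails for protected processes or across bitness
        # boundaries; treat that as "could not inspect", not as "clean".
        try {
            $appDir  = Split-Path -Parent $proc.MainModule.FileName
            $modules = $proc.Modules
        } catch {
            Write-Warning "Cannot enumerate modules of PID $($proc.Id): $($_.Exception.Message)"
            continue
        }

        foreach ($mod in $modules) {
            $modDir = Split-Path -Parent $mod.FileName
            if ($modDir -ine $appDir) { continue }          # only DLLs from the app folder

            $systemCopy = Join-Path $system32 $mod.ModuleName
            if (-not (Test-Path -LiteralPath $systemCopy)) { continue }

            # A shadowing DLL is not automatically malicious (vendors sometimes ship
            # their own copy), so record the signature status to help triage.
            $sig = Get-AuthenticodeSignature -FilePath $mod.FileName
            $findings += [pscustomobject]@{
                Process        = $proc.ProcessName
                PID            = $proc.Id
                Module         = $mod.ModuleName
                LoadedFrom     = $mod.FileName
                ShadowsCopyIn  = $systemCopy
                SignatureState = $sig.Status
                Signer         = $sig.SignerCertificate.Subject
            }
        }
    }
    return $findings
}

# Usage: inspect every running instance of a process and list candidates.
Find-ShadowedModules -ProcessName 'notepad' | Format-Table -AutoSize
```

Run it from a PowerShell session with the same bitness as the target process and with enough privilege to open it; a hit with an invalid or missing signature on the local copy is the one to investigate first.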

Registry Keys

The Windows Registry is like an employee’s work diary. It includes notes on permissions and roles assigned to different programs, lists of programs to run in certain situations, and other behind-the-scenes information that keeps the Windows operating system going.

Included in the Windows Registry are several keys that state the appropriate actions in certain situations, including the following:

  • AppInit_DLLs: DLLs loaded into every process that loads User32.dll (which most GUI programs do)
  • BootExecute: Programs launched by smss.exe at system startup
  • Browser Helper Objects: DLLs loaded by Internet Explorer when it starts
  • File Association: Program(s) run when a file of a certain type is opened
  • Notify: Programs run when a user presses Ctrl-Alt-Del
  • Run/RunOnce: Programs run when a user logs in
  • Services: Windows services started at boot
  • Shell: Should point to explorer.exe; tells Windows which program to launch as the user’s shell
  • Startup: Programs in the Startup folder, launched when a user logs in

Malware can take advantage of these registry keys by inserting itself into the list of programs to be run in a given situation. If the situation is common (e.g. system startup or opening a widely used file format), the malware has a high probability of being executed soon after a reboot. Removing malware that uses this persistence mechanism involves checking the values of each of these registry keys for anomalous entries.
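As an added example (not the post’s own code), the PowerShell function below audits several of the locations listed above: it lists every Run/RunOnce entry for review, and it flags the Winlogon Shell value if it is anything other than explorer.exe, a non-empty AppInit_DLLs value, and a BootExecute value that differs from the Windows default of “autocheck autochk *”. Those expected defaults are the example’s assumptions about a stock Windows install; run it elevated so all HKLM locations are readable.

```powershell
# Added example (not from the article): enumerate common autostart registry
# locations and flag values that deviate from their stock-Windows defaults.
function Get-AutostartAudit {
    $findings = [System.Collections.Generic.List[object]]::new()
    # Get-ItemProperty adds these provider properties; they are not registry values.
    $psMeta = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

    function Add-Finding($Location, $Name, $Value, $Note) {
        $findings.Add([pscustomobject]@{
            Location = $Location; Name = $Name; Value = ($Value -join ' '); Note = $Note
        })
    }

    # 1. Run / RunOnce: every entry deserves a look at its path and signer.
    $runKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
            if ($psMeta -contains $p.Name) { continue }
            Add-Finding $key $p.Name $p.Value 'Run entry: confirm the path and signer'
        }
    }

    # 2. Winlogon\Shell should be explorer.exe (a per-user override also exists).
    foreach ($hive in 'HKLM', 'HKCU') {
        $wl    = "${hive}:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
        $shell = (Get-ItemProperty -Path $wl -Name Shell -ErrorAction SilentlyContinue).Shell
        if ($shell -and ($shell -ine 'explorer.exe')) {
            Add-Finding $wl 'Shell' $shell 'Expected explorer.exe'
        }
    }

    # 3. AppInit_DLLs is empty by default; anything listed is loaded into every
    #    process that loads user32.dll (when LoadAppInit_DLLs is enabled).
    foreach ($wnd in 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows',
                     'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Windows') {
        $v = Get-ItemProperty -Path $wnd -ErrorAction SilentlyContinue
        if ($v.AppInit_DLLs) {
            Add-Finding $wnd 'AppInit_DLLs' $v.AppInit_DLLs "Non-empty (LoadAppInit_DLLs=$($v.LoadAppInit_DLLs))"
        }
    }

    # 4. BootExecute (REG_MULTI_SZ) defaults to the single entry 'autocheck autochk *'.
    $sm   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
    $boot = (Get-ItemProperty -Path $sm -Name BootExecute -ErrorAction SilentlyContinue).BootExecute
    if ($boot -and ((@($boot) -join '|') -ne 'autocheck autochk *')) {
        Add-Finding $sm 'BootExecute' $boot 'Differs from default "autocheck autochk *"'
    }

    return $findings
}

Get-AutostartAudit | Format-Table -AutoSize -Wrap
```

The Run entries are reported without a verdict on purpose: legitimate software lives there too, so the useful follow-up is to resolve each path and check whether the file is signed by a publisher you expect.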

COM Object Hijacking

The Microsoft Component Object Model (COM) system is designed to help software interact by placing references to some commonly used code in the Windows registry. A program that wants to make use of a particular piece of code will look up its address in the registry and run the code located at that address.

Like DLL Search Order Hijacking, COM Object Hijacking relies on the order in which Windows looks for the desired object. COM objects are registered in two places in the registry:

  1. HKEY_CURRENT_USER\Software\Classes\CLSID
  2. HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID

Windows loads the objects located in HKEY_CURRENT_USER before those located in HKEY_LOCAL_MACHINE, and, if a conflict exists, the code listed in HKEY_CURRENT_USER wins. Malware can take advantage of this by placing a reference to malicious code in HKEY_CURRENT_USER with the same name as a commonly used COM object from HKEY_LOCAL_MACHINE. When a program requests the COM object, the malware will execute and then, most likely, execute the non-malicious code as well to deflect suspicion.

Detecting and removing this type of persistence mechanism involves inspecting the COM objects listed in both locations and investigating any suspicious ones.

While creating a malicious object with the same name as a benign object is one way of misusing COM objects, objects that have unique names are not necessarily benign. Benign software can be modified, or malicious software written, to call a malicious COM object with no benign counterpart. Any anomalous or suspicious COM objects located during an investigation should be checked.
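The inspection described in the two paragraphs above can be scripted. The following PowerShell function is an added example, not code from the original post: it walks every CLSID registered under HKEY_CURRENT_USER, looks up the matching CLSID under HKEY_LOCAL_MACHINE, and reports whether the per-user InprocServer32 or LocalServer32 path shadows the machine-wide one with a different server, duplicates it, or has no machine-wide counterpart at all (the “unique name” case). The registry paths are the two the post lists; the verdict wording is the example’s own.

```powershell
# Added example (not from the article): list per-user CLSID registrations and
# show whether each one shadows a per-machine registration of the same CLSID.
# Because HKCU wins the merge, a user-level server path that differs from the
# HKLM path for the same CLSID is the hijack pattern described above.
function Find-ComHijackCandidates {
    $machineRoot = 'HKLM:\SOFTWARE\Classes\CLSID'
    $userRoot    = 'HKCU:\Software\Classes\CLSID'
    $findings    = @()

    if (-not (Test-Path $userRoot)) { return $findings }   # nothing registered per user

    foreach ($userClsid in Get-ChildItem -Path $userRoot) {
        $clsid = $userClsid.PSChildName
        foreach ($serverType in 'InprocServer32', 'LocalServer32') {
            $userServer = "$($userClsid.PSPath)\$serverType"
            if (-not (Test-Path $userServer)) { continue }
            $userPath = (Get-ItemProperty -Path $userServer).'(default)'

            $machineServer = "$machineRoot\$clsid\$serverType"
            $machinePath   = $null
            if (Test-Path $machineServer) {
                $machinePath = (Get-ItemProperty -Path $machineServer).'(default)'
            }

            # Name the HKLM object where possible so triage knows what was shadowed.
            $name = (Get-ItemProperty -Path "$machineRoot\$clsid" -ErrorAction SilentlyContinue).'(default)'

            if ($null -eq $machinePath)          { $verdict = 'User-only object (check it anyway)' }
            elseif ($userPath -ine $machinePath) { $verdict = 'SHADOWS HKLM with a different server' }
            else                                 { $verdict = 'Duplicate of HKLM (benign-looking)' }

            $findings += [pscustomobject]@{
                CLSID         = $clsid
                ObjectName    = $name
                ServerType    = $serverType
                UserServer    = $userPath
                MachineServer = $machinePath
                Verdict       = $verdict
            }
        }
    }
    return $findings
}

Find-ComHijackCandidates | Sort-Object Verdict | Format-Table -AutoSize -Wrap
```

On a clean workstation the per-user CLSID tree is usually small, so every row is reviewable by hand; a server path pointing into a user-writable folder such as AppData deserves the closest look. This function audits only the current user’s hive, so repeat it for each profile on a shared machine.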

Shortcut Hijacking

Windows Shortcuts are designed to be an icon-based replacement for a command line instruction. This means the target of a shortcut can include additional arguments beyond the location and name of the application to be executed.

For example, setting the target (under Properties) of a Google Chrome shortcut to “C:\Program Files (x86)\Google\Chrome\Application\chrome.exe” http://www.swordshield.com will cause the shortcut to automatically open the Sword & Shield website in Chrome when clicked.

Malware can take advantage of this functionality as a reinfection and persistence mechanism.

By modifying the target of a web browser’s shortcut to point to a malicious website, an attacker can make it so that opening a web browser via the shortcut downloads malicious content to the computer.

Removing this persistence mechanism involves inspecting and sanitizing the targets of infected shortcuts. By right-clicking on the shortcut icon and selecting Properties, the shortcut’s target is revealed. Modification of the target requires Administrator privileges on Windows.
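Checking shortcut targets one at a time through Properties does not scale, so here is an added example (not the post’s own code) that does the same inspection in PowerShell. It reads every .lnk file in the usual shortcut folders through the WScript.Shell COM object, which separates the target from its arguments, and flags the pattern described above: a URL passed as an argument to the target, or a target that is a script host rather than an ordinary application. The folder list and the regular expressions are the example’s assumptions.

```powershell
# Added example (not from the article): read the target and arguments of every
# .lnk in the common shortcut folders and flag the patterns described above.
function Get-ShortcutAudit {
    param(
        [string[]]$Folders = @(
            [Environment]::GetFolderPath('Desktop'),
            [Environment]::GetFolderPath('CommonDesktopDirectory'),
            [Environment]::GetFolderPath('Programs'),
            [Environment]::GetFolderPath('CommonPrograms'),
            (Join-Path $env:APPDATA 'Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar')
        )
    )

    # WScript.Shell parses the binary .lnk format and separates target from arguments.
    $wsh = New-Object -ComObject WScript.Shell
    # Targets that are interpreters or loaders rather than the app the icon claims to be.
    $scriptHosts = 'cmd\.exe|powershell(\.exe)?|pwsh|wscript|cscript|mshta|rundll32|regsvr32'

    foreach ($folder in $Folders) {
        if (-not (Test-Path -LiteralPath $folder)) { continue }
        foreach ($lnk in Get-ChildItem -LiteralPath $folder -Filter *.lnk -Recurse -ErrorAction SilentlyContinue) {
            $sc        = $wsh.CreateShortcut($lnk.FullName)
            $target    = $sc.TargetPath
            $arguments = $sc.Arguments

            $reasons = @()
            if ($arguments -match 'https?://') { $reasons += 'URL passed as argument' }
            if ($target -match $scriptHosts)   { $reasons += 'Target is a script host or loader' }

            [pscustomobject]@{
                Shortcut  = $lnk.FullName
                Target    = $target
                Arguments = $arguments
                Flag      = ($reasons -join '; ')
            }
        }
    }
}

# Usage: show only the shortcuts that tripped a rule; drop the filter to see everything.
Get-ShortcutAudit | Where-Object Flag | Format-Table -AutoSize -Wrap
```

A browser shortcut with a URL argument is not always malicious (some organisations deploy a homepage that way), so compare any hit against what the shortcut looked like when it was installed before editing it.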

Eradicating Persistent Malware

Malware persistence mechanisms are designed to make it difficult to eradicate malware from an infected machine. The mechanisms described in this post are the most commonly-used methods for Windows computers, but other techniques exist as well.

If you know what you are doing, tracking down and removing malware persistence measures is fairly straightforward; however, the variety of techniques in use means that you will most likely come across an unfamiliar one eventually. If you’re dealing with a malware infection that just keeps coming back and you don’t know why, it’s probably best to call in an expert to guarantee that the infection is removed completely and prevented from spreading throughout your network.

If you need assistance in removing persistent malware from your systems, contact Sword & Shield for a free consultation.
