Wipe The Drive!!! - Techniques For Malware Persistence

Presented at ShmooCon IX (2013), Unknown date/time (Unknown duration).

Let's face it: sooner or later you will be owned. As a security professional, you (should) know that the best plan is to format the system drive, reinstall the operating system, and start over. But management has another plan. They know that rebuilding infrastructure from scratch involves costly downtime. The temptation to remove the obvious malware and declare the system clean is strong.

In session, we'll demonstrate eight less than obvious techniques that can be used to install secondary persistence techniques on a compromised Windows system.

The point of the session is not to address specific techniques that can be used as secondary persistence mechanisms for malicious actors. The idea is to conclusively demonstrate that techniques of this type exist that hide deep in the registry and other system settings. We will show that these techniques hide even from memory forensics, the holy grail of "clean system" confirmation.

Not that we consider it a substitute for formatting and re-installing the operating system, but we will be releasing a script that checks for the use of these specific techniques.


Presenters:

  • Mark Baggett
    Mark Baggett is the Technical Advisor to the DoD for SANS. He is a former CISO with the GSE and a Master in Security Engineering. Mark is a SANS Instructor and blogger for Pauldotcom. and SANS Pen-testing. Mark is also a handler for the Internet Storm Center.
  • Jake Williams
    Jake Williams is a senior analyst at CSRgroup where he has over a decade of experience in systems engineering, computer security, forensics, and malware reverse engineering. Jake is actively pursuing a PhD in Computer Science and is seeking operational networks for validating research in malware detection (jwilliams@csr-group.com).

Links:

Similar Presentations: