Wipe The Drive!!! - Techniques For Malware Persistence

ShmooCon IX - 2013

Presented by: Mark Baggett, Jake Williams
Date: Friday February 15, 2013
Time: 16:30 - 16:55
Location: Regency A
Track: One Track Mind

Let’s face it: sooner or later you will be owned. As a security professional, you (should) know that the best plan is to format the system drive, reinstall the operating system, and start over. But management has another plan. They know that rebuilding infrastructure from scratch involves costly downtime. The temptation to remove the obvious malware and declare the system clean is strong.

In session, we’ll demonstrate eight less than obvious techniques that can be used to install secondary persistence techniques on a compromised Windows system.

The point of the session is not to address specific techniques that can be used as secondary persistence mechanisms for malicious actors. The idea is to conclusively demonstrate that techniques of this type exist that hide deep in the registry and other system settings. We will show that these techniques hide even from memory forensics, the holy grail of “clean system” confirmation.

Not that we consider it a substitute for formatting and re-installing the operating system, but we will be releasing a script that checks for the use of these specific techniques.

Jake Williams

Jake Williams is a senior analyst at CSRgroup where he has over a decade of experience in systems engineering, computer security, forensics, and malware reverse engineering. Jake is actively pursuing a PhD in Computer Science and is seeking operational networks for validating research in malware detection (jwilliams@csr-group.com).

Mark Baggett

Mark Baggett is the Technical Advisor to the DoD for SANS. He is a former CISO with the GSE and a Master in Security Engineering. Mark is a SANS Instructor and blogger for Pauldotcom. and SANS Pen-testing. Mark is also a handler for the Internet Storm Center.


KhanFu - Mobile schedules for INFOSEC conferences.
Mobile interface | Alternate Formats