Malware persistence is a crucial aspect of cyber threats that often goes unnoticed by unsuspecting users. In the realm of cybersecurity, it refers to the ability of malicious software to establish a foothold on a targeted system, allowing it to maintain its presence over an extended period. This persistence is achieved through various covert techniques, enabling the malware to evade detection and removal attempts. Understanding the significance of malware persistence is essential for individuals and organizations alike, as it enables them to mitigate risks by implementing effective security measures. By comprehending the intricacies of this relentless adversary, we can better equip ourselves to combat the ever-evolving landscape of cyber threats.

Most Known Widows Persistence Locations

Malicious software employs various techniques and locations to establish a long-term presence on compromised systems, evading detection and making removal attempts challenging. Here are some of the most common Windows persistence locations used by malware, along with a brief explanation and a source code snippet showcasing each technique:

1. Registry Run Keys

Explanation: Malware can add entries to specific registry keys responsible for launching programs during system startup. For example:

# Add malicious entry to HKCU Run key
Set-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run' -Name 'Malware' -Value 'C:\Malware.exe'

2. Startup Folder

Explanation: By placing a shortcut or executable in the Startup folder, malware ensures it runs automatically after user login. For example (VBScript):

' Create shortcut to malware and place it in the Startup folder
Set Shell = CreateObject("WScript.Shell")
StartupFolder = Shell.SpecialFolders("Startup")
ShortcutPath = StartupFolder & "\Malware.lnk"

Set Shortcut = Shell.CreateShortcut(ShortcutPath)
Shortcut.TargetPath = "C:\Malware.exe"
Shortcut.Save

3. Windows Services

Explanation: Malware can disguise itself as a legitimate Windows service, running in the background and executing malicious actions. For exmaple (C#):

// Install malware as a Windows service
using System;
using System.ServiceProcess;

public partial class MalwareService : ServiceBase
{
    protected override void OnStart(string[] args)
    {
        // Malicious actions here
    }

    protected override void OnStop()
    {
        // Clean up and exit
    }    
}

4. Scheduled Tasks

Explanation: Malware can create scheduled tasks that run at specific times or events, ensuring persistence and periodic execution. For example (PowerShell):

# Create scheduled task to execute malware
$Action = New-ScheduledTaskAction -Execute 'C:\Malware.exe'
$Trigger = New-ScheduledTaskTrigger -AtStartup
Register-ScheduledTask -Action $Action -Trigger $Trigger -TaskName 'MalwareTask'

5. Browser Extensions

Explanation: Malicious browser extensions can be installed, allowing malware to remain active and interact with users’ browsing sessions. For example (JavaScript):

// Malicious browser extension code
chrome.runtime.onInstalled.addListener(function() {
    // Execute malicious actions here
});

6. AppInit_DLLs

Explanation: By modifying the AppInit_DLLs registry value, malware can inject itself into every process that loads a DLL, enabling persistent malicious behavior. For example (C++):

// Modify AppInit_DLLs registry value to load malware DLL
HKEY hKey;
RegOpenKey(HKEY_LOCAL_MACHINE, TEXT("SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows"), &hKey);
RegSetValueEx(hKey, TEXT("AppInit_DLLs"), 0, REG_SZ, (LPBYTE)"C:\\Malware.dll", 14);
RegCloseKey(hKey);

7. Rootkit Techniques

Explanation: Advanced malware may use rootkit techniques to hide its presence from the operating system, making it extremely difficult to detect or remove. Rootkit techniques involve complex manipulation of system internals, and their implementation cannot be adequately covered in this short code snippet.

Most Known Linux Persistence Locations

Here are some of the most common Linux persistence locations used by malware along with a brief explanation and a source code snippet showcasing each technique:

1. Cron Jobs

Explanation: Malware can create cron jobs, which are scheduled tasks that automatically run at specific intervals. By adding a malicious command to the cron table, malware ensures its persistence. For example:

# Add a malicious cron job
echo "* * * * * /usr/bin/malware" >> /etc/crontab

2. Systemd Units

Explanation: Malware can create systemd units, which are service files that define how a service should be started, stopped, and maintained. By creating a systemd unit, malware ensures its automatic execution. For example:

# Create a malicious systemd unit
[Unit]
Description=Malware

[Service]
ExecStart=/usr/bin/malware

[Install]
WantedBy=multi-user.target

3. Startup Scripts

Explanation: Malware can modify startup scripts, which are executed during the boot process. By inserting a malicious command into a startup script, malware ensures its execution upon system startup. For example:

# Insert a malicious command into a startup script
echo "/usr/bin/malware" >> /etc/rc.local

4. User Init Scripts

Explanation: Malware can modify user-specific initialization scripts, which are executed when a user logs in. By adding a malicious command to the user’s init script, malware ensures its persistence upon user login. For example:

# Add a malicious command to a user's init script
echo "/usr/bin/malware" >> ~/.bashrc

5. Shared Object Injection

Explanation: Malware can modify shared object files to inject malicious code into legitimate executables. By manipulating shared libraries, malware ensures its code is executed whenever the respective program is run. For example:

# Inject malicious code into a shared object file
gcc -shared -fPIC -o /usr/lib/libmylib.so /path/to/malware.c
echo "/usr/lib/libmylib.so" >> /etc/ld.so.preload

6. /etc/profile and /etc/bash.bashrc Modifications

Explanation: Malware can modify system-wide profile and bashrc files to execute malicious commands whenever a user logs in. By adding malicious code to these files, malware ensures its persistence for all users. For example:

# Modify /etc/profile to include a malicious command
echo "/usr/bin/malware" >> /etc/profile

# Modify /etc/bash.bashrc to include a malicious command
echo "/usr/bin/malware" >> /etc/bash.bashrc

7. /etc/ld.so.preload Manipulation

Explanation: Malware can modify the ld.so.preload file to specify shared libraries that should be loaded before others. By adding a malicious library to this file, malware ensures its code is executed by any program using the dynamic linker. For example:

# Manipulate /etc/ld.so.preload to load a malicious library
echo "/usr/lib/libmymalware.so" >> /etc/ld.so.preload

Conclusions

These are just a few examples of the numerous persistence locations used by malware in both Microsoft Windows and in most common Linux systems derived from my own analysis experience. It is crucial for individuals and organizations to proactively implement robust security measures and regularly update their systems to defend against evolving threats. Understanding these persistence techniques empowers us to better combat the relentless adversaries present in the ever-evolving landscape of cyber threats.

I did used AI as a tool to help me in writing some piece of code, and it has been cool !