Persistence is a critical aspect of malware behavior that ensures the malicious software remains active and continues to execute after system reboots, user logouts, or even when detected by antivirus software.
Malware authors employ various techniques to achieve persistence, with “Die Hard Persistence” being one of the more sophisticated and resilient methods. Below, I’ll explore this technique alongside other common persistence mechanisms, with code examples where applicable.
1. Die Hard Persistence
Die Hard Persistence is a term often used to describe advanced malware persistence techniques that are extremely difficult to remove. These techniques involve multiple layers of redundancy and resilience, making it almost impossible to eradicate the malware without completely reformatting the system. Here’s a breakdown of some methods used under this umbrella:
A. Kernel-Level Rootkits
A kernel-level rootkit is a type of malware that operates with the highest privileges on the system (ring 0 in x86 architecture). It can hook system calls, modify kernel data structures, and remain hidden from detection tools.
Example: DKOM (Direct Kernel Object Manipulation)
This technique involves modifying the list of processes in the kernel to hide the malware process. Here’s a pseudocode example:
// Assuming we have a pointer to the kernel's process list: struct task_struct *prev_task = current_task->prev; struct task_struct *next_task = current_task->next; // Hide the process by unlinking it from the task list prev_task->next = next_task; next_task->prev = prev_task;
B. Firmware-Level Persistence
Malware can be embedded into firmware such as BIOS/UEFI, network card firmware, or hard drive firmware. This level of persistence is particularly resilient as it survives OS reinstallation.
Example: UEFI Malware
UEFI malware may write itself to the SPI flash memory, ensuring it is loaded every time the system boots. An example of this technique is the infamous “LoJax” malware:
# Example to read and write to UEFI firmware # This requires physical access or privilege escalation to access the UEFI settings # Dump UEFI firmware sudo flashrom -p internal -r uefi_firmware.bin # Modify the dumped firmware to include the malicious code (not shown here for brevity) # Write the modified firmware back sudo flashrom -p internal -w modified_uefi_firmware.bin
2. Registry-Based Persistence (Windows)
One of the most common persistence techniques involves creating or modifying registry keys to ensure malware executes on system startup.
Example: Adding an Entry to Run Key
# This command adds a registry entry to run a script on startup Set-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Run" -Name "MyMalware" -Value "C:\malicious\script.ps1"
3. Scheduled Tasks (Windows)
Malware can create scheduled tasks to execute at regular intervals or at startup, ensuring persistence.
Example: Creating a Scheduled Task
# Create a scheduled task that runs a script every hour $action = New-ScheduledTaskAction -Execute "powershell.exe" -Argument "C:\malicious\script.ps1" $trigger = New-ScheduledTaskTrigger -Hourly -At "00:00" Register-ScheduledTask -Action $action -Trigger $trigger -TaskName "MyMalwareTask"
4. Launch Daemons and Agents (macOS)
On macOS, malware can achieve persistence by installing launch daemons or agents.
Example: Creating a Launch Daemon
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>Label</key>
<string>com.my.malware</string>
<key>ProgramArguments</key>
<array>
<string>/path/to/malware</string>
</array>
<key>RunAtLoad</key>
<true/>
</dict>
</plist>Save this as com.my.malware.plist in /Library/LaunchDaemons/ to ensure the malware runs on startup.
5. Browser Extensions
Malware can also persist by installing itself as a browser extension. This method is particularly stealthy because it leverages the browser’s functionality to run malicious code.
Example: Malicious Chrome Extension
{
"manifest_version": 2,
"name": "MyMaliciousExtension",
"version": "1.0",
"background": {
"scripts": ["background.js"]
},
"permissions": ["tabs", "<all_urls>"],
"browser_action": {
"default_popup": "popup.html"
}
}The background.js could contain code to inject scripts into every webpage visited.
6. WMI Event Subscription (Windows)
Windows Management Instrumentation (WMI) can be used to create event subscriptions that execute a script or binary whenever a specific event occurs (e.g., user login).
Example: Creating a WMI Subscription
$filter = Set-WmiInstance -Namespace "root\subscription" -Class __EventFilter -Arguments @{
Name = "MyFilter"
EventNamespace = "root\cimv2"
QueryLanguage = "WQL"
Query = "SELECT * FROM __InstanceCreationEvent WITHIN 10 WHERE TargetInstance ISA 'Win32_Process'"
}
$consumer = Set-WmiInstance -Namespace "root\subscription" -Class CommandLineEventConsumer -Arguments @{
Name = "MyConsumer"
CommandLineTemplate = "powershell.exe -ExecutionPolicy Bypass -File C:\malicious\script.ps1"
}
Set-WmiInstance -Namespace "root\subscription" -Class __FilterToConsumerBinding -Arguments @{
Filter = $filter
Consumer = $consumer
}Great! Let’s dive into methods for detecting and removing persistent threats and how advanced Endpoint Detection and Response (EDR) solutions combat these techniques.
Detecting and Removing Persistent Threats
1.Manual Inspection Techniques
Registry Monitoring (Windows):
Regularly monitor critical registry keys where malware typically establishes persistence, such as:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunHKLM\Software\Microsoft\Windows\CurrentVersion\Run
You can use PowerShell to check for unusual entries:
Get-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Run" |
Where-Object { $_.PSChildName -ne "ExpectedProgram" }- File Integrity Monitoring: Use tools like Tripwire or OSSEC to monitor file integrity, especially in system directories and known startup paths.
Scheduled Tasks Analysis:
List all scheduled tasks to identify any unauthorized or suspicious tasks:
Get-ScheduledTask | Where-Object {$_.TaskName -notlike "*Microsoft*"} | Format-Table TaskName, State, Actions
WMI Persistence Detection:
WMI event subscriptions can be tricky to find. Use wmic or PowerShell to list subscriptions:
Get-WmiObject -Namespace root\subscription -Class __FilterToConsumerBinding
2.Automated Detection Techniques
Anti-Malware and EDR Solutions:
Advanced EDR tools such as CrowdStrike Falcon, Carbon Black, or Microsoft Defender ATP use behavioral analysis and threat intelligence to detect persistence mechanisms. These tools monitor system changes, unusual process behaviors, and network activity to flag potential threats.
YARA Rules:
Use YARA rules to scan for specific malware signatures or behaviors. YARA rules can be customized to detect specific persistence techniques by matching known patterns in files, processes, or registry entries.
rule Detect_Persistence_Technique {
strings:
$s1 = "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run"
$s2 = "CreateService"
condition:
any of ($s*)
}3.Firmware Analysis Tools:
Detecting firmware-level persistence requires specialized tools:
- Chipsec: An open-source framework for analyzing firmware, including UEFI, to detect modifications.
- UEFITool: Useful for inspecting and modifying UEFI firmware images.
Example of using Chipsec:
sudo chipsec_main.py -m uefi --no-driver
4.Mitigation and Remediation
- System Hardening:
- Implement security best practices, such as Least Privilege and Application Whitelisting.
- Regularly patch and update systems to close vulnerabilities that malware exploits for persistence.
- Rootkit Removal Tools: Tools like GMER and Malwarebytes Anti-Rootkit can help identify and remove rootkits that persist through kernel-level access.
- UEFI/BIOS Reflashing: If malware has infected the firmware, a BIOS/UEFI reflash with a clean image is necessary to remove it.
- Advanced Cleaning Techniques:
- Safe Mode: Booting in Safe Mode can disable some persistence mechanisms, allowing for easier removal.
- Offline Scanning: Use tools like Windows Defender Offline or Kaspersky Rescue Disk to scan the system without the OS running.
5.Advanced EDR Solutions in Action
- Behavioral Analysis:
- EDR solutions continuously monitor processes and network activity. Unusual behavior like new processes starting at boot time, modifications to the system registry, or unauthorized creation of scheduled tasks are flagged as suspicious.
- Incident Response and Forensics:
- EDR tools provide detailed logs and forensic data, enabling rapid investigation of how a threat entered the system, where it has spread, and what persistence mechanisms it employed.
- Some tools, like FireEye HX, allow live memory analysis to detect and remove in-memory threats that don’t leave traces on disk.
- Machine Learning and Threat Intelligence:
- EDRs use machine learning models trained on vast datasets to detect anomalies that indicate persistent malware.
- They integrate with threat intelligence feeds to stay updated on the latest persistence techniques used in the wild.
Malware persistence techniques range from simple registry entries to complex firmware modifications. Understanding these methods is crucial for both defending against and remediating infections. The examples provided offer a glimpse into how attackers ensure their malware continues to operate, evading detection and removal efforts.
Detecting and removing persistent threats requires a combination of manual inspection, automated tools, and a well-implemented EDR solution. While some techniques can be managed with basic tools, sophisticated threats often require advanced analysis and remediation steps.
