A security researcher from Norway has discovered a new trick that lets malware survive a reboot on an infected system.
In infosec circles the term for this is "persistence": a malware strain's ability to start right back up after the system is restarted.
There are various ways in which malware authors obtain boot persistence, such as modifying boot sectors, hijacking the Windows COM system, or hijacking DLLs and shortcut files.
But by far the most popular method remains the Windows Registry: adding entries (such as the well-known Run keys) that launch the malware's executable when the user logs on.
Oddvar Moe, a Norwegian blogger and Windows security specialist, has recently discovered a new and somewhat clever way of abusing the Windows Registry to trick Windows into running a malware’s process after a boot-up.
Moe's method only works on Windows 10, and only with apps built for the Universal Windows Platform (UWP), the app runtime that Microsoft introduced with Windows 10 in 2015.
In an interview with ZDNet, Moe said the technique should work with any UWP app, but it is only useful as a persistence mechanism with UWP apps that Windows 10 starts automatically after boot-up, such as Cortana and the People app.
"If an attacker targets other apps, the user needs to run that app manually for it to run the planted binary," Moe told ZDNet regarding using the technique with non-startup UWP apps.
The trick, according to Moe, is that right after infecting a system, a malware strain can add a registry key that changes the targeted UWP app's debug settings.
The next time the user reboots their computer and the app starts, this registry key tells Windows to launch the app under a debugger, and names the debugger executable that should be run alongside it. The feature exists so that a developer can see what is going wrong inside a UWP app.
But, Moe says, Windows does not check that the configured "debugger" is actually a debugger: malware authors can point that setting at anything they want, including the malware's own executable, and Windows will run it whenever the app starts.
And there are some benefits to Moe's method. The biggest is that a hijacked Cortana or People app does not show up in the Windows 10 list of auto-running apps (the Autorun list): the legitimate app remains the only startup entry, and the planted path is stored as that app's debugger rather than as a startup item, hiding it from the view of watchful sysadmins.
Furthermore, the technique does not need admin privileges to add the registry keys it needs, since they live in the current user's part of the registry. All an attacker needs to do is infect a user, either via social engineering or a drive-by download.
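Because the hijacked app itself is a legitimate startup entry, the useful check is to look at the debugger registration rather than at the startup list. The following PowerShell audit script is an added example; it is not code from the ZDNet article or from Moe's write-up. It assumes (from my reading of the write-up; verify against it) that the abused location is the per-user key `HKCU\Software\Classes\ActivatableClasses\Package\<PackageFullName>\DebugInformation\<AppId>` and that the debugger command is stored in a string value named `DebugPath`. The function name `Get-UwpDebugPath` is my own.

```powershell
# Added example (not from the ZDNet article or Oddvar Moe's write-up).
# Audits the per-user UWP debugger registration location that Moe's technique abuses,
# as assumed here from his write-up:
#   HKCU\Software\Classes\ActivatableClasses\Package\<PackageFullName>\DebugInformation\<AppId>
#   value "DebugPath" (REG_SZ) = command Windows launches as the app's debugger.
# On a machine that is not used for UWP development there should normally be no
# DebugPath values at all, so every hit deserves a look.

$UwpPackageRoot = 'HKCU:\Software\Classes\ActivatableClasses\Package'

function Get-UwpDebugPath {
    [CmdletBinding()]
    param(
        # Pass 'HKLM:\Software\Classes\ActivatableClasses\Package' to audit the
        # machine-wide hive as well (requires the right to read it).
        [string]$Root = $UwpPackageRoot
    )

    if (-not (Test-Path -LiteralPath $Root)) { return }

    foreach ($pkg in Get-ChildItem -LiteralPath $Root -ErrorAction SilentlyContinue) {
        $dbgKey = $pkg.PSPath + '\DebugInformation'
        if (-not (Test-Path -LiteralPath $dbgKey)) { continue }

        foreach ($app in Get-ChildItem -LiteralPath $dbgKey -ErrorAction SilentlyContinue) {
            $props = Get-ItemProperty -LiteralPath $app.PSPath -ErrorAction SilentlyContinue
            $debugPath = $props.DebugPath
            if ([string]::IsNullOrWhiteSpace($debugPath)) { continue }

            # DebugPath may carry arguments; extract the executable (quoted or first token).
            $exe = if ($debugPath.Trim().StartsWith('"')) {
                $debugPath.Trim().Split('"')[1]
            } else {
                ($debugPath.Trim() -split '\s+')[0]
            }

            $exists = Test-Path -LiteralPath $exe -PathType Leaf
            $sigStatus = if ($exists) {
                (Get-AuthenticodeSignature -FilePath $exe).Status.ToString()
            } else {
                'FileMissing'
            }

            [pscustomobject]@{
                Package    = $pkg.PSChildName
                AppId      = $app.PSChildName
                DebugPath  = $debugPath
                Executable = $exe
                Signature  = $sigStatus
                # Anything that is not a validly signed binary is flagged for review.
                Suspicious = ($sigStatus -ne 'Valid')
            }
        }
    }
}

# Usage: list every registered UWP "debugger" for the current user.
Get-UwpDebugPath | Format-Table -AutoSize
```

Treat a valid Authenticode signature as a triage aid, not a verdict: a signed but abusable binary (a script host, for example) pointed at a malicious script would still pass the signature check, so review the full `DebugPath` command line, not just the executable. The same location can be watched for writes by Sysmon or the OS registry auditing if you want detection rather than a point-in-time audit.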
The researcher says that he contacted Microsoft about his finding, but since the technique relies on malware already having a foothold on the system, his report was not classified as a security issue and was not scheduled for an immediate fix.
Depending on the complexity and features of your security software, some antivirus products may detect malware abusing this technique. But if the antivirus is not catching the original malware, or the malicious code that is already running on the system and making the registry modification, then that antivirus has a bigger problem than this one persistence trick.
“It depends on the payload. If the payload is something that is not detected by AV it is not likely that it will trigger,” Moe told us.
For ZDNet readers interested in finding out which registry keys this technique abuses, more details are available in Moe's technical write-up.
"I do believe that this registry location was not known by anyone up until the point I released my blog post," Moe told ZDNet today.