Tag Archives: Malware Persistence

Techniques for Malware Persistence. Part 3.

Jake Williams: So, service failover is the next technique we’re going to talk about. Service failovers are all kinds of cool. We can take an existing service, a legitimate service; I think every forensics professional here knows you’ve got to go through the service – we’re not interested in that. We’re looking at using an actual service failover. So we’re going to piggyback on an existing service, maybe even something cool like antivirus – that’s a big one that you always want to attack. I always liked to attack an antivirus.

Techniques for Malware Persistence. Part 2.

Jake Williams: How many of you guys are government employees or card-carrying members of the infamous CatCard? Yeah, it’s cool – I wouldn’t raise my hand either. So, one of the emails that we got – this is really interesting – actually involved some of the CatCard reader software installed on the “Golden Images” all around some US Government organizations. And so, what turns out is when you put your card in, then it launches the program to handle it. Program.exe then not only executes at some time in the future, but at some time that we can social-engineer in the future. Maybe we social-engineer the user of the machine that we’ve left program.exe on, say: “Hey, do something that would require you to insert your CatCard at this point.” Or maybe they’ll just insert their CatCard to log on – and then again we’re right back in business: when it launches, their credentials can be stolen.

Wipe the Drive Dude! Techniques for Malware Persistence

Jake Williams: Hi! I’m Jake Williams. I’m a Principal Forensic Analyst for CSRgroup; I’m a SANS Forensics 610 Instructor – that’s, not surprisingly, malware. I’m doing research right now on cloud forensics, and I like to break poorly written software because…who doesn’t?