14

I know that if you were to gain access to a system and restart it, an implanted backdoor would be killed. Or if you were to locate the backdoor in Task Manager you would be able to kill it. However, I'm interested to know, other than adding to the Windows registry and the startup folder, how else could a backdoor gain persistence?

6
  • 4
    Removing the registry as the central configuration point of Windows from the options, there is not much left; a service could be added, but that's in the registry. This only leaves patching the code into executables that get executed on startup.
    – Tobi Nary
    Commented Oct 4, 2017 at 8:13
  • 1
    @SmokeDispenser sounds like a well-formed answer (also implanting into firmware)
    – schroeder
    Commented Oct 4, 2017 at 8:51
  • Look into rootkits, this is basically covering this in the most general sense.
    – Vality
    Commented Oct 4, 2017 at 22:40
    The Start-up folder in the Windows start menu still works, as far as restarting the PC is concerned. If you had two different executables teaming up to keep each other running, they become a lot harder to kill as well.
    – Shadow
    Commented Oct 4, 2017 at 23:00
  • There are a lot of not-obvious places in the registry that can be used for persistence; don't just assume it's the Run/RunOnce type keys.
    – Joe
    Commented Oct 5, 2017 at 12:08

3 Answers

23

You just need a way of reliably starting the process after the machine has booted.

This can range from:

  • asking Windows or another process to start it on boot (service, startup application, etc.)
  • Replacing or patching an executable or library known to be called at or soon after boot. This can include drivers.
  • Hijacking a common user action, for example modifying Google Chrome shortcuts to launch your own process (which in turn starts the original application to stop the user realizing).
  • Replacing or patching the BIOS or firmware running on a hardware device.
  • Using a bootkit or hypervisor to start your code before the operating system.
  • A physical, hardware-based attack, something like a malicious RAM module that injects code.

You can also do things like modify the firewall and service settings to allow reinfection remotely.

7
  • 4
    Or the process could be started before the OS boots, as with firmware, bootkit, blue pill (virtualisation) and other similar attacks. Some of these require physical access, but all are much harder to detect and remove.
    – timuzhti
    Commented Oct 4, 2017 at 12:26
    Adding a local user, changing firewall settings, replacing a binary, adding CA certs...
    – symcbean
    Commented Oct 4, 2017 at 15:13
  • 2
    The hard drive BIOS hack was a pretty neat way to subvert the system checks. The virus would infect an executable on the fly as it was loaded from the hard drive. - wired.com/2015/02/nsa-firmware-hacking
    – KalleMP
    Commented Oct 4, 2017 at 20:28
  • @KalleMP: Was, or is?
    – user541686
    Commented Oct 4, 2017 at 22:44
    Or by having an external service that reconnects with the hacked device using information obtained by the first breach (obtain password => SSH into the device at regular intervals, re-enabling the backdoor).
    – Thijser
    Commented Oct 5, 2017 at 12:02
7

Persistence is always the central point of any infection. To keep it simple, in addition to the use of the Windows Registry (since you seem to be talking only about Windows targets), malware can use these techniques in order to persist:

And the list can grow to infinity; it's all about how clever the developers are :)

1

You can get an idea of the many different ways of autostarting something by checking out the tabs that the free Autoruns utility has (from SysInternals/Microsoft, available at https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns).

See below the number of tabs in this screenshot from the MSDN doc page; I can count 18 tabs apart from the "Everything" one.

https://docs.microsoft.com/en-us/media/landing/sysinternals/autoruns_v13.png
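The accepted answer lists the autostart paths a backdoor can use (Run keys, startup folders, services, hijacked shortcuts) and the last answer points at Autoruns as the tool that enumerates them. The script below is an added example from a defender's side, not code from any of the answers or from the Autoruns project: it sweeps four of the autostart locations named on this page (HKLM/HKCU Run and RunOnce keys, both startup folders, auto-start services and enabled scheduled tasks) and flags entries whose executable lives in a user-writable directory, no longer exists on disk, or fails Authenticode validation. The `$SuspiciousDirs` list and the `Get-ImagePath` quoting heuristic are constructed assumptions for the example, not an authoritative rule set; run it in an elevated PowerShell 5.1 or later session.

```powershell
# Added example: a small Autoruns-style sweep of common Windows autostart
# locations. Assumptions: elevated PowerShell 5.1+; the directory list below
# is a constructed heuristic, not a complete or authoritative catalogue.
$SuspiciousDirs = @('\AppData\Local\Temp\', '\Windows\Temp\', '\Users\Public\', '\ProgramData\')

function Get-ImagePath {
    # Reduce a command line such as '"C:\x\y.exe" -k net' to its executable path.
    param([string]$CommandLine)
    if ([string]::IsNullOrWhiteSpace($CommandLine)) { return $null }
    $expanded = [Environment]::ExpandEnvironmentVariables($CommandLine.Trim())
    if ($expanded -match '^"([^"]+)"') { return $Matches[1] }
    return ($expanded -split '\s+')[0]
}

function Get-AutostartEntries {
    $entries = New-Object System.Collections.Generic.List[object]
    function Add-Entry($Source, $Name, $Command) {
        $entries.Add([pscustomobject]@{ Source = $Source; Name = $Name; Command = $Command })
    }

    # 1. Run / RunOnce keys (the locations the question already mentions).
    $runKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
            # Skip the PSPath/PSParentPath/... metadata properties PowerShell adds.
            if ($p.Name -notmatch '^PS') { Add-Entry $key $p.Name $p.Value }
        }
    }

    # 2. Per-user and all-users Startup folders.
    foreach ($folder in @('Startup', 'CommonStartup')) {
        $dir = [Environment]::GetFolderPath($folder)
        if ($dir -and (Test-Path $dir)) {
            Get-ChildItem -Path $dir -File | ForEach-Object { Add-Entry $dir $_.Name $_.FullName }
        }
    }

    # 3. Services configured to start automatically at boot.
    Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.StartMode -eq 'Auto' } |
        ForEach-Object { Add-Entry 'Service' $_.Name $_.PathName }

    # 4. Enabled scheduled tasks and the commands their actions run.
    Get-ScheduledTask | Where-Object { $_.State -ne 'Disabled' } | ForEach-Object {
        foreach ($action in $_.Actions) {
            if ($action.Execute) {
                Add-Entry "Task:$($_.TaskPath)" $_.TaskName (($action.Execute + ' ' + $action.Arguments).Trim())
            }
        }
    }
    return $entries
}

function Test-SuspiciousEntry {
    # Returns the reasons an entry deserves a closer look, or an empty list.
    param([pscustomobject]$Entry)
    $reasons = @()
    $image = Get-ImagePath $Entry.Command
    if (-not $image) { return $reasons }
    foreach ($d in $SuspiciousDirs) {
        if ($image -like "*$d*") { $reasons += "image under user-writable path $d" }
    }
    if (-not (Test-Path -LiteralPath $image)) {
        $reasons += 'image file not found on disk'
    } else {
        $sig = Get-AuthenticodeSignature -FilePath $image
        if ($sig.Status -ne 'Valid') { $reasons += "signature status $($sig.Status)" }
    }
    return $reasons
}

function Get-AutostartReport {
    foreach ($e in Get-AutostartEntries) {
        $why = Test-SuspiciousEntry $e
        if ($why.Count -gt 0) {
            [pscustomobject]@{ Source = $e.Source; Name = $e.Name; Command = $e.Command; Reasons = ($why -join '; ') }
        }
    }
}

Get-AutostartReport | Format-Table -AutoSize -Wrap
```

Treat the output as a triage list rather than a verdict: legitimate software is sometimes unsigned or installed under ProgramData, and the script covers only four of Autoruns' eighteen tabs (it does not look at drivers, Winlogon, image file execution options, shortcut targets or firmware, which the answers above also name), so a clean report does not rule out the deeper mechanisms in the accepted answer's list.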
