
Finding auto-starting malware in Windows


Persistency in Windows


In Windows, malware has many options to autostart, including methods similar to those used in DOS, such as hijacking the boot sector and infecting system files. Although both methods are still applicable, the twist is that the boot-sector code and the file-infecting mechanism must conform to Windows. A boot virus written for DOS will not work on modern Windows; the same goes for infection routines.


Autoexec.bat is no longer used in Windows. Its equivalent is the StartUp folder, where executables, or links to executables, are placed if they need to autostart. Windows also has a Task Scheduler that malware can use. The Microsoft Task Scheduler lets a user schedule tasks to automate the periodic execution of a program, such as the Disk Defragmenter, which can be scheduled to run every Sunday at 3:00 a.m. Malware abuses this by setting itself up as a scheduled task. It can then choose to run at every bootup, upon logon, one time only, or on a periodic basis such as daily, weekly, or monthly.


Besides these autostart options, which are especially useful to noninfecting malware, malware can also use key configuration settings found in the Windows registry. As defined by Microsoft, the registry is a database where Windows stores its configuration information. It contains profiles for each user of the computer and information about system hardware, installed programs, and property settings. Windows continually references this information during its operation. So for Windows malware to autostart at every bootup, it needs to modify entries in the Windows registry to achieve persistency. It does this by adding its own registry value under a specific registry key to get the result it wants.


Depending on the nature of the malware and how it wants to operate, the registry offers the following commonly used options that let the malware set when or how it will start up:


  • Boot execution
    • HKLM\System\CurrentControlSet\Control\Session Manager
  • Loading of driver and services
    • HKLM\System\CurrentControlSet\Services
  • Upon logon
    • HKLM\Software\Microsoft\Windows\CurrentVersion\Run
    • HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
    • HKLM\Software\Microsoft\Active Setup\Installed Components
  • Loading of Explorer shell extensions
    • HKLM\Software\Classes\*\ShellEx\ContextMenuHandlers
    • HKLM\Software\Classes\Directory\ShellEx\ContextMenuHandlers
    • HKLM\Software\Classes\Directory\ShellEx\DragDropHandlers
    • HKLM\Software\Classes\Folder\ShellEx\ContextMenuHandlers
    • HKLM\Software\Classes\Folder\ShellEx\DragDropHandlers
  • Loading of browser extensions
    • HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
    • HKLM\Software\Microsoft\Internet Explorer\Extensions
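The following PowerShell script is an added example, not part of the book excerpt, that walks the registry locations listed above together with the Startup folders and Task Scheduler from the earlier paragraphs, and reports what each autostart entry would execute. It is read-only. It assumes an elevated prompt on Windows 8 / Server 2012 or later (for `Get-ScheduledTask`), and it adds the HKCU counterparts of the Run/RunOnce keys, which the excerpt does not list. The "outside the Windows directory" filter on services and the resolution of shell-extension CLSIDs through `InprocServer32` are triage heuristics chosen here, not something the excerpt prescribes.

```powershell
# Added example (not from the book excerpt): read-only triage of the autostart locations
# the article lists, plus the Startup folders and Task Scheduler. Run from an elevated
# PowerShell prompt on Windows 8 / Server 2012 or later (Get-ScheduledTask needs the
# ScheduledTasks module). Every hit is emitted as an object so the result can be
# exported and compared against a known-good baseline of the same machine type.

function New-Finding($Source, $Location, $Name, $Command) {
    [pscustomobject]@{ Source = $Source; Location = $Location; Name = $Name; Command = $Command }
}

function Get-RegistryAutostart {
    # Run / RunOnce: each value under the key is a command line executed at logon.
    # The HKCU counterparts are an assumption added here; the excerpt lists only HKLM.
    $runKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
               'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
               'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
               'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    foreach ($key in $runKeys) {
        $k = Get-Item -LiteralPath $key -ErrorAction SilentlyContinue
        if (-not $k) { continue }
        foreach ($name in $k.GetValueNames()) { New-Finding 'Run key' $key $name $k.GetValue($name) }
    }

    # Boot execution: BootExecute under Session Manager is run by smss.exe before logon.
    # The stock content is 'autocheck autochk *'; report anything else.
    $sm = Get-ItemProperty -LiteralPath 'HKLM:\System\CurrentControlSet\Control\Session Manager' -ErrorAction SilentlyContinue
    foreach ($entry in @($sm.BootExecute)) {
        if ($entry -and $entry -ne 'autocheck autochk *') { New-Finding 'BootExecute' 'Session Manager' 'BootExecute' $entry }
    }

    # Active Setup: each component's StubPath runs once per user at logon.
    Get-ChildItem -LiteralPath 'HKLM:\Software\Microsoft\Active Setup\Installed Components' -ErrorAction SilentlyContinue |
        ForEach-Object {
            $stub = (Get-ItemProperty -LiteralPath $_.PSPath).StubPath
            if ($stub) { New-Finding 'Active Setup' $_.PSChildName 'StubPath' $stub }
        }

    # Drivers and services: auto-starting entries (Start 0..2 = boot/system/automatic) whose
    # binary lives outside the Windows directory. A heuristic to shorten the list, not proof
    # of anything; drop the path test to see every auto-start service.
    Get-ChildItem -LiteralPath 'HKLM:\System\CurrentControlSet\Services' -ErrorAction SilentlyContinue |
        ForEach-Object {
            $svc = Get-ItemProperty -LiteralPath $_.PSPath -ErrorAction SilentlyContinue
            if ($svc.ImagePath -and $null -ne $svc.Start -and $svc.Start -le 2) {
                $img = [Environment]::ExpandEnvironmentVariables($svc.ImagePath)
                if ($img -notmatch '(?i)(\\SystemRoot\\|\\Windows\\|^system32\\)') {
                    New-Finding 'Service' $_.PSChildName "Start=$($svc.Start)" $img
                }
            }
        }
}

function Get-ShellExtensionAutostart {
    # Explorer and browser extensions are registered by CLSID; the DLL that actually gets
    # loaded is the default value of that CLSID's InprocServer32 key, so resolve each one.
    $hookKeys = 'HKLM:\Software\Classes\*\ShellEx\ContextMenuHandlers',
                'HKLM:\Software\Classes\Directory\ShellEx\ContextMenuHandlers',
                'HKLM:\Software\Classes\Directory\ShellEx\DragDropHandlers',
                'HKLM:\Software\Classes\Folder\ShellEx\ContextMenuHandlers',
                'HKLM:\Software\Classes\Folder\ShellEx\DragDropHandlers',
                'HKLM:\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
                'HKLM:\Software\Microsoft\Internet Explorer\Extensions'
    foreach ($key in $hookKeys) {   # -LiteralPath because '*' is a real key name here, not a wildcard
        Get-ChildItem -LiteralPath $key -ErrorAction SilentlyContinue | ForEach-Object {
            # a handler subkey is either named by its CLSID or stores the CLSID as its default value
            $clsid = $_.PSChildName
            if ($clsid -notmatch '^\{.+\}$') { $clsid = (Get-ItemProperty -LiteralPath $_.PSPath).'(default)' }
            $dll = $null
            if ($clsid) {
                $dll = (Get-ItemProperty -LiteralPath "HKLM:\Software\Classes\CLSID\$clsid\InprocServer32" -ErrorAction SilentlyContinue).'(default)'
            }
            New-Finding 'Shell/browser ext' $key $_.PSChildName $dll
        }
    }
}

function Get-StartupFolderItems {
    # The Startup folders are the autoexec.bat replacement: anything here runs at logon.
    foreach ($folder in 'Startup', 'CommonStartup') {
        $path = [Environment]::GetFolderPath($folder)
        Get-ChildItem -LiteralPath $path -Force -ErrorAction SilentlyContinue |
            Where-Object { $_.Name -ne 'desktop.ini' } | ForEach-Object {
                $target = $_.FullName
                if ($_.Extension -eq '.lnk') {   # resolve shortcuts to the executable they point at
                    $target = (New-Object -ComObject WScript.Shell).CreateShortcut($_.FullName).TargetPath
                }
                New-Finding 'Startup folder' $path $_.Name $target
            }
    }
}

function Get-TaskSchedulerAutostart {
    # Report what every enabled task executes and on which trigger (Boot, Logon, Time, Daily, ...).
    Get-ScheduledTask -ErrorAction SilentlyContinue | Where-Object State -ne 'Disabled' | ForEach-Object {
        $task = $_
        $when = ($task.Triggers | ForEach-Object { $_.CimClass.CimClassName -replace '^MSFT_Task', '' }) -join ','
        foreach ($a in $task.Actions) {
            if ($a.Execute) { New-Finding "Task [$when]" $task.TaskPath $task.TaskName "$($a.Execute) $($a.Arguments)".Trim() }
        }
    }
}

$findings = @(Get-RegistryAutostart) + @(Get-ShellExtensionAutostart) + @(Get-StartupFolderItems) + @(Get-TaskSchedulerAutostart)
$findings | Sort-Object Source, Location | Format-Table -AutoSize -Wrap
# $findings | Export-Csv .\autostarts.csv -NoTypeInformation   # keep as a baseline to diff against later
```

The output is deliberately a flat list of objects rather than a verdict: on a real machine most entries are legitimate, and the useful step is exporting the list once from a clean build and diffing later runs against it, so that a new Run value, an unfamiliar StubPath, a service pointing into a user-writable directory, or a task with a Logon trigger stands out without anyone reading hundreds of rows by hand.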


This article is an excerpt from Malware, Rootkits & Botnets: A Beginner’s Guide published by McGraw Hill. Visit Amazon to purchase the book.

All information in this article is copyrighted by McGraw Hill and is reprinted here by express permission of the publisher.
