Wipe The Drive!!! - Techniques For Malware Persistence presented at Shmoocon 2013

by Mark Baggett and Jake Williams

Summary: Let’s face it: sooner or later you will be owned. As a security professional, you (should) know that the best plan is to format the system drive, reinstall the operating system, and start over. But management has another plan. They know that rebuilding infrastructure from scratch involves costly downtime. The temptation to remove the obvious malware and declare the system clean is strong.
In this session, we’ll demonstrate eight less-than-obvious techniques that can be used to install secondary persistence mechanisms on a compromised Windows system.
The point of the session is not to address specific techniques that can be used as secondary persistence mechanisms by malicious actors. The idea is to conclusively demonstrate that techniques of this type exist, hiding deep in the registry and other system settings. We will show that these techniques hide even from memory forensics, the holy grail of “clean system” confirmation.
While we do not consider it a substitute for formatting the drive and reinstalling the operating system, we will be releasing a script that checks for the use of these specific techniques.