Master's Thesis

Malware Persistence Mechanisms

In the public imagination, cybersecurity is very much about malware, even though malware constitutes only part of the threats that cybersecurity professionals face. Nevertheless, malware remains one of the most effective means of gaining persistent access to, and control of, a target system. There are many ways to deploy malware onto a target system; a common one is a well-crafted, socially engineered phishing attack that deceives a user and thereby gains a foothold on the system. Once the attacker has a beachhead in the victim's network, it can be used to download additional payloads and exploit further vulnerabilities, extending the attacker's control and access within the network. With malware as their foothold, attackers are able to conduct reconnaissance, gather intelligence (e.g., exfiltrate intellectual property), or simply inflict damage or extort the victim (e.g., ransomware). All of this must be done in a way that lets the attacker retain access for as long as possible; the ability to do so is called persistence, and this thesis examines some of the techniques malware authors use to achieve persistence in an ever-evolving landscape. In the second section of this thesis we propose an architecture for detecting malware persistence mechanisms and give examples that detect the malware covered in the first section.