At Guidance Software, we’re honored to train and work alongside information security teams inside numerous global corporations and government agencies. This gives us an ideal vantage point from which to learn and incorporate the latest intelligence on attack methods and best practices for incident response. So here’s a look at what we’ve gleaned from this year’s barrage of cyber-attacks.
The ultimate goal for malware authors is to have their code run every time a computer starts while leaving no trace on the disk for us to find. Let me reassure you that it hasn’t happened just yet, at least not that I have seen. There have been plenty of examples over the years that have taken advantage of clever techniques to disguise their disk-based homes, but that’s just it: disguise!
A couple of recent posts on “Poweliks” here and here shed light on the creative measures attackers use to store malware in the Windows Registry. In short, one registry value executes an encoded script stored in another registry value, and that script then drops a file on disk for execution.
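As an added, defender-side illustration (not code from the original post, and not Poweliks’ real key or value names, which are hypothetical here), this Python check walks a constructed registry export and flags the two shapes just described: an autostart value that points at other registry data, and a value holding a long, high-entropy encoded blob where a script could live.

```python
import base64
import math
import re

# Constructed .reg-style export. Key and value names are hypothetical (not from
# Poweliks or any real sample); the blob is base64 of a byte ramp, standing in
# for an encoded script stored in a registry value.
ENCODED_BLOB = base64.b64encode(bytes(range(256)) * 2).decode()
SAMPLE_REG = (
    r'[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]' "\n"
    r'"Updater"="C:\\Program Files\\Vendor\\updater.exe /quiet"' "\n"
    r'"Loader"="C:\\Tools\\launch.exe /script HKCU\\Software\\Example\\Stage"' "\n"
    "\n"
    r'[HKEY_CURRENT_USER\Software\Example]' "\n"
    f'"Stage"="{ENCODED_BLOB}"' "\n"
)

KEY_RE = re.compile(r'^\[(.+)\]$')
VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"$')
REG_PATH_RE = re.compile(r'(HKEY_[A-Z_]+|HKCU|HKLM|HKU)\\')
B64_RE = re.compile(r'^[A-Za-z0-9+/]{64,}={0,2}$')

def shannon_entropy(s):
    """Bits per character; base64 text of varied bytes sits near 6.0."""
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def parse_reg(text):
    """Yield (key, value_name, data) for string values in a .reg export."""
    key = None
    for line in text.splitlines():
        m = KEY_RE.match(line.strip())
        if m:
            key = m.group(1)
            continue
        m = VALUE_RE.match(line.strip())
        if m and key:
            yield key, m.group(1), m.group(2)

def scan_reg_export(text, entropy_threshold=4.5):
    """Flag Run/RunOnce values that reference registry data, and any value
    holding a long high-entropy base64 blob (an encoded script's likely shape)."""
    findings = []
    for key, name, data in parse_reg(text):
        if key.upper().endswith(("\\RUN", "\\RUNONCE")) and REG_PATH_RE.search(data):
            findings.append((key, name, "autostart value references registry data"))
        if B64_RE.match(data) and shannon_entropy(data) > entropy_threshold:
            findings.append((key, name, "long high-entropy base64 blob"))
    return findings
```

Against a real export, treat each finding as a lead to pull the referenced value and decode it in a forensic tool, not as a verdict on its own.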