Rootkit components may be delivered as embedded components within the initial malware payload as described earlier, or downloaded as secondary stages following initial malware infection. Services implemented by rootkit components include but are not limited to process hiding, file hiding, key logging, and network socket hiding.
Persistence Measures
Most malware takes steps to ensure that it will continue to run even after a system has been restarted. Achieving some degree of persistence eliminates the need to reinfect a machine every time it is rebooted. As with other malware behaviors, the manner in which persistence is achieved has grown more sophisticated over time.

The most basic forms of persistence are achieved by adding commands to system startup scripts that cause the malware to execute. On Windows systems this evolved into making specific registry modifications to achieve the same effect.
NOTE The Windows registry is a collection of system configuration values that detail the hardware and software configuration for a given computer. A registry contains keys, which loosely equate to directories; values, which loosely equate to files; and data, which loosely equates to the content of those files.
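As an added example (not code from the book), the following Python script shows how a defender can audit the registry-based autostart mechanism just described. It parses a constructed .reg export of the per-machine and per-user `...\CurrentVersion\Run` keys (the key paths are the well-known Windows Run keys; every entry, user name and path in the sample is made up for this illustration) and flags values whose executable sits in a user-writable directory or borrows the name of a Windows system binary while living outside the Windows directory. The heuristics and marker lists are the example's own assumptions, not a complete detection rule.

```python
import re
from dataclasses import dataclass, field
from typing import List

# Constructed sample in the shape of a Windows .reg export of the two classic
# autostart keys. The entries are invented for this example; only the key paths
# are the real HKLM/HKCU ...\CurrentVersion\Run locations.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="%windir%\\system32\\SecurityHealthSystray.exe"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"Updater"="C:\\Users\\alice\\AppData\\Local\\Temp\\svchost.exe"
"WinHelper"="\"C:\\Users\\Public\\winhelp.exe\" -s"
'''


@dataclass
class AutostartEntry:
    key: str                 # registry key (loosely, the "directory")
    name: str                # value name (loosely, the "file")
    command: str             # value data (the "file content"): command run at logon
    executable: str = ''
    reasons: List[str] = field(default_factory=list)


KEY_RE = re.compile(r'^\[(.+)\]$')
# "name"="data" lines; both sides may contain \\ and \" escape sequences.
STRING_VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')


def unescape_reg(s: str) -> str:
    # Undo .reg escaping in one left-to-right pass: a doubled backslash
    # becomes one backslash and an escaped quote becomes a quote.
    return re.sub(r'\\(.)', r'\1', s)


def parse_run_keys(reg_text: str) -> List[AutostartEntry]:
    # Collect string values under any key whose path ends in CurrentVersion\Run.
    entries, current_key = [], None
    for raw in reg_text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            current_key = m.group(1)
            continue
        m = STRING_VALUE_RE.match(line)
        if m and current_key and current_key.lower().endswith('\\currentversion\\run'):
            entries.append(AutostartEntry(current_key,
                                          unescape_reg(m.group(1)),
                                          unescape_reg(m.group(2))))
    return entries


def executable_path(command: str) -> str:
    # Pull the program path out of a Run-key command line: a quoted path,
    # an unquoted path ending in .exe, or failing that the first token.
    cmd = command.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.match(r'(.+?\.exe)(?:\s|$)', cmd, re.IGNORECASE)
    return m.group(1) if m else cmd.split()[0]


# Assumed heuristics for this example (lowercase, backslash-delimited).
USER_WRITABLE_MARKERS = ('\\temp\\', '\\downloads\\', '\\users\\public\\')
SYSTEM_BINARY_NAMES = {'svchost.exe', 'explorer.exe', 'lsass.exe', 'csrss.exe', 'winlogon.exe'}


def assess(entry: AutostartEntry) -> AutostartEntry:
    exe = executable_path(entry.command)
    low = exe.lower()
    entry.executable = exe
    if any(marker in low for marker in USER_WRITABLE_MARKERS):
        entry.reasons.append('executable lives in a user-writable location')
    basename = low.rsplit('\\', 1)[-1]
    if basename in SYSTEM_BINARY_NAMES and '\\windows\\' not in low and '\\system32\\' not in low:
        entry.reasons.append('system binary name outside the Windows directory')
    return entry


def find_suspicious_autostarts(reg_text: str) -> List[AutostartEntry]:
    return [e for e in map(assess, parse_run_keys(reg_text)) if e.reasons]


if __name__ == '__main__':
    for e in find_suspicious_autostarts(SAMPLE_REG_EXPORT):
        print(f'{e.key}\\{e.name}: {e.executable}')
        for r in e.reasons:
            print(f'    - {r}')
```

Run against the constructed export, the script reports the `Updater` and `WinHelper` values and leaves the two legitimate-looking entries alone. In practice the input would come from a registry export or a live enumeration of the same keys (and of the other autostart locations the text alludes to), and the marker lists would be tuned to the environment.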