
I know that malware could create a new Run registry key to make itself start at boot, but a user could simply remove the registry key and reboot and that would stop the virus, but this is usually not the case. I know that if malware has administrative rights it could replace a core Windows program to be undetectable and persistent, but what if the malware doesn't have administrative rights? How can it defend against a user that removes its registry key?

ddev
  • 55
  • 1
  • 4
  • It could try and hide itself somewhere else where it would be likewise executed, or executed *eventually*. "How it can defend" assumes that it *can* defend. But then again, maybe it can't. – LSerni May 05 '19 at 16:30
  • This question is highly speculative. What malware are you talking about? How did you come to the conclusion? Maybe the malware uses other forms of persistence along with registry edits. – yeah_well May 05 '19 at 16:45
  • @VipulNair That is my question, how can it persist if the user removes the registry key? What are the other forms of persistence it can use? By the way I'm not referring to any malware in particular, I'm just curious about how it can persist knowing that the user might find the registry key and delete the executable file. – ddev May 05 '19 at 16:53
  • A quick google will give you the answer. – yeah_well May 05 '19 at 17:22
  • I've already searched on Google and I've only found techniques that edit the registry or require administrator access. – ddev May 05 '19 at 17:39
  • @Deci: If the malware is running with the same permissions as the user it can only install itself in places where the user can remove it again. What makes you think that malware would be able to hide itself totally so that no user could detect it even if he knows how it hid itself? – Steffen Ullrich May 05 '19 at 18:03
  • Autostart, maybe? Does modern Windows still have that? – forest May 06 '19 at 02:49

1 Answer


How are malware able to start on boot on windows without administrator rights?

  1. Find a Service which runs an executable which a user can overwrite (Hint: Installed software that has its own updater usually fits the bill.)

  2. bitsadmin (see this example) can run on a schedule or on an event and call a handler program specified by the user.

if a malware doesn't have administrative rights? How can it defend against a user that removes its registry key?

Of course, either of these can be undone by a user just as they can be done by a user, but they're subtler than Run keys and more likely to avoid notice.

gowenfawr
  • 71,975
  • 17
  • 161
  • 198
  • 2
    And of course the ever-popular "Use multiple trigger methods to launch multiple processes, which monitor and protect each other and each others' triggers". "Can be undone by a user" is not trivial to remove if the malware redoes it in under 10 milliseconds. – Ben Voigt May 06 '19 at 03:16
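The following audit script is an added example; it is not from the answer above or from any of the commenters. It takes the defender's side of the two footholds the answer names and lists them from an ordinary, non-elevated PowerShell session, because that is the vantage point the question is about. It assumes that `Win32_Service.PathName` holds the service's raw command line and that the image path ends in `.exe`; it approximates "the user can overwrite this file" by checking the DACL for an Allow rule carrying the WriteData bit for any SID in the current token (Write, Modify and FullControl all include that bit) with no matching Deny; and since the exact text `bitsadmin /getnotifycmdline` prints is not documented here, the handler line is shown as bitsadmin prints it rather than parsed.

```powershell
# Added audit example (not part of the original answer). Run as the ordinary
# user; nothing here needs elevation. Assumptions are marked in comments.

function Test-CurrentUserCanWrite {
    param([string]$Path)
    # Approximation: compare the file's DACL against the SIDs in the current
    # token. A rule counts as "write" if it carries the WriteData bit; an
    # explicit Deny with that bit wins. Generic-rights ACEs are not expanded.
    $id   = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $sids = @($id.User.Value) + @($id.Groups | ForEach-Object { $_.Value })
    try { $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop } catch { return $false }
    $allow = $false; $deny = $false
    $writeBit = [System.Security.AccessControl.FileSystemRights]::WriteData
    foreach ($rule in $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])) {
        if ($sids -notcontains $rule.IdentityReference.Value) { continue }
        if (($rule.FileSystemRights -band $writeBit) -eq 0) { continue }
        if ($rule.AccessControlType -eq 'Deny') { $deny = $true } else { $allow = $true }
    }
    return ($allow -and -not $deny)
}

function Get-WritableServiceBinaries {
    # Foothold 1 from the answer: a service whose image file a user can replace.
    # Win32_Service.PathName is the raw command line (quoted or not, with or
    # without arguments); the image path is cut at the first ".exe" (assumption).
    Get-CimInstance -ClassName Win32_Service | ForEach-Object {
        if ($_.PathName -notmatch '^"?(?<exe>.+?\.exe)') { return }
        $exe = $Matches.exe
        if (-not (Test-Path -LiteralPath $exe -PathType Leaf)) { return }
        if (Test-CurrentUserCanWrite -Path $exe) {
            [pscustomobject]@{
                Service   = $_.Name
                RunsAs    = $_.StartName   # LocalSystem here means user-writable code runs as SYSTEM
                StartMode = $_.StartMode
                Image     = $exe
            }
        }
    }
}

function Get-BitsJobHandlers {
    # Foothold 2 from the answer: a BITS job with a notification command line.
    # Get-BitsTransfer without -AllUsers (which needs admin) lists only this
    # user's jobs, which is exactly the set an unprivileged implant could create.
    # The handler is fetched with the documented bitsadmin /getnotifycmdline and
    # printed as bitsadmin emits it (banner included); read it, don't parse it.
    Import-Module BitsTransfer -ErrorAction Stop
    Get-BitsTransfer | ForEach-Object {
        $jobId   = "{$($_.JobId)}"
        $handler = (& bitsadmin.exe /getnotifycmdline $jobId 2>&1) -join ' '
        [pscustomobject]@{
            Job     = $_.DisplayName
            State   = $_.JobState
            Created = $_.CreationTime
            Handler = $handler.Trim()
        }
    }
}

'== Services whose image file the current user can overwrite =='
Get-WritableServiceBinaries | Format-Table -AutoSize
'== BITS jobs owned by this user and their notification command lines =='
Get-BitsJobHandlers | Format-Table -AutoSize
```

The service check only looks at the image file itself; a complete review would also test the containing directory (a writable directory allows the file to be renamed and replaced even when the file's own DACL is tight) and flag unquoted paths containing spaces. Both lists are, as the answer says, things the same user can undo; the value of running the script is knowing where to look before something else re-creates them.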