Dynamic Detection and Classification of Persistence Techniques in Malware

MASTER Assignment

Dynamic Detection and Classification of Persistence Techniques in Malware

Type: Master M-CS

Period: November 2022 to May 2023

Student: J.J. van Nielen (Jorik)

Date final project: May 26, 2023

Thesis

Supervisors:


Abstract:

One of the main ways malware accomplishes its goals is by staying active on the infected machine for as long as possible. Persistence techniques let malware survive reboots, user switches, and other low-level events that are outside the control of the malware itself. While persistence is well known to be one of the main tactics deployed by malware, a comprehensive taxonomy of persistence techniques used by Windows malware is missing. In this paper, we provide a taxonomy of 70 distinct techniques, identify their properties, and categorize them accordingly. Additionally, we introduce a set of models to describe and detect each of the techniques. Finally, we implement a dynamic persistence detection system and analyze the adoption of persistence techniques in 5,000 real-world malware samples. We show that 16% of the analyzed samples use one or more persistence techniques. Furthermore, we show that malware generally relies on well-documented techniques, although a smaller subset of samples also opts for more exotic approaches.
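To make the abstract's "dynamic persistence detection" concrete, the following Python snippet is an added example and not the thesis' own implementation. It models a sandbox trace as a list of registry, file and process events (the schema and the sample trace are constructed here), matches each event against the artefacts that a handful of well-documented techniques leave behind, and derives two of the properties the abstract mentions (trigger and required privilege) from the matched path or command line. The MITRE ATT&CK IDs are real, but the mapping and the technique names are my own; the thesis' 70-technique taxonomy and its models are not reproduced.

```python
"""Toy dynamic persistence detector over sandbox trace events.

Added example, not the thesis' detection system.  Event schema, sample
trace and the technique catalogue below are assumptions for illustration.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Detection:
    technique: str   # descriptive name used in this example
    attack_id: str   # MITRE ATT&CK (sub-)technique ID; mapping is mine
    trigger: str     # event that re-launches the persisted payload
    privilege: str   # privilege needed to install the artefact
    evidence: str    # trace artefact that matched


# Artefact patterns.  Windows registry and file paths are case-insensitive.
RUN_KEY_RE = re.compile(
    r"^(?P<hive>HKLM|HKCU)\\Software\\(?:Wow6432Node\\)?Microsoft\\Windows"
    r"\\CurrentVersion\\(?:Run|RunOnce)\\.+", re.I)
SERVICE_IMAGE_RE = re.compile(
    r"^HKLM\\SYSTEM\\CurrentControlSet\\Services\\[^\\]+\\ImagePath$", re.I)
WINLOGON_RE = re.compile(
    r"^HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon"
    r"\\(?:Shell|Userinit)$", re.I)
STARTUP_DIR_RE = re.compile(
    r"\\(?P<scope>ProgramData|Users\\[^\\]+)\\.*\\Start Menu\\Programs"
    r"\\Startup\\[^\\]+$", re.I)
SCHTASKS_RE = re.compile(r"\bschtasks(?:\.exe)?\b.*\s/create\b", re.I)
SC_CREATE_RE = re.compile(r"\bsc(?:\.exe)?\s+create\b", re.I)
RUN_AS_SYSTEM_RE = re.compile(r"/ru\s+\"?(?:nt authority\\)?system\b", re.I)


def classify_event(ev):
    """Map one trace event to a Detection, or None if it is not persistence."""
    kind = ev["type"]
    if kind == "RegistryValueSet":
        path = ev["path"]
        m = RUN_KEY_RE.match(path)
        if m:  # HKLM needs admin, HKCU is writable by the current user
            priv = "admin" if m.group("hive").upper() == "HKLM" else "user"
            return Detection("Registry Run key", "T1547.001", "user logon", priv, path)
        if SERVICE_IMAGE_RE.match(path):
            return Detection("Windows service", "T1543.003", "boot", "admin", path)
        if WINLOGON_RE.match(path):
            return Detection("Winlogon helper", "T1547.004", "user logon", "admin", path)
    elif kind == "FileCreate":
        m = STARTUP_DIR_RE.search(ev["path"])
        if m:  # the all-users Startup folder under ProgramData needs admin
            priv = "admin" if m.group("scope").lower() == "programdata" else "user"
            return Detection("Startup folder", "T1547.001", "user logon", priv, ev["path"])
    elif kind == "ProcessCreate":
        cmd = ev["cmdline"]
        if SCHTASKS_RE.search(cmd):  # a task running as SYSTEM needs admin
            priv = "admin" if RUN_AS_SYSTEM_RE.search(cmd) else "user"
            return Detection("Scheduled task", "T1053.005", "schedule or logon", priv, cmd)
        if SC_CREATE_RE.search(cmd):
            return Detection("Windows service", "T1543.003", "boot", "admin", cmd)
    return None


def analyze(events):
    """Return the distinct detections for one sample's trace, in trace order."""
    seen, found = set(), []
    for ev in events:
        det = classify_event(ev)
        if det and (det.attack_id, det.evidence) not in seen:
            seen.add((det.attack_id, det.evidence))
            found.append(det)
    return found


def uses_persistence(events):
    return bool(analyze(events))


def persistence_rate(traces):
    """Fraction of samples (each a list of events) with at least one detection."""
    return sum(1 for t in traces if uses_persistence(t)) / len(traces) if traces else 0.0


# Constructed sample trace of a hypothetical dropper; not data from the thesis.
SAMPLE_TRACE = [
    {"type": "ProcessCreate", "cmdline": r"C:\Users\bob\AppData\Local\Temp\dropper.exe"},
    {"type": "FileCreate", "path": r"C:\Users\bob\AppData\Roaming\svc.exe"},
    {"type": "RegistryValueSet",
     "path": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "data": r"C:\Users\bob\AppData\Roaming\svc.exe"},
    {"type": "RegistryValueSet",  # unrelated registry noise, must not match
     "path": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden",
     "data": "2"},
    {"type": "ProcessCreate",
     "cmdline": r"schtasks.exe /create /sc onlogon /tn Updater /tr C:\Users\bob\AppData\Roaming\svc.exe"},
    {"type": "FileCreate",
     "path": r"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\svc.lnk"},
]

if __name__ == "__main__":
    for d in analyze(SAMPLE_TRACE):
        print(f"{d.attack_id} {d.technique:18} trigger={d.trigger:18} priv={d.privilege:5} {d.evidence}")
```

The detector is event-driven rather than snapshot-based: it classifies the write that installs the artefact, so a sample that removes the Run value again before the sandbox run ends is still caught. The obvious limitation, and the reason a taxonomy like the one in the abstract matters, is that every technique needs its own artefact pattern; anything outside the catalogue (the "exotic" techniques) is invisible to this approach.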