Sunday, March 09, 2008

what is non-persistence?

non-persistence in malware is a property whereby the malware doesn't get written to a persistent storage medium like the hard disk but instead resides only in RAM...

the primary advantage of this technique is that on-access scanners won't scan it, because the condition that triggers on-access scanning (a file being written or opened on disk) is never met, and application whitelisting won't stop it, because a non-persistent program by definition requires some exotic means of execution rather than launching from a file the whitelist could check...

a less appreciated benefit is that it circumvents outside-the-box analysis, because the contents of RAM are supposed to be lost when the computer shuts down... recent developments suggest this benefit might not actually exist, however...

non-persistence can even have some advantages against behaviour blockers under certain circumstances (ex. if the malware injects itself into a process that is already authorized to perform all the behaviours the malware needs to perform, then the behaviour blocker won't necessarily raise an alarm, unless it can detect the injection itself)...

on-demand scanning of RAM should be able to identify known non-persistent malware, so long as it doesn't use stealth or other countermeasures, however... further, since the network is nearly the only point of entry for completely non-persistent malware, scanning at the LSP (layered service provider) level has a good chance of catching any known exploits it might use to get into the system in the first place...
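to make the on-demand RAM scanning idea above concrete, here is an added example (not code from the original post) of a minimal in-memory signature scanner: it walks a snapshot of a process's memory regions and reports known byte patterns, which is how a memory scan can flag code that never touched the disk. the signature names, the regex patterns and the memory snapshot are all constructed for illustration and do not correspond to any real malware.

```python
# Added example, not from the original post: a toy on-demand memory scanner.
# It treats a process as a list of (region name, protection, bytes) regions,
# which is the shape a real scanner gets back from enumerating process memory,
# and looks for known byte signatures in each region.
import re
from typing import Dict, List, Tuple

# Constructed signature set (hypothetical names and patterns, not real malware):
# name -> regex over raw bytes.
SIGNATURES: Dict[str, bytes] = {
    "demo.injected.stub": rb"\x90\x90\x90DEMO_STUB_v1",
    "demo.loader.marker": rb"LOADER:[A-Z]{4}:\d{2}",
}

Region = Tuple[str, str, bytes]  # (region name, protection flags, contents)


def build_sample_snapshot() -> List[Region]:
    """Constructed memory snapshot of one process.

    Only the anonymous, writable-and-executable region contains the constructed
    signatures; nothing here is backed by a file, so an on-access file scanner
    would never have had a chance to look at it.
    """
    return [
        ("app.exe .text", "r-x", b"\x55\x8b\xec" + b"\x00" * 40),
        ("heap#1", "rw-", b"\x00" * 16 + b"hello world" + b"\x00" * 16),
        ("anon 0x7ff0", "rwx",
         b"\xcc" * 8 + b"\x90\x90\x90DEMO_STUB_v1" + b"LOADER:ABCD:07"),
    ]


def scan_snapshot(regions: List[Region],
                  signatures: Dict[str, bytes] = SIGNATURES) -> List[Tuple[str, str, int]]:
    """Return (signature name, region name, offset) for every match found."""
    hits: List[Tuple[str, str, int]] = []
    for region_name, _prot, data in regions:
        for sig_name, pattern in signatures.items():
            for match in re.finditer(pattern, data):
                hits.append((sig_name, region_name, match.start()))
    return hits


def suspicious_regions(regions: List[Region]) -> List[str]:
    """Regions that are both writable and executable deserve a closer look:
    image-backed code is normally mapped read-only, so rwx anonymous memory is
    a common place for injected, never-on-disk code to live."""
    return [name for name, prot, _ in regions if "w" in prot and "x" in prot]


if __name__ == "__main__":
    snapshot = build_sample_snapshot()
    for sig, region, offset in scan_snapshot(snapshot):
        print(f"hit: {sig} in region '{region}' at offset {offset}")
    print("rwx regions:", suspicious_regions(snapshot))
```

the scanner only finds what it has a signature for, which is exactly the caveat in the text: code that hides its memory from the enumeration, or unpacks into a different form than the signature expects, is missed. the rwx-region heuristic is the cheap complement to that, since it needs no signature at all.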
