August 29, 2012

Malware architectures – part 5 (Persistence)

Now that the malware has taken root on the system, has its own processes running and has gained enough privileges to operate as it was designed, the next stage is to prevent its removal.

This stage and the next (Obfuscation) are critical to the longevity of the malware. If this stage isn’t well thought out, is poorly designed or is nonexistent, then the malware will likely be caught and removed quickly.

There are several techniques employed to gain persistence on a system; we outline a few below as examples of what we have seen.

  • Installing services, scheduled tasks or startup entries (autorun registry keys, startup folders) to ensure the malware is always run again after a reboot or shutdown of the system.
  • Infecting operating system resources (system binaries or libraries the operating system loads at startup) so the malware starts whenever the operating system starts.
  • Manipulating the boot process (master boot record, boot loader, etc…) to execute the malware before other programs (e.g. antivirus, firewalls, etc…) have a chance to load.
  • Manipulating antivirus, firewall and internet security settings, and other protection mechanisms, to blind them to the malware or to disable them entirely.
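Each of the four techniques above leaves a footprint in host telemetry, which is what a responder uses to catch a persistence stage that was not well hidden. The script below is an added example, not code from the original post: it runs simple detection rules over a handful of constructed Windows event records (field names follow Sysmon and Windows event log conventions, but every value, path and service name is invented for the example) and maps each hit back to one of the four techniques. The rules, thresholds and the notion of a "user-writable" path are assumptions chosen for illustration, not an exhaustive detection set.

```python
"""Map constructed Windows/Sysmon events to the persistence techniques above.

Sources used (real event IDs, constructed records):
  Sysmon 13  - registry value set (TargetObject, Details, Image)
  Sysmon  9  - raw read of a disk device (Device, Image)
  Sysmon  1  - process create (Image, CommandLine)
  System 7045 - a service was installed (ServiceName, ImagePath, StartType)
  Security 4698 - a scheduled task was created (TaskName, TaskContent)
"""
import re

# Constructed sample events: none of these paths, SIDs or names are real telemetry.
EVENTS = [
    {"source": "Sysmon", "event_id": 13, "Image": r"C:\Users\bob\AppData\Local\Temp\upd.exe",
     "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "Details": r"C:\Users\bob\AppData\Local\Temp\upd.exe"},
    {"source": "System", "event_id": 7045, "ServiceName": "WinHelperSvc",
     "ImagePath": r"C:\Users\Public\svchost.exe", "StartType": "auto start"},
    {"source": "Security", "event_id": 4698, "TaskName": r"\Microsoft\Windows\Maintenance\Sync",
     "TaskContent": "<Exec><Command>C:\\ProgramData\\sync.exe</Command></Exec>"},
    {"source": "Sysmon", "event_id": 13, "Image": r"C:\Users\bob\AppData\Local\Temp\upd.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs",
     "Details": r"C:\ProgramData\hook.dll"},
    {"source": "Sysmon", "event_id": 9, "Image": r"C:\Users\bob\AppData\Local\Temp\upd.exe",
     "Device": r"\Device\Harddisk0\DR0"},
    {"source": "Sysmon", "event_id": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell -nop -c Set-MpPreference -DisableRealtimeMonitoring $true"},
    {"source": "Sysmon", "event_id": 1, "Image": r"C:\Windows\System32\netsh.exe",
     "CommandLine": "netsh advfirewall set allprofiles state off"},
    # Two benign records so the rules have something to ignore.
    {"source": "Sysmon", "event_id": 13, "Image": r"C:\Windows\System32\svchost.exe",
     "TargetObject": r"HKLM\SYSTEM\CurrentControlSet\Services\BITS\Start", "Details": "DWORD (0x00000003)"},
    {"source": "Sysmon", "event_id": 1, "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe notes.txt"},
]

# Detection rules (assumptions for the example; extend for your environment).
AUTOSTART_KEYS = re.compile(r"\\CurrentVersion\\(Run|RunOnce|RunServices)\\", re.I)
OS_HOOK_KEYS = re.compile(r"AppInit_DLLs|Image File Execution Options|Winlogon\\(Shell|Userinit)", re.I)
DEFENSE_KEYS = re.compile(r"Policies\\Microsoft\\Windows Defender|Windows Defender\\.*Disable", re.I)
DEFENSE_CMDS = re.compile(r"Set-MpPreference\s+-Disable|advfirewall\s+set\s+\w+\s+state\s+off"
                          r"|sc(\.exe)?\s+(stop|config)\s+WinDefend", re.I)
RAW_DISK = re.compile(r"\\Device\\Harddisk\d+\\DR\d+", re.I)      # physical disk device (MBR lives here)
USER_WRITABLE = re.compile(r"\\(AppData|Temp|Users\\Public|ProgramData)\\", re.I)


def classify(ev):
    """Return (technique, reason) for one event, or None if no rule fires."""
    src, eid = ev["source"], ev["event_id"]
    if src == "Sysmon" and eid == 13:
        target = ev.get("TargetObject", "")
        if AUTOSTART_KEYS.search(target):
            return ("autostart", f"Run-key value set: {target} -> {ev.get('Details')}")
        if OS_HOOK_KEYS.search(target):
            return ("os_resource", f"OS load hook modified: {target} -> {ev.get('Details')}")
        if DEFENSE_KEYS.search(target):
            return ("defense_tampering", f"Defender policy key modified: {target}")
    elif src == "System" and eid == 7045:
        path = ev.get("ImagePath", "")
        if USER_WRITABLE.search(path):   # services normally live under System32 / Program Files
            return ("autostart", f"Service {ev['ServiceName']} installed from user-writable path {path}")
    elif src == "Security" and eid == 4698:
        return ("autostart", f"Scheduled task created: {ev['TaskName']}")
    elif src == "Sysmon" and eid == 9:
        if RAW_DISK.search(ev.get("Device", "")):
            return ("boot", f"Raw access to physical disk {ev['Device']} by {ev['Image']}")
    elif src == "Sysmon" and eid == 1:
        if DEFENSE_CMDS.search(ev.get("CommandLine", "")):
            return ("defense_tampering", f"Protection disabled via: {ev['CommandLine']}")
    return None


def triage(events):
    """Run every rule over every event; return one finding dict per hit."""
    findings = []
    for ev in events:
        hit = classify(ev)
        if hit:
            findings.append({"technique": hit[0], "reason": hit[1], "image": ev.get("Image")})
    return findings


def summarize(findings):
    """Count findings per persistence technique."""
    counts = {}
    for f in findings:
        counts[f["technique"]] = counts.get(f["technique"], 0) + 1
    return counts


if __name__ == "__main__":
    hits = triage(EVENTS)
    for h in hits:
        print(f"[{h['technique']:>17}] {h['reason']}")
    print(summarize(hits))
```

Every one of the seven hits corresponds to a bullet above, and the two benign records (a normal service start-type change and a notepad launch) pass through untouched. The same registry, service-install, task-creation and raw-disk-access signals are what a responder would sweep for on a suspect host; the scheduled-task rule fires on every creation because, in practice, the task's command is then reviewed by hand.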

Once the malware has made its changes, it moves on to the next step, Obfuscation.