July 22, 2012

Malware architectures – part 4 (Taking Control)

In previous posts we talked about how a malware package gets into a system; this post explains how it takes control and gains the privileges it needs to expand its capabilities.

Nearly all malware in the wild today starts by copying its control components to various locations on the target system. These locations normally carry no restrictions for the user who executed it by mistake, or whose identity the malware has assumed by injecting itself into their running programs. Examples are the browser history and temporary internet folders, the application data folders (on Windows 7), and personal folders such as Documents and Downloads. These are only stepping-stone locations for the next step.
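A defender-side check for the staging step just described, added here as an example and not code from the original post: it flags Windows executables (files starting with the `MZ` header) that sit in the user-writable locations the post names and that were either written recently or carry a non-executable extension. The directory markers, the one-hour window and the sample file records are constructed assumptions.

```python
import os
from dataclasses import dataclass

# Constructed markers for the user-writable staging locations the post names
# (IE temp/history, per-user AppData, Downloads, Documents), matched against
# a forward-slash, lower-cased path so os.walk output on any OS works.
STAGING_MARKERS = ["/appdata/local/temp/", "/appdata/roaming/",
                   "/temporary internet files/", "/downloads/", "/documents/"]
PE_EXTENSIONS = {".exe", ".dll", ".scr"}

@dataclass
class FileRecord:
    path: str     # full path of the file
    mtime: float  # last-modified time, seconds since the epoch
    head: bytes   # first bytes of the file content

def in_staging_dir(path: str) -> bool:
    norm = path.replace("\\", "/").lower()
    return any(marker in norm for marker in STAGING_MARKERS)

def flag_staged_executables(records, now, max_age_s=3600):
    """Return (path, reasons) for PE files ('MZ' header) in a staging location
    that were written recently or that hide behind a non-executable extension."""
    findings = []
    for rec in records:
        if not in_staging_dir(rec.path) or rec.head[:2] != b"MZ":
            continue
        reasons = []
        if now - rec.mtime <= max_age_s:
            reasons.append("written within the last %ds" % max_age_s)
        ext = os.path.splitext(rec.path)[1].lower()
        if ext not in PE_EXTENSIONS:
            reasons.append("PE header behind '%s' extension" % (ext or "no"))
        if reasons:
            findings.append((rec.path, reasons))
    return findings

# Constructed sample: a fresh dropper in Temp, a PE disguised as a PDF in
# Downloads, a real PDF, a program outside any staging dir, and an old DLL.
NOW = 1_000_000.0
SAMPLE = [FileRecord("C:\\Users\\a\\AppData\\Local\\Temp\\svc.exe", NOW - 60, b"MZ\x90"),
          FileRecord("C:\\Users\\a\\Downloads\\invoice.pdf", NOW - 120, b"MZ\x90"),
          FileRecord("C:\\Users\\a\\Downloads\\report.pdf", NOW - 120, b"%PDF"),
          FileRecord("C:\\Program Files\\app\\app.exe", NOW - 10, b"MZ\x90"),
          FileRecord("C:\\Users\\a\\AppData\\Roaming\\old.dll", NOW - 30 * 86400, b"MZ")]
```

On a live system, build the records by walking the profile with `os.walk`, taking `os.path.getmtime` and the first two bytes of each file, then pass them with `time.time()` as `now`.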

Once the malware has placed its parts wherever it can, each of them is executed in the background by vulnerable applications on the system that hold the access needed to take further control. Examples of such vulnerable software are Adobe Acrobat/AIR, Internet Explorer, Java, and so on. These legitimate programs need access to restricted areas of the computer to function, and the control components leverage that access to push their own privileges and permissions to a higher level, most often administrator-level access. Depending on the malware and the pivot application it leverages, it can sometimes gain kernel-level access, the highest level of the operating system.

These control parts are actually individually crafted exploit components, micro-malware if you will, that do the intermediate job of gaining enough access to reach the next stage: Persistence.