Malware Footprints and Persistence

Once on a system, malware will generally leave a footprint, or some evidence to indicate its presence. When the malware is installed, files are created on the system. New directories may also be created. Registry keys may be added, or a value may be added to an existing Registry key. For the malware to be active and effective, it must exist at some point as a running process, even if for a short time. Finally, many forms of malware will open ports on the system. Network backdoors and Trojans will generally open ports in LISTENING mode in order to allow an attacker to connect to them and take control of the victim system. IRC bots, on the other hand, will open a client port in order to connect to an IRC server ...
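The paragraph above names four footprint categories (files and directories, Registry values, a running process, and open ports in listening or client mode). The following PowerShell triage script is an added example, not code from the book or its author: it snapshots each category to CSV so the result can be diffed against a known-good baseline, and it joins TCP sockets to their owning process so that a LISTENING port can be traced back to the image that opened it. It assumes Windows PowerShell 5.1 or later with `Get-NetTCPConnection` available (Windows 8 / Server 2012 onward), an elevated prompt for a complete process and socket view, and the watched-path list and `$RecentDays` window are constructed choices to adjust per case.

```powershell
# Added triage example (not from the book). Collects the four footprint
# categories (recent files/dirs, autostart Registry values, processes, and
# listening vs. established TCP sockets) into CSV files for baseline comparison.
# Assumes: Windows PowerShell 5.1+, Get-NetTCPConnection present, elevated prompt.
param(
    [int]$RecentDays = 7,                                          # assumption: window for "new" files
    [string]$OutDir = (Join-Path $env:TEMP 'footprint-triage')     # assumption: output location
)
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
$cutoff = (Get-Date).AddDays(-$RecentDays)

# 1. Files and directories: entries created inside the window in locations
#    malware commonly writes to (constructed list; extend per investigation).
$watchPaths = @("$env:SystemRoot", "$env:SystemRoot\System32", "$env:ProgramData",
                "$env:APPDATA", "$env:LOCALAPPDATA", "$env:TEMP")
$recentFiles = foreach ($p in $watchPaths) {
    Get-ChildItem -Path $p -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.CreationTime -ge $cutoff } |
        Select-Object FullName, CreationTime, LastWriteTime, Length,
                      @{ n = 'IsDir'; e = { $_.PSIsContainer } }
}
$recentFiles | Export-Csv (Join-Path $OutDir 'recent-files.csv') -NoTypeInformation

# 2. Registry: every value under the classic Run/RunOnce autostart keys. A value
#    added here is the "value added to an existing Registry key" footprint.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
$autoruns = foreach ($k in $runKeys) {
    $props = Get-ItemProperty -Path $k -ErrorAction SilentlyContinue
    if ($props) {
        $props.PSObject.Properties |
            Where-Object { $_.Name -notmatch '^PS(Path|ParentPath|ChildName|Drive|Provider)$' } |
            ForEach-Object { [pscustomobject]@{ Key = $k; Name = $_.Name; Command = $_.Value } }
    }
}
$autoruns | Export-Csv (Join-Path $OutDir 'autoruns.csv') -NoTypeInformation

# 3. Processes: Win32_Process supplies parent PID, image path and command line,
#    which plain Get-Process does not expose.
$procs = Get-CimInstance Win32_Process |
    Select-Object ProcessId, ParentProcessId, Name, ExecutablePath, CommandLine
$procs | Export-Csv (Join-Path $OutDir 'processes.csv') -NoTypeInformation

# 4. Ports: LISTENING sockets (the backdoor/Trojan pattern) and ESTABLISHED
#    sockets (the IRC-bot client pattern), each joined to its owning process.
$byPid = @{}
foreach ($p in $procs) { $byPid[[int]$p.ProcessId] = $p }
$conns = Get-NetTCPConnection -ErrorAction SilentlyContinue |
    Where-Object { $_.State -in 'Listen', 'Established' } |
    ForEach-Object {
        $owner = $byPid[[int]$_.OwningProcess]
        $image = if ($owner -and $owner.ExecutablePath) { $owner.ExecutablePath } else { '<unknown>' }
        [pscustomobject]@{
            State      = $_.State
            LocalAddr  = $_.LocalAddress
            LocalPort  = $_.LocalPort
            RemoteAddr = $_.RemoteAddress
            RemotePort = $_.RemotePort
            PID        = $_.OwningProcess
            Image      = $image
        }
    }
$conns | Sort-Object State, LocalPort |
    Export-Csv (Join-Path $OutDir 'tcp-connections.csv') -NoTypeInformation

# Quick look: a listener whose image sits outside the OS / Program Files trees,
# or an established connection owned by a process with no resolvable image,
# is worth a second look before diffing the CSVs against the baseline.
$trustedPrefixes = @($env:SystemRoot, $env:ProgramFiles, ${env:ProgramFiles(x86)}) |
    Where-Object { $_ }
function Test-TrustedImage([string]$Path) {
    foreach ($t in $trustedPrefixes) { if ($Path -like "$t*") { return $true } }
    return $false
}
$conns | Where-Object {
    ($_.State -eq 'Listen' -and -not (Test-TrustedImage $_.Image)) -or
    ($_.State -eq 'Established' -and $_.Image -eq '<unknown>')
} | Format-Table -AutoSize
Write-Host "Triage output written to $OutDir"
```

Run it once on a clean reference build of the same image to produce the baseline CSVs, then on the suspect host; the interesting rows are the ones present only in the suspect run. The path-prefix check at the end is a triage heuristic only: a legitimate service can live elsewhere, and malware can write into the trusted trees, so it narrows the review rather than deciding it.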