A new method has been discovered that allows malware to persist on an infected system even after a reboot. The method works only on Windows 10 and only against apps developed for the Universal Windows Platform (UWP). A researcher said, “the technique should work with any UWP apps, but it is only useful when used with UWP apps that Windows 10 runs automatically after boot-up, such as Cortana and the People app.” If the attacker targets other apps, the user must launch that app manually before the planted binary runs.

The trick works right after an infection occurs: the malware adds a registry key that modifies the app’s start-up settings. When the user reboots, the new registry key puts the UWP app into debug mode and optionally launches another program, the “debugger” that would normally help a developer or user see what is wrong with the UWP app. The attacker can point that debugger setting at any executable they choose. Adding the registry key does not require admin privileges; all the attack needs is an initial infection of the user.

Microsoft has been contacted about the issue; however, because the method requires an existing foothold on the system, the report was not classified as a security issue. Some antivirus software may detect this method or the original malware running on the system. If it does not, that points to a gap in the antivirus software.
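As an added defensive illustration (not code from the original write-up), the following PowerShell audit enumerates per-user UWP debugger registrations and reports any configured debugger path, which is the setting the technique above abuses. It assumes the registration lives under `HKCU:\Software\Classes\ActivatableClasses\Package\<PackageFullName>\DebugInformation\<AppId>` with a `DebugPath` value; that location comes from the public description of this method, not from this page, and the function name is this example's own.

```powershell
# Added defensive example: audit per-user UWP debugger registrations.
# Assumption (not stated on the page): the technique writes a DebugPath value under
#   HKCU:\Software\Classes\ActivatableClasses\Package\<PackageFullName>\DebugInformation\<AppId>
# HKCU is audited because, as the page notes, no admin rights are needed to plant the key.
# The function name and output shape are this example's own.

function Get-UwpDebuggerRegistration {
    [CmdletBinding()]
    param(
        # Root to audit; a non-admin process can write here.
        [string]$Root = 'HKCU:\Software\Classes\ActivatableClasses\Package'
    )

    if (-not (Test-Path $Root)) { return @() }

    $findings = foreach ($pkg in Get-ChildItem -Path $Root -ErrorAction SilentlyContinue) {
        $dbgRoot = Join-Path $pkg.PSPath 'DebugInformation'
        if (-not (Test-Path $dbgRoot)) { continue }
        foreach ($app in Get-ChildItem -Path $dbgRoot -ErrorAction SilentlyContinue) {
            $props = Get-ItemProperty -Path $app.PSPath -ErrorAction SilentlyContinue
            if ($null -eq $props.DebugPath) { continue }   # no debugger configured
            [pscustomobject]@{
                Package    = $pkg.PSChildName
                AppId      = $app.PSChildName
                DebugPath  = $props.DebugPath
                # A debugger that is not a known developer tool deserves a closer look.
                Suspicious = ($props.DebugPath -notmatch '(?i)\\(devenv|windbg|cdb)\.exe$')
                Key        = $app.Name
            }
        }
    }
    return @($findings)
}

# Usage: list every configured UWP debugger for the current user. A non-empty
# result on a workstation with no developer tooling installed is worth investigating.
Get-UwpDebuggerRegistration | Format-Table -AutoSize
```

Run it under each interactive user account, since the registration is per user; a baseline taken on a clean image makes later additions easy to spot.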
By Akshay Rohatgi and Randy Pargman

About this Student Research Project

Binary Defense’s mission is