Tuesday, September 22, 2020

Monday, September 21, 2020

The Dread Rocket Raticate


Mount Moon is an interesting place. Located in northern Kanto, it's notable not only for its wealth of Pokémon Fossils, but also its extraordinary rate of meteorites per year. I spoke with Gym Leader Brock about it before leaving Pewter City and learned that it was somewhat a rite of passage for Pokémon trainers heading out from western Kanto to the eastern plains. There were certainly easier ways to get to Cerulean City and Saffron City, but Brock assured me that if I was serious about Pokémon training, Mount Moon was the best way to go.
Mount Moon is an arduous climb and littered with numerous interlocking caves that weave beneath the peak. It was not for the faint of heart, but it would be a chance to bond with my Pokémon in the wilderness. I used some of the winnings I earned at Brock's gym to stock up on food, potions, and a handful of Pokéballs before setting out down Route 3 toward the famous landmark mountain.
Along Route 3, I battled a very enthusiastic Shorts Appreciation Fan Club. Delightful young trainers eager to challenge Brock and head off on their own through Mount Moon, but mainly obsessed with shorts. It was along this route and among these youngsters that I first heard the name Team Rocket whispered. According to these young campers and hikers, Team Rocket had set up an operation of sorts at Mount Moon and their presence there was deterring a lot of trainers from passing through.
Back then, Team Rocket was an organization to be feared. They had a lot of influence over everyday life in Kanto, and very few people had the courage to stand up to them. However, as a newcomer to the Kanto region, I was truly clueless at the time. I could see that the kids were unsettled by the thought of Rocket grunts lurking in the caves of Mount Moon, but I was incapable of understanding what this threat meant to them, or what it would come to mean to me. I pressed onward down Route 3 hoping to reach the base camp and Pokémon Center at the foot of Mount Moon before nightfall.
Along the way, I managed to catch a Spearow who I gladly added to the team. I named him Shakespear. Shakespear would come to serve me well inside the dark tunnels of Mount Moon. He needed some training before we entered, so I set to work using the base camp as our new base of operations. Shakespear proved to be a formidable bird and was not unlike Kiwi in his ability to grow quickly adept at fighting and training.
While we were training in the shadow of Mount Moon, Lucky developed a powerful psychic attack that had the potential to inflict confusion upon his opponents, and I noticed Nibbles able to inject a bit of poison from the tip of his horn with some regularity. I was certainly impressed with the team's progress. It was time to start our trek through the underbelly of Mount Moon.


The Zubat was one of the easier Pokémon to sketch, due in large part to their huge colony within Mt. Moon.
They don't write this on any of the brochures that I saw, but Mount Moon is absolutely infested with Zubat. You can't go three feet without being assailed by another Zubat, and so naturally the next great addition to Team Fox was a Zubat named Vesper. As I'm sure you can imagine, if you are at all familiar with Zubat, Vesper was a bit of a nightmare to train. That might actually be an understatement.
As we methodically made our way through Mount Moon, I was determined to get Vesper up to par with my other traveling companions. He would often open up a battle with other Zubat, or with the occasional trainer we found along those winding paths, only to be replaced with Shakespear who was an absolute terror in those tunnels.
Shakespear earned his place on my team as the number one Zubat deterrent on Mount Moon. He could out-perform them at every turn, pecking them out of the sky and sending a message that we were not to be trifled with by other Zubat. Those other Zubat did not get that message, however, and continued to plague us the entire time.
Among the outer caves of Mount Moon, I ran into a wide variety of trainers. As Brock had mentioned, it truly did seem like a thoroughfare for aspiring trainers to test their resolve against both the forces of nature and each other. In this particular case, Mount Moon served to test young trainers against a never-ending onslaught of territorial Zubat. There were young boys and girls, among them a bug catching kid who had wandered too far from Viridian Forest, I presume. I passed and challenged the occasional hiker and a science enthusiast. None posed much of a problem for my team, and the pain of losing Rascal felt like it was passing somewhat.

In the heart of Mount Moon, I finally encountered members of Team Rocket. As I approached in the darkness, I heard them talking. Another young trainer had passed through quite recently and dealt them a severe Pokémon beating that still had them upset. Instead of keeping him out of their operation, he had apparently just blown straight through them and their Pokémon without hesitation. When they saw me lurking in the darkness, eavesdropping on their conversation, well they decided to take out their frustrations on me.
Although most of them were weakened by this previous trainer to a point where they couldn't even muster a Pokémon to participate, there was one trainer in that dark tunnel I will never forget. He was the champion of their little operation under Mount Moon, and he would make me pay for wandering where I wasn't wanted. He only had one Pokémon to face my five, but it was enough. I was lucky he didn't have any more.

This Rocket Grunt had an absurdly powerful Raticate, an evolution of my previous Pokémon, Rascal. I knew I had to be careful and so I threw out Lucky to face him. Lucky had recently learned to harness particles on its wings into powerful toxins, and so I had Lucky blow a debilitating sleep powder onto the Dread Rocket Raticate as I would come to call it. As expected, the Raticate dozed off gently and opened itself up to tormenting psychic attacks from Lucky.
What I did not expect was its incredible resilience to Lucky's powerful psychic ability. This ability had taken down numerous thick skinned Geodude along the tunnels of Mount Moon, but the Raticate was formidable. I could tell it was almost defeated, but just as Lucky was going to incapacitate it, Dread Rocket Raticate woke up. It quickly evaded the next attempt to spread a sleep powder. Then it bit down and it bit down hard on Lucky. It was a blow so devastating that Lucky was indeed lucky to not pass out from the strain. I had to switch.
I took a moment to collect myself with all the other Rocket grunts gathered around to cheer on their formidable leader and his terrible Raticate. I knew his Raticate was on the verge of defeat. It would only take one more solid hit to knock it out of the fight and claim a victory. Vesper was still useless. Kiwi and Shakespear were valid candidates, because of their speed and agility. But of all my Pokémon, Nibbles had the most solid defense with his very thick hide, so I felt if any of them were going to survive that devastating hyper fang it would be Nibbles.
Sadly, I was wrong. Nibbles came out of his Pokéball twitching his long ears and ready to face any challenge. Nibbles didn't even have the chance to see what hit him. That damned Raticate bit down on Nibbles' head so hard that he was done in seconds. There was no time for Nibbles to react. His fight was over before it had even begun. I let out a loud wail that echoed through the caverns beneath Mount Moon, but that exclamation of shock and disbelief was drowned out by the numerous members of Team Rocket whooping and hollering at their leader's small victory.
It would be short lived. Kiwi came out and could sense my distress. He launched a brutal quick attack on the Dread Rocket Raticate and ended the fight in a single decisive blow. Team Rocket was not amused, but they were out of Pokémon and wouldn't dare lay a hand on me with my trained Pokémon at my side ready to defend me.
I carefully excused myself from whatever nefarious plot they were hatching in that large cavern. They allowed me to pass on my way without any more provocation. They probably said a bunch of intimidating junk that those gangster types like to say, but honestly my heart was sunken deep into the ground. I wouldn't have heard anything they said. Although probably meaningless to them, I had failed Nibbles and now we would part ways forever.
Speaking honestly, I had high hopes for Nibbles. He was so small and weak when we met, but he had the heart of a champion. I thought Nibbles would be with me on Victory Road, facing down the Elite Four and the Indigo Champion. I thought we would take on the world together, but these foul Team Rocket hooligans put an abrupt end to that fantasy.
I nursed Nibbles back to good health in some quiet corner of Mount Moon and spent our last remaining moments together just appreciating the company. Much like with Rascal, I tried to explain to Nibbles why it was important to me that he lived out the rest of his life here on Mount Moon (and I could truly think of no better place for him) and why I would have to press on without him. I shed a few tears and gave Nibbles a careful hug, avoiding his poisonous horn. He seemed to understand and with a final look at me, he scampered off into the darkness.
I soldiered on for Rascal and Nibbles. I pressed on to Cerulean.

Current Team:
Attacks in Blue are recently learned.

Saturday, September 12, 2020

People Behind The Meeples - Episode 235: Aaron McDonell Moline

Welcome to People Behind the Meeples, a series of interviews with indie game designers.  Here you'll find out more than you ever wanted to know about the people who make the best games that you may or may not have heard of before.  If you'd like to be featured, head over to http://gjjgames.blogspot.com/p/game-designer-interview-questionnaire.html and fill out the questionnaire! You can find all the interviews here: People Behind the Meeples. Support me on Patreon!


Name: Aaron McDonell Moline
Email: aaron@bardsharkcom
Location: New York City
Day Job: I am a journalist by profession, but I've been working on Antematter full time for the past many months.
Designing: Three years.
Webpage: bardshark.com
BGG: Antematter
Facebook: BardShark
Twitter: @BardSharkGames
YouTube: Bardshark
Instagram: @bardshark
Find my games at: On Kickstarter this August!
Today's Interview is with:

Aaron McDonell Moline
Interviewed on: 7/18/2020

In 2017, Aaron McDonell Moline founded BardShark Games with his friends and family with the goal of designing and publishing exciting, new games. His first design, Antematter, will be on Kickstarter next month. Read on to learn more about Aaron and his current projects.

Some Basics
Tell me a bit about yourself.

How long have you been designing tabletop games?
Two to five years.

Why did you start designing tabletop games?
Because I love games, and because I think that working on what you love is the best kind of life.

What game or games are you currently working on?
Antematter, and some preproduction stuff I'm not gonna get into just yet.

Have you designed any games that have been published?
Not yet!

What is your day job?
I am a journalist by profession, but I've been working on Antematter full time for the past many months.

Your Gaming Tastes
My readers would like to know more about you as a gamer.

Where do you prefer to play games?
In my home.

Who do you normally game with?
My wife, my friends, my brother. Basically all the people I work with at BardShark.

If you were to invite a few friends together for game night tonight, what games would you play?
Something fun and not too rules heavy, like Codenames.

And what snacks would you eat?
New York has the best delivery in the world, so we tend to vary our team meals.

Do you like to have music playing while you play games? If so, what kind?
Depends on the game. For Antematter, some Jazz might be what I'm looking for.

What's your favorite FLGS?
Hex and Company

What is your current favorite game? Least favorite that you still enjoy? Worst game you ever played?
It's a hard one. I love Boss Monster. I wanted to love Scythe and I've enjoyed playing it, but it's not for me. I've played a LOT of very bad games over the years. Have you ever heard of Floating Runner?

What is your favorite game mechanic? How about your least favorite?
I dig games whose narrative and mechanics are blended together to form a whole better than the sum of its parts. My least favorite things are just bummers like durability or inventory systems that take you from playing something fun to managing something clunky and boring.

What's your favorite game that you just can't ever seem to get to the table?
Man, what I wouldn't give just to have my friends over for a regular old game of Poker.

What styles of games do you play?
I like to play Board Games, Card Games, RPG Games, Video Games

Do you design different styles of games than what you play?
I like to design Board Games, RPG Games, Video Games

OK, here's a pretty polarizing game. Do you like and play Cards Against Humanity?
I like cards and humanity.

You as a Designer
OK, now the bit that sets you apart from the typical gamer. Let's find out about you as a game designer.

When you design games, do you come up with a theme first and build the mechanics around that? Or do you come up with mechanics and then add a theme? Or something else?
I think that development is an iterative process that should intertwine story and themes with the gameplay. In our case, the theme and world our games take place in was devised over the course of years, but the mechanics of the game were built on their own and have shaped and been shaped by the theme we've chosen.

Have you ever entered or won a game design competition?
Nope.

Do you have a current favorite game designer or idol?
I think what Jamey Stegmaier is doing over at Stonemaier Games is pretty awesome.

Where or when or how do you get your inspiration or come up with your best ideas?
I think the best ways to get inspiration are to immerse yourself in games, talk about games, and collaborate.

How do you go about playtesting your games?
First we do a whole mess of internal playtesting. Then we bring in trusted friends and family who like to play games. Then we playtest it ourselves some more. Then we take it to conventions where enthusiasts can get their hands on it and provide feedback. Then we go back and playtest it some more, and repeat the process. So far it's worked out for us.

Do you like to work alone or as part of a team? Co-designers, artists, etc.?
I have the best team behind me. Artists, mechanics, problem solvers, all friends and family.

What do you feel is your biggest challenge as a game designer?
Coming from out of nowhere and trying to get people as excited as we are about this new game we've been working on.

If you could design a game within any IP, what would it be?
Our IP. The Engine Star Universe. Although if you twisted my arm to mention an outside IP, I'd have to confess that I would love to do something in fantasy, like A Song of Ice and Fire or Lord of the Rings.

What do you wish someone had told you a long time ago about designing games?
That I'd love it this much, and to start earlier.

What advice would you like to share about designing games?
Work with people you trust, and learn how to juggle.

Would you like to tell my readers what games you're working on and how far along they are?
I'm planning to crowdfund: Antematter

Are you a member of any Facebook or other design groups? (Game Maker's Lab, Card and Board Game Developers Guild, etc.)
Board Game Reviewers and Media, Tabletop Game Kickstarter Advice, The Boardgame Group

And the oddly personal, but harmless stuff…
OK, enough of the game stuff, let's find out what really makes you tick! These are the questions that I'm sure are on everyone's minds!

Star Trek or Star Wars? Coke or Pepsi? VHS or Betamax?
Wars/Coke/VHS

What hobbies do you have besides tabletop games?
Video games, for sure. I'm a voracious reader of nonfiction and history. I also love a bad/good B-Movie.

What is something you learned in the last week?
I learned that getting the first prototypes for your very first game feels pretty freaking awesome.

Favorite type of music? Books? Movies?
My music taste is pretty broad. Books I tend to read mostly nonfiction but I do read science fiction and fantasy. Lord of the Rings, Dune, A Song of Ice and Fire, classic Asimov.

What was the last book you read?
Gods of War, a look at various military rivalries throughout history from Scipio vs Hannibal to Patton and Montgomery vs Rommel.

Do you play any musical instruments?
I am pitiful at guitar.

Tell us something about yourself that you think might surprise people.
I don't eat cheese. Except on pizza. (I am so sorry).

Tell us about something crazy that you once did.
Right after college I moved to Prague, a city I had never been to and where I knew absolutely no one.

Biggest accident that turned out awesome?
I met my wife entirely by accident in college. My friends and I had the last open room on campus and she became our fourth roommate.

Who is your idol?
I tend not to idolize. But probably an artist who is unapologetically themselves creatively, like Tarantino or Paul Thomas Anderson, or Wes Anderson. What is it with Andersons?

What would you do if you had a time machine?
I would go back in time and convince myself to start making games much earlier.

Are you an extrovert or introvert?
Introvert by temperament, extrovert by necessity.

If you could be any superhero, which one would you be?
When I was a kid and we played superheroes, I would invariably pick Wolverine.

Have any pets?
Not yet, but hopefully a dog soon.

When the next asteroid hits Earth, causing the Yellowstone caldera to explode, California to fall into the ocean, the sea levels to rise, and the next ice age to set in, what current games or other pastimes do you think (or hope) will survive into the next era of human civilization? What do you hope is underneath that asteroid to be wiped out of the human consciousness forever?
Hopefully some of mine! I think that there are games out there that absolutely will pass the test of time, and I think lots of the most popular ones now will recede into the background. I'm at pains to try to wish oblivion on anyone's creative work, but I must confess that I think some of the lazier installments of certain long and tired games series could stand to be culled.

If you'd like to send a shout out to anyone, anyone at all, here's your chance (I can't guarantee they'll read this though):
To our fans and the friendly people who helped us test our game and gave us such fantastic feedback, I'd just have to extend a sincere thank you.

Just a Bit More
Thanks for answering all my crazy questions! Is there anything else you'd like to tell my readers?

Just feel free to reach out to learn more about us or our game.




Thank you for reading this People Behind the Meeples indie game designer interview! You can find all the interviews here: People Behind the Meeples and if you'd like to be featured yourself, you can fill out the questionnaire here: http://gjjgames.blogspot.com/p/game-designer-interview-questionnaire.html

Did you like this interview? Please show your support: Support me on Patreon! Or click the heart at Board Game Links, like GJJ Games on Facebook, or follow on Twitter. And be sure to check out my games on Tabletop Generation.

Falcons, Spears And Revenants, Oh My

I finished the first of the six Falcon turrets last Friday right before NEAT. The next six are going to be magnetised so I can swap them out for Fire Prism turrets (haven't started on those yet though).

Epic Eldar Falcons

I also did some conversion work earlier this week on my Revenants. I did some leg swaps to add some pose variety and magnetized the weapons. I have some Vibrocannon arm conversions to work on and a bit of puttying to do before these see paint.

Epic Eldar Revenant Titans

Finally, I finished up the lances and gems on the Shining Spears last night, and put on their decals as well. They'll need a bit of touch up and base edges before they get top coated.

Epic Eldar Shining Spears

Friday, September 4, 2020

Space Tourists


Space Park is the type of game that tends to appeal to me right away: great looking illustration and graphic design, at a low enough price point that I can afford to take a chance and buy the game on impulse. These impulse purchases can be a mixed bag, sometimes resulting in great looking games whose novelty wears off quickly (Grimslingers), or games that sounded more interesting than they actually are (Deadline), but every once in a while we end up with an entertaining game that, while simple, bears out repeated plays and earns a place in our collection.

First let's talk about the artwork. The game board is made up of a series of large tiles, each intended to look like a tourism advertisement for a location in outer space. The illustrations are gorgeous: any one of them would look great at poster size, framed on a wall somewhere. The rest of the game's printed components use snippets from these pieces of artwork along with some considered and sophisticated typography and graphic design.

Okay, so the game is pretty, but is it any fun to play? Yes it is. Space Park is an interesting marriage of familiar game mechanics with a few unusual ideas. At its core it's a resource collection game: players move around on a board made up of the aforementioned tiles, each representing a location where various different resources can be picked up, exchanged, or spent in various combinations to purchase victory points and game advantages.

What sets the game apart is the way players move around the board. Regardless of the number of players, there are three silver rocket ships, each starting at a different location. On a player's turn, they perform the action at a location where there is a ship (usually collecting a resource), then move that ship to the next empty location. This is interesting for several reasons, the most obvious being that players don't have their own playing pieces; they always have a choice of three pieces to move. More strategically, it means that every time a player takes their turn, they need to think about where the piece will be moving and what advantage they're giving the next player by moving it there.

It's one of those rare games with simple rules but a lot to think about that's great for when you want a lighter game with a reasonable amount of strategic depth. And it's very pretty to look at.

Rating: 4 (out of 5) Not necessarily an immersive "play all day" type game, but excellent for what it is: lightweight and fun.

Sunday, August 30, 2020

Many Ways Of Malware Persistence (That You Were Always Afraid To Ask)

TL;DR: Are you into red teaming? Need persistence? This post is not that long, read it ;)
Are you into blue teaming? Have to find those pesky backdoors? This post is not that long, read it ;)

In the previous post, I listed different ways a Windows domain/forest can be backdoored. In this new post, I am digging a bit deeper and listing the most common and best-known ways malware can survive a reboot using only local resources of the infected Windows system. The list is far from complete, and I would like to encourage everyone to comment on new methods not yet listed here.

From an incident response point of view, one of the best strategies to find malware on a suspicious system is to search for suspicious entries that start with the system. In the good old days, you had to check 2-3 locations to cover 99% of the infections. Nowadays, there are a thousand ways malware can start. The common ones start automatically whenever Windows starts (or the user logs in), but some tricky ones are triggered by other events.

Autoruns

My favorite tool when it comes to malware persistence is Autoruns from Sysinternals. In this section, I mainly quote the official built-in help, but bear with me, it is still interesting.

On a side note, there are some problems with the Autoruns tool: it can only run on a live system. (EDIT: This is not true, Autoruns can analyze offline systems as well! Thanks to a comment from Justin.) And usually that is not what I have; I usually have dd images. Although VBoxManage can convert dd images to the VirtualBox disk image format, usually I don't have the time and storage to do that. This is where the awesome xmount comes to the rescue. It can convert dd and EnCase images on the fly, in memory, to VirtualBox format. Just attach the disk image to a new VirtualBox machine as the main boot HDD, modify the CPU/disk/controller settings until Windows starts instead of crashing, and voila, you can boot your forensic image without modifying a single bit of the original evidence dd file. Another problem with malware analysis on a live system is that a good rootkit can fool the analyst easily.

For quick wins, I usually filter out Microsoft entries, look at per-user locations only, and check for unverified (missing or invalid Authenticode) executables. This usually helps to find 90% of malware easily. Entries that Autoruns colors purple or pink are especially suspicious. To find the rest, well, one has to dig deeper.
Zeus "hiding" in the usual random directory; note the faked timestamp
To implement "poor man's monitoring", regularly save the output of Autoruns; during incident response, it will be highly valuable. Howto guide here.
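As an added example (not code from the original post), here is the poor man's monitoring idea turned into a script: it diffs two Autoruns CSV exports and applies the quick filters above (unverified signers, per-user locations), plus checks for two tricks described later in the post (a debugger set on sethc.exe, and a "Microsoft Windows" signer on an image living outside the Windows directories). The column subset and every path, entry name and signer in the sample data are constructed; a real autorunsc export has more columns.

```python
"""Diff two Autoruns CSV snapshots and apply quick triage filters.

Constructed sample data: a column subset of what "autorunsc -c" writes (assumption),
with invented entry names and paths; nothing here comes from a real system.
"""
import csv
import io

MICROSOFT_SIGNER = "(Verified) Microsoft Windows"
# Where a genuinely Microsoft-signed autostart image is expected to live.
SYSTEM_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")

BASELINE_CSV = r"""Entry Location,Entry,Enabled,Category,Signer,Image Path,Launch String
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,SecurityHealth,enabled,Logon,(Verified) Microsoft Windows,c:\windows\system32\securityhealthsystray.exe,%windir%\system32\SecurityHealthSystray.exe
HKLM\System\CurrentControlSet\Services,Spooler,enabled,Services,(Verified) Microsoft Windows,c:\windows\system32\spoolsv.exe,C:\Windows\System32\spoolsv.exe
"""

# Same host a week later: three new entries, each a constructed illustration of a trick from the post.
CURRENT_CSV = BASELINE_CSV + r"""HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,Updater,enabled,Logon,(Not verified) Example Corp,c:\users\alice\appdata\roaming\jx8w2\updater.exe,C:\Users\alice\AppData\Roaming\jx8w2\updater.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe,Debugger,enabled,Image Hijacks,(Verified) Microsoft Windows,c:\windows\system32\cmd.exe,cmd.exe
HKLM\System\CurrentControlSet\Services,rootkit,enabled,Services,(Verified) Microsoft Windows,c:\programdata\rootkit\rootkit.exe,C:\ProgramData\rootkit\rootkit.exe
"""


def load_autoruns(csv_text):
    """Parse an export into a dict keyed by (location, entry, image path)."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return {(r["Entry Location"], r["Entry"], r["Image Path"]): r for r in reader}


def triage(row):
    """Return the reasons an entry deserves a closer look; an empty list passes the quick filters."""
    reasons = []
    location = row["Entry Location"].lower()
    entry = row["Entry"].lower()
    image = row["Image Path"].lower()
    signer = row["Signer"]
    if not signer.startswith("(Verified)"):
        reasons.append("unverified or missing Authenticode signature")
    if location.startswith("hkcu\\") or "\\appdata\\" in image:
        reasons.append("per-user autostart location")
    # The sticky keys trick: a Debugger value under IFEO for sethc.exe.
    if "image file execution options" in location and (location.endswith("\\sethc.exe") or entry == "sethc.exe"):
        reasons.append("IFEO debugger set on sethc.exe (sticky keys backdoor)")
    # A "Microsoft Windows" signer on an image outside the system directories is worth a look:
    # the chain may end in a self-made CA imported into the user's trusted store. Expect some
    # legitimate exceptions (per-user Microsoft apps), so this is a triage hint, not a verdict.
    if signer == MICROSOFT_SIGNER and not image.startswith(SYSTEM_DIRS):
        reasons.append("Microsoft Windows signature on an image outside Windows/Program Files (check which root CA the chain ends in)")
    return reasons


def report(baseline_csv, current_csv):
    """List (entry, image path, reasons) for entries that are new since the baseline or fail triage."""
    baseline = load_autoruns(baseline_csv)
    findings = []
    for key, row in load_autoruns(current_csv).items():
        reasons = triage(row)
        if key not in baseline:
            reasons.insert(0, "not present in baseline snapshot")
        if reasons:
            findings.append((row["Entry"], row["Image Path"], reasons))
    return findings


if __name__ == "__main__":
    for entry, image, reasons in report(BASELINE_CSV, CURRENT_CSV):
        print(f"{entry:<16} {image}\n    " + "\n    ".join(reasons))
```

The two stock entries pass every filter, while all three constructed additions are reported, each with the reason that caught it.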

Logon

"This entry results in scans of standard autostart locations such as the Startup folder for the current user and all users, the Run Registry keys, and standard application launch locations." 
There are 42 registry keys/folders in Autoruns at the moment that can be used to autostart malware. The most common ones are the HKCU\Software\Microsoft\Windows\CurrentVersion\Run key and the C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup folder.
One of my favorites on this topic is the fileless Poweliks malware, 100% pure awesomeness. Typical ring 3 code execution.

Explorer

"Select this entry to see Explorer shell extensions, browser helper objects, explorer toolbars, active setup executions, and shell execute hooks". 71 registry keys, OMG. Usually, this is not about auto-malware execution, but some of them might be a good place to hide malware.

Internet explorer

"This entry shows Browser Helper Objects (BHO's), Internet Explorer toolbars and extensions". 13 registry key here. If a malicious BHO is installed into your browser, you are pretty much screwed.

Scheduled tasks

"Task scheduler tasks configured to start at boot or logon." Not commonly used, but it is important to look at this.
I always thought this part of the autostart entries was quite boring, but nowadays I think it is one of the best ways to hide malware. There are so many entries here by default, and some of them can use quite good tricks to trigger the start.
Did you know that you can create task triggers that fire on Windows event log entries?
Did you know you can create malware persistence just by using Windows tools like bitsadmin and Scheduled Tasks?
Scheduler in the old days
Scheduler in the new days
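An added example (not part of the original post) that parses Task Scheduler task definitions and flags the two things just mentioned: tasks triggered by event-log queries, and tasks whose action runs bitsadmin, plus actions whose image sits in a user-writable directory. The task XML below is constructed for this example; the schema namespace is the real one, while the task names, the event query and the paths are invented.

```python
"""Flag scheduled tasks with event-log triggers or actions that run bitsadmin.

The task XML is constructed for this example in the Task Scheduler schema
(namespace http://schemas.microsoft.com/windows/2004/02/mit/task). On a real
system the definitions live as files under %SystemRoot%\\System32\\Tasks.
"""
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
# Binaries whose appearance as a task action deserves a look; extend for your environment.
WATCHED_COMMANDS = {"bitsadmin.exe"}
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\programdata\\")

SAMPLE_TASKS = {
    # Looks like a stock maintenance task: calendar trigger, image under %windir%.
    r"\Microsoft\Windows\Defrag\ScheduledDefrag": """
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><CalendarTrigger><StartBoundary>2020-01-01T01:00:00</StartBoundary></CalendarTrigger></Triggers>
  <Actions><Exec><Command>%windir%\\system32\\defrag.exe</Command><Arguments>-c -h</Arguments></Exec></Actions>
</Task>""",
    # Constructed suspicious task: fires on an (invented) event-log query and runs bitsadmin.
    r"\Updater": """
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><EventTrigger><Subscription>&lt;QueryList&gt;&lt;Query Id="0" Path="System"&gt;&lt;Select Path="System"&gt;*[System[(EventID=1234)]]&lt;/Select&gt;&lt;/Query&gt;&lt;/QueryList&gt;</Subscription></EventTrigger></Triggers>
  <Actions><Exec><Command>C:\\Windows\\System32\\bitsadmin.exe</Command><Arguments>[constructed placeholder arguments]</Arguments></Exec></Actions>
</Task>""",
    # Constructed logon task whose image lives in a user-writable directory.
    r"\OneClick": """
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><LogonTrigger/></Triggers>
  <Actions><Exec><Command>C:\\Users\\alice\\AppData\\Local\\Temp\\oneclick.exe</Command></Exec></Actions>
</Task>""",
}


def analyze_task(xml_text):
    """Return findings for one task definition; an empty list means nothing caught the eye."""
    root = ET.fromstring(xml_text.strip())
    findings = []
    # Event-triggered tasks: the trigger carries an event-log XPath query in <Subscription>.
    for trigger in root.findall("t:Triggers/t:EventTrigger", NS):
        query = trigger.findtext("t:Subscription", default="", namespaces=NS)
        findings.append(f"event-log trigger: {query}")
    for action in root.findall("t:Actions/t:Exec", NS):
        command = action.findtext("t:Command", default="", namespaces=NS).strip().lower()
        binary = command.rsplit("\\", 1)[-1]
        if binary in WATCHED_COMMANDS:
            findings.append(f"action runs {binary}")
        if any(marker in command for marker in USER_WRITABLE):
            findings.append(f"action image in user-writable location: {command}")
    return findings


def scan_tasks(tasks):
    """Map task name -> findings for every task that produced at least one finding."""
    results = {}
    for name, xml_text in tasks.items():
        findings = analyze_task(xml_text)
        if findings:
            results[name] = findings
    return results


if __name__ == "__main__":
    for name, findings in scan_tasks(SAMPLE_TASKS).items():
        print(name)
        for finding in findings:
            print("   ", finding)
```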

Services

HKLM\System\CurrentControlSet\Services is a very common place to hide malware, especially rootkits. Check all entries with special care.

Drivers

Same as services: a very common place for rootkits. Unfortunately, signing a driver for 64-bit systems is not fun anymore, as it has to be signed with a certificate that chains back to a "Software Publisher Certificate". Typical startup place for ring 0 rootkits.
Starting with Windows 10, even this changes: all drivers have to be signed through the "Windows Hardware Developer Center Dashboard portal" using EV certificates.

Codecs

22 registry keys. Not very common, but possible code execution.

Boot execute

"Native images (as opposed to Windows images) that run early during the boot process."
5 registry keys here. A good place to hide a rootkit.

Image hijacks

"Image file execution options and command prompt autostarts." 13 registry key here. I believe this was supposed for debugging purposes originally.
This is where the good-old sticky keys trick is hiding. It is a bit different from the others, as it provides a backdoor access, but you can only use this from the local network (usually). The trick is to execute your code whenever someone presses the SHIFT key multiple times before logging into RDP. The old way was to replace the sethc.exe, the new fun is to set a debug program on sethc.
If you see this, you are in trouble

AppInit

"This has Autoruns shows DLLs registered as application initialization DLLs." Only 3 registry keys here. This is the good old way to inject a malicious DLL into Explorer, browsers, etc. Luckily it is going to be deprecated soon.

Known DLLs

"This reports the location of DLLs that Windows loads into applications that reference them." Only 1 registry key. This might be used to hijack some system DLLs.

Winlogon

"Shows DLLs that register for Winlogon notification of logon events." 7 registry keys. Sometimes used by malware.

Winsock providers

"Shows registered Winsock protocols, including Winsock service providers. Malware often installs itself as a Winsock service provider because there are few tools that can remove them. Autoruns can disable them, but cannot delete them." 4 registry keys. AFAIK this was trendy a while ago. But still, a good place to hide malware.

Print monitors

"Displays DLLs that load into the print spooling service. Malware has used this support to autostart itself." 1 registry key. Some malware writers are quite creative when it comes to hiding their persistence module.

LSA providers

"Shows registers Local Security Authority (LSA) authentication, notification and security packages." 5 registry keys. A good place to hide your password stealer.

Network providers

"Missing documentation". If you have a good 1 sentence documentation, please comment.

WMI filters

"Missing documentation". Check Mandiant for details.

Sidebar gadgets

Thank god MS disabled this a while ago :)
We all miss you, you crappy resource-gobbling nightmares

Common ways - not in autoruns

Now, let's see other ways to start your malware that won't be listed in Sysinternals Autoruns.

Backdoor an executable/DLL

Just change the code of an executable which is either auto-starting or commonly started by the user. To avoid lame mistakes, disable the update of the file ... The Backdoor Factory is a good tool for this task. But if you backdoor an executable/DLL which is already listed in Autoruns, you will break the digital signature on the file. It is recommended to sign your executable, and if you can't afford to steal a trusted certificate, you can still import your own CA into the user's trusted certificate store (with user privileges), and it will look like a trusted one. Protip: use "Microsoft Windows" as the name of the code-signing CA, and your executable will blend in.
See, rootkit.exe totally looks legit, and it is filtered out when someone filters for "Hide Windows entries".


Hijack DLL load order

Just place your DLL into a directory which is searched before the original DLL is found, and PROFIT! But again, to avoid lame detection, be sure to proxy the legitimate function calls to the original DLL. Good sources on this topic: Mandiant and the DLL hijack detector.


Here you can see PlugX in action: it drops a legitimate Kaspersky executable and hijacks that executable's DLL loads with its own DLL.

Hijack a shortcut from the desktop/start menu

Never underestimate the power of lame tricks. Just create an executable that calls the original executable and meanwhile starts your backdoor. Replace the link, PROFIT! And don't be a skiddie, check the icon ;) I have seen this trick in adware hijacking browsers many times.

IE hijacked to start with http://tinyurl.com/2fcpre6

File association hijack

Choose the user's favorite file type, replace the program which handles opening it with a wrapper like the one described in the previous section, and voilà!
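Both of the last two tricks boil down to "what does a double-click actually run?", so one check covers them. The PowerShell below is an added example, not code from the original post. It resolves shortcut targets from the user's and machine's Desktop and Start Menu through the `WScript.Shell` COM object, and reads the open command for a set of common file types from HKEY_CLASSES_ROOT, honouring the per-user `UserChoice` override. The list of expected install locations and the extension list are assumptions; adjust them for your environment.

```powershell
# Added example (not from the original post): what do shortcuts and file associations really launch?
# $ExpectedRoots and the default extension list are assumptions; tune them for the environment.
$ExpectedRoots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}, $env:SystemRoot) | Where-Object { $_ }

function Get-ShortcutTargets {
    $shell = New-Object -ComObject WScript.Shell
    $folders = @(
        [Environment]::GetFolderPath('Desktop')
        [Environment]::GetFolderPath('CommonDesktopDirectory')
        [Environment]::GetFolderPath('StartMenu')
        [Environment]::GetFolderPath('CommonStartMenu')
    ) | Where-Object { $_ -and (Test-Path $_) }
    Get-ChildItem -Path $folders -Filter *.lnk -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
        $lnk    = $shell.CreateShortcut($_.FullName)
        $target = [Environment]::ExpandEnvironmentVariables($lnk.TargetPath)
        [pscustomobject]@{
            Shortcut   = $_.FullName
            Target     = $target
            Arguments  = $lnk.Arguments      # a wrapper often hides the real payload in the arguments
            IconPath   = $lnk.IconLocation   # the "check the icon" part: icon borrowed from another binary
            Signature  = if ($target -and (Test-Path -LiteralPath $target -PathType Leaf)) { (Get-AuthenticodeSignature -FilePath $target).Status } else { 'NoFile' }
            InExpected = [bool]($ExpectedRoots | Where-Object { $target -like "$_\*" })
        }
    }
}

function Get-FileTypeHandlers {
    param([string[]]$Extensions = @('.pdf', '.docx', '.xlsx', '.txt', '.jpg', '.html', '.mp3'))
    foreach ($ext in $Extensions) {
        # HKCR\<ext> (default) names the ProgID; a per-user UserChoice overrides it; the ProgID's
        # shell\open\command is the string that is finally executed.
        $progId = (Get-ItemProperty "Registry::HKEY_CLASSES_ROOT\$ext" -ErrorAction SilentlyContinue).'(default)'
        $choice = (Get-ItemProperty "HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\$ext\UserChoice" -ErrorAction SilentlyContinue).ProgId
        if ($choice) { $progId = $choice }
        if (-not $progId) { continue }
        $cmd = (Get-ItemProperty "Registry::HKEY_CLASSES_ROOT\$progId\shell\open\command" -ErrorAction SilentlyContinue).'(default)'
        [pscustomobject]@{ Extension = $ext; ProgId = $progId; Command = $cmd }
    }
}

# Usage: shortcuts pointing outside the expected roots or at unsigned files, and open commands
# that launch an interpreter or an unfamiliar path, are what to review.
Get-ShortcutTargets | Where-Object { -not $_.InExpected -or $_.Signature -ne 'Valid' } | Format-Table Shortcut, Target, Arguments, Signature -AutoSize
Get-FileTypeHandlers | Format-Table -AutoSize
```

The browser-hijack variant in the screenshot above would appear as a shortcut whose target is still the legitimate browser but whose `Arguments` carry the URL, which is why the arguments are reported alongside the target.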

COM object hijack

The main idea is that Windows checks whether certain COM objects are registered on the system, and when one is found, it is automatically loaded. See COMpfun for details.
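The classic detection for this, as an added example that is not part of the original post: a CLSID registered under `HKCU\Software\Classes` takes precedence over the same CLSID under HKLM, so every `InprocServer32` or `LocalServer32` in the user hive is listed together with its machine-hive counterpart (if any) and the signature status of the server it points at.

```powershell
# Added example (not from the original post): list per-user COM servers, which override the
# machine registration for the same CLSID, and check what they point at.
function Get-UserComServers {
    $userClsids = Get-ChildItem 'HKCU:\Software\Classes\CLSID' -ErrorAction SilentlyContinue
    foreach ($clsidKey in $userClsids) {
        $clsid = $clsidKey.PSChildName
        foreach ($serverKind in 'InprocServer32', 'LocalServer32') {
            $userServer = (Get-ItemProperty "$($clsidKey.PSPath)\$serverKind" -ErrorAction SilentlyContinue).'(default)'
            if (-not $userServer) { continue }
            $machineServer = (Get-ItemProperty "HKLM:\SOFTWARE\Classes\CLSID\$clsid\$serverKind" -ErrorAction SilentlyContinue).'(default)'
            # LocalServer32 values may be quoted and carry arguments; keep the quoted path only.
            # Unquoted commands with arguments are left as-is and will simply report NoFile.
            $path = [Environment]::ExpandEnvironmentVariables(($userServer -replace '^"([^"]+)".*$', '$1'))
            $isFile = Test-Path -LiteralPath $path -PathType Leaf -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Clsid          = $clsid
                ServerType     = $serverKind
                UserServer     = $userServer
                MachineServer  = $machineServer
                ShadowsMachine = [bool]$machineServer   # same CLSID exists under HKLM and is now overridden
                Signature      = if ($isFile) { (Get-AuthenticodeSignature -FilePath $path).Status } else { 'NoFile' }
            }
        }
    }
}

# Usage: on a typical workstation this list is short; a user-hive server that shadows a machine
# registration, or that lives in a writable user directory and is unsigned, is the finding.
Get-UserComServers | Format-Table Clsid, ServerType, UserServer, ShadowsMachine, Signature -AutoSize
```

Some legitimate per-user installs (click-to-run software, browser helpers) register CLSIDs in HKCU, so baseline the output on a clean machine of the same build before alerting on it.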

Windows Application Compatibility - SHIM

Not many people are familiar with Windows Application Compatibility and how it works. Think of it as an added layer between applications and the OS. If an application matches a certain condition (e.g. its filename), certain actions take place, e.g. emulation of directories or registry entries, DLL injection, etc. In my installation there are 367 different compatibility fixes (compatibility "simulation" types), and some of those can be customized.
Every time IE starts, inject a DLL into IE
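Custom shim databases leave a registry trail when installed with `sdbinst`, which is what the following added example (not code from the original post) inventories. It lists every database registered under `AppCompatFlags\InstalledSDB` with its on-disk path and install time, and every executable under `AppCompatFlags\Custom` that has a shim attached. That a stock install has no entries under `InstalledSDB` is an assumption worth confirming against your own golden image.

```powershell
# Added example (not from the original post): inventory custom application compatibility databases.
$AppCompat = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags'

function Get-InstalledShimDatabases {
    Get-ChildItem "$AppCompat\InstalledSDB" -ErrorAction SilentlyContinue | ForEach-Object {
        $props   = Get-ItemProperty $_.PSPath
        $sdbPath = [Environment]::ExpandEnvironmentVariables([string]$props.DatabasePath)
        [pscustomobject]@{
            DatabaseId  = $_.PSChildName
            Description = $props.DatabaseDescription
            Path        = $sdbPath
            # DatabaseInstallTimeStamp is a REG_QWORD FILETIME.
            Installed   = if ($props.DatabaseInstallTimeStamp) { [DateTime]::FromFileTime([long]$props.DatabaseInstallTimeStamp) } else { $null }
            FileExists  = [bool]$sdbPath -and (Test-Path -LiteralPath $sdbPath)
        }
    }
}

function Get-ShimmedExecutables {
    Get-ChildItem "$AppCompat\Custom" -ErrorAction SilentlyContinue | ForEach-Object {
        $exe = $_.PSChildName
        # Each value under Custom\<exe> is named after the .sdb that applies to that executable.
        (Get-ItemProperty $_.PSPath).PSObject.Properties |
            Where-Object { $_.Name -like '*.sdb' } |
            ForEach-Object { [pscustomobject]@{ Executable = $exe; Database = $_.Name } }
    }
}

# Usage: join the two views to see which program each installed database targets.
Get-InstalledShimDatabases | Format-Table DatabaseId, Description, Path, Installed -AutoSize
Get-ShimmedExecutables    | Format-Table -AutoSize
```

The DLL-injection fix shown in the screenshot would appear here as a database whose `Custom` entry names the browser executable; the install timestamp tells you when it arrived, which is usually the fastest way to correlate it with other activity on the host.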

Bootkits 

Although the bootkits shown here can end up in the Drivers section of Autoruns (as they might need a driver at the end of the day), I still think they deserve a separate section.

MBR - Master boot record

Malware can overwrite the Master Boot Record, start the boot process with its own code, and then hand over to the original boot code. It is common for rootkits to fake the contents of the MBR and show the original contents to the running OS. To detect this, one can attach the infected HDD to a clean system and compare the first 512 bytes (or more in some cases) with a known clean state, or with the contents shown from the infected OS. Secure Boot can be used to prevent malware infections like this.
There is a slight difference when the MBR is viewed from the infected OS vs. a clean OS

VBR - Volume boot record

This is the next logical step where malware can start its code, and some malware/rootkits prefer to hide their startup code here. Check GrayFish for details. Secure Boot can be used to prevent malware infections like this.
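The comparison described in the MBR section, extended to the VBR, as an added example that is not part of the original post. It works on raw sector dumps (for instance dd-style images of the suspect disk, one taken from a clean system and one captured from the running OS), parses the MBR partition table and boot signature, hashes the bootstrap code region, and lists every byte that differs between two dumps. The VBR of a partition is read by passing that partition's starting LBA as `-Sector`. The file names in the usage lines are placeholders.

```powershell
# Added example (not from the original post): parse and diff boot sectors from raw image files.
# The sector size default of 512 is an assumption; 4Kn disks need -Size 4096.
function Read-Sector {
    param([Parameter(Mandatory)][string]$Path, [long]$Sector = 0, [int]$Size = 512)
    $full   = Convert-Path -LiteralPath $Path
    $stream = [System.IO.FileStream]::new($full, 'Open', 'Read', 'ReadWrite')
    try {
        $stream.Position = $Sector * $Size
        $buffer = New-Object byte[] $Size
        $read   = $stream.Read($buffer, 0, $Size)
        if ($read -ne $Size) { throw "short read at sector ${Sector}: got $read of $Size bytes" }
        return $buffer
    } finally { $stream.Dispose() }
}

function Get-MbrSummary {
    param([Parameter(Mandatory)][byte[]]$Mbr)
    # Layout: bytes 0..439 bootstrap code, 440..445 disk signature, 446..509 four 16-byte
    # partition entries, 510..511 the 0x55AA boot signature.
    $sha256   = [System.Security.Cryptography.SHA256]::Create()
    $codeHash = ($sha256.ComputeHash($Mbr, 0, 440) | ForEach-Object { $_.ToString('x2') }) -join ''
    $partitions = for ($i = 0; $i -lt 4; $i++) {
        $off = 446 + 16 * $i
        if ($Mbr[$off + 4] -eq 0) { continue }    # partition type 0x00 = unused slot
        [pscustomobject]@{
            Index    = $i
            Bootable = (($Mbr[$off] -band 0x80) -ne 0)
            Type     = '0x{0:X2}' -f $Mbr[$off + 4]
            StartLba = [BitConverter]::ToUInt32($Mbr, $off + 8)
            Sectors  = [BitConverter]::ToUInt32($Mbr, $off + 12)
        }
    }
    [pscustomobject]@{
        BootCodeSha256 = $codeHash
        SignatureOk    = ($Mbr[510] -eq 0x55 -and $Mbr[511] -eq 0xAA)
        Partitions     = @($partitions)
    }
}

function Compare-BootSector {
    param([Parameter(Mandatory)][byte[]]$Reference, [Parameter(Mandatory)][byte[]]$Candidate)
    if ($Reference.Length -ne $Candidate.Length) { throw 'sector dumps differ in length' }
    # A rootkit that hides its MBR from the live OS shows up as a difference between the live
    # view and the offline dump, not as an obviously malformed sector, so report every offset.
    0..($Reference.Length - 1) | Where-Object { $Reference[$_] -ne $Candidate[$_] } | ForEach-Object {
        [pscustomobject]@{
            Offset    = '0x{0:X3}' -f $_
            Reference = '0x{0:X2}' -f $Reference[$_]
            Candidate = '0x{0:X2}' -f $Candidate[$_]
        }
    }
}

# Usage (file names are placeholders):
#   $clean = Read-Sector .\mbr_offline.bin; $live = Read-Sector .\mbr_live_os.bin
#   Get-MbrSummary $clean
#   Compare-BootSector -Reference $clean -Candidate $live
#   $vbr = Read-Sector .\disk.img -Sector (Get-MbrSummary $clean).Partitions[0].StartLba
```

Keep the `BootCodeSha256` of each model's known-good MBR and VBR in your baseline; a changed hash with an unchanged partition table is the pattern the screenshot above illustrates. Reading the live device itself requires a disk-imaging tool with raw device access, which is outside this snippet.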

BIOS/UEFI malware

Both the old BIOS and the new UEFI can be modified in a way that malware starts even before the OS has had a chance to run. Although UEFI was meant to be more secure than BIOS, implementation and design errors happen. Check the Computrace anti-theft rootkit for details.

Hypervisor - Ring -1 rootkit

This one is somewhat special. I believe that although a rootkit can run in this layer, it can't persist only in this layer on an average physical machine, because it won't survive a reboot (see Rutkowska's presentation from 2006). But because the hypervisor can intercept the restart event, it can write itself into one of the other layers (e.g. install a common kernel driver), and simply delete that component again once it is fully functional after the reboot. Update: there is a good paper from Igor Korkin about hypervisor detection here.

SMM (System Management Mode) malware - Ring -2 rootkit

Somewhat related to the previous type of attack, but not many people know that System Management Mode can be used to inject code into the OS. Check the DEITYBOUNCE malware for more details ;) Also, abusing Intel Dual Monitor Mode (DMM), which basically monitors SMM, can lead to untrusted code execution.

Intel® Active Management Technology - Ring -3 rootkit

According to Wikipedia, "Intel Active Management Technology (AMT) is hardware and firmware technology for remote out-of-band management of personal computers, in order to monitor, maintain, update, upgrade, and repair them". You might ask, what could possibly go wrong? See Alexander Tereshkin's and Rafal Wojtczuk's great research on this, or Vassilios Ververis' thesis about AMT.
As not many people click on links, let me quote the scary stuff about AMT:
  • Independent of the main CPU
  • Can access host memory via DMA (with restrictions)
  • Dedicated link to NIC, and its filtering capabilities
  • Can force host OS to reboot at any time (and boot the system from the emulated CDROM)
  • Active even in S3 sleep!

Other stuff

Create new user, update existing user, hidden admins

Sometimes one does not even have to add malicious code to the system, as valid user credentials are more than enough. Either existing users can be used for this purpose, or new ones can be created. E.g. a good trick is to use the Support account with RID 500 - see here, and the Metasploit tool here.
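Account-based persistence is found by looking at identities rather than binaries, which the following added example (not code from the original post) does with the LocalAccounts cmdlets (PowerShell 5.1 and later). It reports the RID 500 account regardless of what it is currently named, local Administrators membership, and accounts hidden from the logon screen through the `Winlogon\SpecialAccounts\UserList` key.

```powershell
# Added example (not from the original post): local account review for renamed built-in admins,
# extra administrators and accounts hidden from the logon screen.
function Get-LocalAccountFindings {
    $userList = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList'
    $psMeta   = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'
    $hidden   = @()
    if (Test-Path $userList) {
        # A DWORD value of 0 named after an account removes it from the logon screen.
        $hidden = (Get-ItemProperty $userList).PSObject.Properties |
            Where-Object { $_.Name -notin $psMeta -and $_.Value -eq 0 } |
            ForEach-Object { $_.Name }
    }
    $adminSids = Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue | ForEach-Object { $_.SID.Value }

    Get-LocalUser | ForEach-Object {
        $rid = [int]($_.SID.Value -split '-')[-1]
        [pscustomobject]@{
            Name            = $_.Name
            Rid             = $rid
            Enabled         = $_.Enabled
            IsBuiltinAdmin  = ($rid -eq 500)               # the built-in Administrator keeps RID 500 even when renamed
            IsLocalAdmin    = ($adminSids -contains $_.SID.Value)
            HiddenAtLogon   = ($hidden -contains $_.Name)
            PasswordLastSet = $_.PasswordLastSet
            LastLogon       = $_.LastLogon
        }
    }
}

# Usage: a RID 500 account that is not called Administrator (the "Support" trick above), or any
# administrator that is hidden from the logon screen, is what to escalate.
Get-LocalAccountFindings |
    Where-Object { $_.HiddenAtLogon -or ($_.IsBuiltinAdmin -and $_.Name -ne 'Administrator') -or $_.IsLocalAdmin } |
    Format-Table Name, Rid, Enabled, IsBuiltinAdmin, IsLocalAdmin, HiddenAtLogon, PasswordLastSet -AutoSize
```

Because a hidden account never appears in the interactive logon UI, compare this output with what the help desk expects on the box; `PasswordLastSet` on an account nobody remembers creating is usually the first clue.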

Esoteric firmware malware

Almost any component in the computer runs firmware, and by replacing the firmware with a malicious one, it is possible to start the malware from there. E.g. HDD firmware (see GrayFish again), graphics card, etc.

Hidden boot device

Malware can hide in one of the boot devices which are checked before the regular OS is loaded; once the malware is running, it can load the victim OS.

Network-level backdoor

Think about the following scenario: every time the OS boots, it loads additional data from the network. It can check for new software updates, configuration updates, etc. Whenever a vulnerable software or configuration update is fetched, the malware injects itself into the response and gets executed. I know, this level of persistence is not foolproof, but it is still possible. Think about the recently discovered GPO MiTM attack, the Evilgrade tool, or even the Xensploit tool when we are talking about VM migration.

Software vulnerability

Almost any kind of software vulnerability can be used as a persistent backdoor, especially if the vulnerability can be reached remotely via the network without any user interaction. Good old MS08-067...

Hardware malware, built into the chipset

I am not sure what to write here. Ask your local spy agency for further information. Good luck finding those!

More links

Tools I highly recommend:
For more information, check this blog post, part 1, part 2

Update 2017-04-29: A very nice list of Office persistence: https://labs.mwrinfosecurity.com/blog/add-in-opportunities-for-office-persistence/

Update 2017-10-23: Persistence via Security Descriptors and ACLs: https://www.youtube.com/watch?v=SeR4QJbaNRg

Update 2018-07-25: Backdooring LAPS: https://rastamouse.me/2018/03/laps---part-1/ and https://rastamouse.me/2018/03/laps---part-2/

I would like to thank Gabor Pek from CrySyS Lab for reviewing and completing this post.
