Think you’ve completely removed all traces of that malware that infected one of your organization’s computers? Maybe not. Many types of malicious software leave behind small but important configuration changes that let them reinfect the machine later, and these changes can be very hard to detect. This series of articles on the SANS Internet Storm Center (ISC) site shows how several of those persistence mechanisms work.
Four parts have been published:
https://isc.sans.edu/diary/Wipe+the+drive+Stealthy+Malware+Persistence+Mechanism+-+Part+1/15394
https://isc.sans.edu/diary/Wipe+the+drive+Stealthy+Malware+Persistence+-+Part+2/15406
https://isc.sans.edu/diary/Wipe+the+drive!++Stealthy+Malware+Persistence+-+Part+3/15448
https://isc.sans.edu/diary/Wipe+the+drive%21++Stealthy+Malware+Persistence+-+Part+4/15460