While looking through RSA's Blueprint report, I noticed that it advises security teams to look through user profile directories for what they call "atypical location" installs. What do they mean by atypical locations, and why are malware authors presumably taking advantage of user profile directories for their malicious activities?
A common approach for unsophisticated malware authors is to borrow techniques from more sophisticated attackers and incorporate them into their own attacks. Atypical location installs have been used by sophisticated attackers since at least 1995. Creating a directory that nobody knows about or can easily find has proven very useful for slowing down enterprise incident detection and response.
Over time, atypical location installs have shifted from using special characters in directory names, file system slack space or NTFS alternate data streams (ADS) to hiding in plain sight in the user's profile directory. Data tucked into slack space is invisible to an ordinary scan of the file system, and an ADS does not show up in a normal directory listing, so both slack space and alternate data streams must be examined forensically, with tools that read unallocated space or enumerate streams, to find hidden data.
The fact that 67% of the cyberattacks sampled in RSA's Blueprint report used atypical location installs in the user's profile directory is most likely explained by the privilege level of the user logged in at the time the malware was installed. A logged-in user without administrator rights can write to their own profile but not to Program Files or the Windows directory, so malware authors simply rely on the default Windows environment variable %USERPROFILE% (and the %APPDATA%, %LOCALAPPDATA% and %TEMP% paths beneath it) rather than needing elevated rights to pick a location. The profile also offers cover. A new top-level directory on the system drive, such as C:\malwarehere, would be obvious and call attention to itself, but a directory named "Adobe" under the user's profile, filled with legitimate-looking file names, hides the malware in plain sight among the per-user data that real applications leave there.
Detecting malware that hides in plain sight means inventorying every executable on the file system, with particular attention to those under user profiles, and then checking the less visible storage areas, such as slack space and NTFS alternate data streams, for content that should not be there. Also keep an eye out for new partitions or volumes appearing on a storage device; that too can be a sign of malware trying to stay out of view.
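The following PowerShell script is an added example for the detection steps above; it is not part of the original column or of RSA's report. It walks every profile under C:\Users, lists executables and scripts that sit outside an illustrative allow-list of expected per-user install paths, checks each for a valid Authenticode signature, enumerates any NTFS alternate data streams attached to it, and finally lists autorun registry values whose command points back into a user profile. The allow-list, extension list and autorun key set are assumptions to tune against a known-clean baseline of your own fleet, and the script assumes an elevated PowerShell 5.1 or later prompt so that every profile is readable.

```powershell
# Added example (not from the original column): hunt for executables and
# scripts living under user profile directories, check their Authenticode
# signatures, enumerate NTFS alternate data streams on them, and list
# autorun entries that resolve into a profile.
# Assumptions: run elevated on PowerShell 5.1+; the allow-list and extension
# list below are illustrative and must be tuned to your own baseline.

$ProfileRoot = Join-Path $env:SystemDrive 'Users'
$Extensions  = @('.exe', '.dll', '.scr', '.com', '.ps1', '.vbs', '.js', '.hta')

# Profile subpaths where per-user installs are expected on a typical build
# (assumed allow-list). Anything else is reported as an atypical location.
$ExpectedSubpaths = @(
    'AppData\Local\Microsoft\OneDrive',
    'AppData\Local\Microsoft\Teams',
    'AppData\Local\Google\Chrome\Application',
    'AppData\Local\Programs'
)

function Test-ExpectedLocation {
    param([string]$FullName)
    # Strip "C:\Users\<name>\" so the allow-list is independent of the user name.
    $relative = $FullName -replace '^[A-Za-z]:\\Users\\[^\\]+\\', ''
    foreach ($prefix in $ExpectedSubpaths) {
        if ($relative.StartsWith($prefix, [StringComparison]::OrdinalIgnoreCase)) { return $true }
    }
    return $false
}

function Get-ProfileExecutableFindings {
    Get-ChildItem -Path $ProfileRoot -Recurse -Force -File -ErrorAction SilentlyContinue |
        Where-Object { $Extensions -contains $_.Extension.ToLower() } |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName -ErrorAction SilentlyContinue
            # Every NTFS file has the unnamed ':$DATA' stream; anything else is an ADS.
            $ads = Get-Item -Path $_.FullName -Stream * -ErrorAction SilentlyContinue |
                   Where-Object { $_.Stream -ne ':$DATA' } |
                   Select-Object -ExpandProperty Stream
            [PSCustomObject]@{
                Path             = $_.FullName
                SizeKB           = [math]::Round($_.Length / 1KB, 1)
                Created          = $_.CreationTime
                ExpectedLocation = Test-ExpectedLocation $_.FullName
                SignatureStatus  = if ($sig) { $sig.Status.ToString() } else { 'Unknown' }
                Signer           = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
                AlternateStreams = ($ads -join ';')
            }
        }
}

function Get-ProfileAutorunEntries {
    # Autorun values whose command resolves into a user profile deserve a look:
    # that is where a non-admin installer has to put its payload.
    $keys = @(
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    $profilePattern = '(?i)(\\Users\\|%(USERPROFILE|APPDATA|LOCALAPPDATA|TEMP|TMP)%)'
    foreach ($key in $keys) {
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if (-not $props) { continue }
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # skip PSPath, PSParentPath and friends
            if ($p.Value -match $profilePattern) {
                [PSCustomObject]@{ Key = $key; Name = $p.Name; Command = $p.Value }
            }
        }
    }
}

# Report: files outside expected paths, without a valid signature, or carrying
# an ADS come first; autorun entries pointing into a profile follow.
$findings = Get-ProfileExecutableFindings
$findings |
    Where-Object { -not $_.ExpectedLocation -or $_.SignatureStatus -ne 'Valid' -or $_.AlternateStreams } |
    Sort-Object ExpectedLocation, SignatureStatus, Path |
    Format-Table Path, SignatureStatus, Signer, AlternateStreams, Created -AutoSize

Get-ProfileAutorunEntries | Format-Table -AutoSize
```

A Zone.Identifier stream is the normal mark-of-the-web that browsers add to downloads, so its presence is not itself suspicious, though it does tell you the file arrived from the internet; any other named stream on an executable warrants a closer look. Expect noise from AppData\Local\Temp and per-user updaters on a first run, and extend the allow-list from a clean reference machine rather than from the host under investigation.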