While looking through RSA's Blueprint report, I noticed that it advises security teams to look through user profile...
By submitting your email address, you agree to receive emails regarding relevant topic offers from TechTarget and its partners. You can withdraw your consent at any time. Contact TechTarget at 275 Grove Street, Newton, MA.
directories for what they call "atypical location" installs. What do they mean by atypical locations, and why are malware authors presumably taking advantage of user profile directories for their malicious activities?
Ask the expert
Have questions about enterprise threats for expert Nick Lewis? Send them via email today! (All questions are anonymous.)
A common approach for unsophisticated malware authors is to take advantage of techniques used by more sophisticated hacks and incorporate them into their own attacks. Atypical location installs have been leveraged by sophisticated attackers since at least 1995. The technique of creating a directory no one knows about or can find has proven itself quite useful for slowing enterprise incident detection and response.
Over time, atypical location installs have changed from using special characters in directory names, slack space or being stored in alternate data streams (ADS) on NT File Systems (NTFS) to hiding in plain sight in the user's profile directory. Since unexpected data in slack space and alternative data steams cannot be found by just scanning the file system of a compromised computer, both the slack space and ADS must be examined forensically for "hiding" data.
The fact that 67% of the cyberattacks sampled in RSA's Blueprint report are using atypical location installs in the user's profile directory could be attributed to the privilege level of the user logged in at the time of malware installation. Since logged in users (if not an administrator) can only write to their profile, malware authors have much more flexibility when deciding where to store their files -- they can just use the default environment variable on Windows of %userprofile%. If malware just created a new top-level directory on the root file system, such as C:\malwarehere, it would be very obvious and call attention to itself. However, a directory named "Adobe" in the user's profile directory with legitimate-looking file names helps hide malware in plain sight.
Detecting malware hiding in plain sight requires checking all files on a file system and examining a system for uncommon access to a storage system such as slack space or ADS on NTFS file systems. Be sure to keep an eye out for new partitions being created on a storage system -- this might also be a sign of malware trying to hide in plain sight.
Dig Deeper on Malware, Viruses, Trojans and Spyware
Related Q&A from Nick Lewis
The new Trochilus RAT can avoid detection in cyberespionage attacks. Expert Nick Lewis explains how it works, and if enterprises need to adapt their ...continue reading
The Asacub Trojan has new banking malware features. Expert Nick Lewis explains how it made this transition and what enterprises should be watching ...continue reading
BlackEnergy malware may have been part of the attacks on Ukrainian utility and media companies. Expert Nick Lewis explains how this malware works and...continue reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.