While looking through RSA's Blueprint report, I noticed that it advises security teams to look through user profile...
By submitting your personal information, you agree that TechTarget and its partners may contact you regarding relevant content, products and special offers.
directories for what they call "atypical location" installs. What do they mean by atypical locations, and why are malware authors presumably taking advantage of user profile directories for their malicious activities?
Ask the expert
Have questions about enterprise threats for expert Nick Lewis? Send them via email today! (All questions are anonymous.)
A common approach for unsophisticated malware authors is to take advantage of techniques used by more sophisticated hacks and incorporate them into their own attacks. Atypical location installs have been leveraged by sophisticated attackers since at least 1995. The technique of creating a directory no one knows about or can find has proven itself quite useful for slowing enterprise incident detection and response.
Over time, atypical location installs have changed from using special characters in directory names, slack space or being stored in alternate data streams (ADS) on NT File Systems (NTFS) to hiding in plain sight in the user's profile directory. Since unexpected data in slack space and alternative data steams cannot be found by just scanning the file system of a compromised computer, both the slack space and ADS must be examined forensically for "hiding" data.
The fact that 67% of the cyberattacks sampled in RSA's Blueprint report are using atypical location installs in the user's profile directory could be attributed to the privilege level of the user logged in at the time of malware installation. Since logged in users (if not an administrator) can only write to their profile, malware authors have much more flexibility when deciding where to store their files -- they can just use the default environment variable on Windows of %userprofile%. If malware just created a new top-level directory on the root file system, such as C:\malwarehere, it would be very obvious and call attention to itself. However, a directory named "Adobe" in the user's profile directory with legitimate-looking file names helps hide malware in plain sight.
Detecting malware hiding in plain sight requires checking all files on a file system and examining a system for uncommon access to a storage system such as slack space or ADS on NTFS file systems. Be sure to keep an eye out for new partitions being created on a storage system -- this might also be a sign of malware trying to hide in plain sight.
Dig Deeper on Malware, virus, Trojan and spyware protection and removal
Related Q&A from Nick Lewis
A revamped Poison Ivy RAT campaign has been using new evasion and distribution techniques. Expert Nick Lewis explains the new attack methods that ...continue reading
Fileless malware hidden in server memory led to attacks on many companies worldwide. Expert Nick Lewis explains how these attacks fit in with the ...continue reading
Vulnerabilities in Java and Python have opened them up to possible FTP injections. Expert Nick Lewis explains how enterprises can mitigate these ...continue reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.