While looking through RSA's Blueprint report, I noticed that it advises security teams to look through user profile...
directories for what they call "atypical location" installs. What do they mean by atypical locations, and why are malware authors presumably taking advantage of user profile directories for their malicious activities?
Ask the expert
Have questions about enterprise threats for expert Nick Lewis? Send them via email today! (All questions are anonymous.)
A common approach for unsophisticated malware authors is to take advantage of techniques used by more sophisticated hacks and incorporate them into their own attacks. Atypical location installs have been leveraged by sophisticated attackers since at least 1995. The technique of creating a directory no one knows about or can find has proven itself quite useful for slowing enterprise incident detection and response.
Over time, atypical location installs have changed from using special characters in directory names, slack space or being stored in alternate data streams (ADS) on NT File Systems (NTFS) to hiding in plain sight in the user's profile directory. Since unexpected data in slack space and alternative data steams cannot be found by just scanning the file system of a compromised computer, both the slack space and ADS must be examined forensically for "hiding" data.
The fact that 67% of the cyberattacks sampled in RSA's Blueprint report are using atypical location installs in the user's profile directory could be attributed to the privilege level of the user logged in at the time of malware installation. Since logged in users (if not an administrator) can only write to their profile, malware authors have much more flexibility when deciding where to store their files -- they can just use the default environment variable on Windows of %userprofile%. If malware just created a new top-level directory on the root file system, such as C:\malwarehere, it would be very obvious and call attention to itself. However, a directory named "Adobe" in the user's profile directory with legitimate-looking file names helps hide malware in plain sight.
Detecting malware hiding in plain sight requires checking all files on a file system and examining a system for uncommon access to a storage system such as slack space or ADS on NTFS file systems. Be sure to keep an eye out for new partitions being created on a storage system -- this might also be a sign of malware trying to hide in plain sight.
Related Q&A from Nick Lewis, Enterprise Threats
Chameleon malware targets insecure wireless access points. Enterprise threats expert Nick Lewis explains how to defend against the malware.continue reading
The Zeus malware is threatening RTF security by embedding itself in the file, which is commonly seen as safer than other file formats such as PDFs. ...continue reading
Enterprise threats expert Nick Lewis explains how to detect and avoid one of the most advanced malware threats: The Mask.continue reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.