Get started Bring yourself up to speed with our introductory content.

Malware detection in the user profile directory

Looking for malware on an infected machine? Start in the user profile directory. Expert Nick Lewis explains how.

While looking through RSA's Blueprint report, I noticed that it advises security teams to look through user profile directories for what they call "atypical location" installs. What do they mean by atypical locations, and why are malware authors presumably taking advantage of user profile directories for their malicious activities?

Ask the expert

Have questions about enterprise threats for expert Nick Lewis? Send them via email today! (All questions are anonymous.)

A common approach for unsophisticated malware authors is to take advantage of techniques used by more sophisticated hacks and incorporate them into their own attacks. Atypical location installs have been leveraged by sophisticated attackers since at least 1995. The technique of creating a directory no one knows about or can find has proven itself quite useful for slowing enterprise incident detection and response.

Over time, atypical location installs have changed from using special characters in directory names, slack space or being stored in alternate data streams (ADS) on NT File Systems (NTFS) to hiding in plain sight in the user's profile directory. Since unexpected data in slack space and alternative data steams cannot be found by just scanning the file system of a compromised computer, both the slack space and ADS must be examined forensically for "hiding" data.

The fact that 67% of the cyberattacks sampled in RSA's Blueprint report are using atypical location installs in the user's profile directory could be attributed to the privilege level of the user logged in at the time of malware installation. Since logged in users (if not an administrator) can only write to their profile, malware authors have much more flexibility when deciding where to store their files -- they can just use the default environment variable on Windows of %userprofile%. If malware just created a new top-level directory on the root file system, such as C:\malwarehere, it would be very obvious and call attention to itself. However, a directory named "Adobe" in the user's profile directory with legitimate-looking file names helps hide malware in plain sight.

Detecting malware hiding in plain sight requires checking all files on a file system and examining a system for uncommon access to a storage system such as slack space or ADS on NTFS file systems. Be sure to keep an eye out for new partitions being created on a storage system -- this might also be a sign of malware trying to hide in plain sight.

This was last published in March 2014

Dig Deeper on Malware, virus, Trojan and spyware protection and removal

Have a question for an expert?

Please add a title for your question

Get answers from a TechTarget expert on whatever's puzzling you.

You will be able to add details on the next page.

Join the conversation


Send me notifications when other members comment.

Please create a username to comment.

Officer are on LinkedIn
If malware just created a new top-level directory on the root file system such as C:\malwarehere, it would be very obvious and call attention to itself