Malicious code falls into two types: code that executes immediately to carry out its purpose, and code that stays resident for a long time, hidden, to monitor the system or to move on to other systems. In the first case the code can remove its traces with methods such as self-deletion after execution; in the second case it must stay hidden as well as possible until the objective is achieved.
Malware in Windows OS
Malware targeted at a specific organization is difficult to detect with that organization's security systems, because it is built from reconnaissance gathered in advance, or because the downloader fetches a payload tailored to the target. However, even after the initial intrusion into the internal network, the attacker has to keep attacking to reach further goals (harvesting personal information, stealing confidential data, distributing more malicious code, and so on). These secondary attacks take anywhere from one or two weeks to several months, depending on the organization's internal security policy and network layout. As a result, even the tailored malicious code becomes more likely to be detected as time passes.
The most common ways an attacker hides malicious code are rootkit techniques, slack space, attribute changes, file-name changes, and placing the files in folders that users rarely open. Because nobody touches the files in such folders, they seldom trigger the on-access scanning of AV products, so the risk of detection is lower unless a close inspection is performed. Of course, tailored malicious code is hard to detect even under close inspection.
Below are the paths where malicious code is frequently located. They should be examined first when checking a system for malicious code. Some of them should also be added to monitoring, because the mere presence of a file in them is enough to indicate malicious code.
Malware Indicators of Compromise
# System Folder
The system folder is where the main Windows system files are located. To hide among them, malicious code takes a file name similar to that of a real system file, or uses a genuine system file name in a different path. Frequently used paths are as follows.
%SystemRoot%\
%SystemRoot%\system\
%SystemRoot%\system32\
%SystemRoot%\system32\dllcache
%SystemRoot%\system32\drivers
%SystemRoot%\SysWOW64\
%SystemRoot%\SysWOW64\dllcache
%SystemRoot%\SysWOW64\drivers
SysWOW64 exists only on 64-bit systems, for compatibility with 32-bit programs. On a 64-bit system the 64-bit system files are located in "%SystemRoot%\system32\" and the 32-bit system files in "%SystemRoot%\SysWOW64\", so both folders must be examined.
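As an added example, not code from the article, the following Python checks a process image path for the two disguises this section describes: a genuine system-binary name running from somewhere other than its home folder (path changed), and a file name one edit or transposition away from a real one (name changed). It assumes %SystemRoot% is C:\Windows, uses a small, non-exhaustive table of core binaries and their home folders, and the process-creation events it runs over are constructed for the example.

```python
import ntpath

# Where the genuine copy of each core binary lives. Assumes %SystemRoot% is
# C:\Windows; the table is deliberately small and should be extended for real use.
EXPECTED_HOME = {
    "svchost.exe":  {r"c:\windows\system32", r"c:\windows\syswow64"},
    "lsass.exe":    {r"c:\windows\system32"},
    "csrss.exe":    {r"c:\windows\system32"},
    "smss.exe":     {r"c:\windows\system32"},
    "wininit.exe":  {r"c:\windows\system32"},
    "winlogon.exe": {r"c:\windows\system32"},
    "services.exe": {r"c:\windows\system32"},
    "explorer.exe": {r"c:\windows", r"c:\windows\syswow64"},
}


def osa_distance(a, b):
    """Optimal string alignment distance (edits plus adjacent transpositions),
    so both 'svch0st.exe' and 'scvhost.exe' are one step from 'svchost.exe'."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def check_masquerade(image_path):
    """Classify one image path.

    Returns 'path-mismatch' for a real system-binary name outside its home
    folder, 'look-alike' for a name one step away from a real one, else None.
    """
    directory, name = ntpath.split(image_path.lower())
    directory = directory.rstrip("\\")
    if name in EXPECTED_HOME:
        return None if directory in EXPECTED_HOME[name] else "path-mismatch"
    for known in EXPECTED_HOME:
        if osa_distance(name, known) == 1:
            return "look-alike"
    return None


# Constructed sample of process-creation events (not real telemetry).
SAMPLE_EVENTS = [
    {"pid": 612,  "image": r"C:\Windows\System32\svchost.exe"},
    {"pid": 4120, "image": r"C:\Users\Public\svchost.exe"},
    {"pid": 4388, "image": r"C:\Windows\System32\svch0st.exe"},
    {"pid": 5004, "image": r"C:\Windows\scvhost.exe"},
    {"pid": 2212, "image": r"C:\Windows\explorer.exe"},
    {"pid": 7760, "image": r"C:\Program Files\Vendor\updater.exe"},
]


def triage(events):
    """Return (pid, verdict, image) for every event whose image looks disguised."""
    findings = []
    for ev in events:
        verdict = check_masquerade(ev["image"])
        if verdict:
            findings.append((ev["pid"], verdict, ev["image"]))
    return findings


if __name__ == "__main__":
    for pid, verdict, image in triage(SAMPLE_EVENTS):
        print(f"{pid:>5}  {verdict:<14} {image}")
```

The name table is the part that matters: a real copy of explorer.exe belongs in %SystemRoot%, so the same name found in system32 is reported as a path mismatch, and the distance check catches digit-for-letter swaps and transposed letters that a plain string comparison would miss.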
# User default folders
Since Windows Vista, user home folders are located under "%SystemDrive%\Users\". Besides each user's home folder, this folder contains the default folders "Public" and "Default". "Public" holds files shared by all users (shared pictures, videos, and so on); "Default" holds the initial profile that is copied when a new user account is created. Users rarely open these folders directly, so attackers often use them for concealment. Moreover, malicious code placed in "Default" is copied automatically into every new user profile that is created.
%SystemDrive%\Users\Public\ (%Public%)
%SystemDrive%\Users\Default\
# User data folder
The folder in which each user's application data is stored is a hidden folder, so it is only visible once the folder view options are changed to show hidden items. Because users rarely work in it, this path is often used to hide malicious code.
%UserProfile%\AppData\
%UserProfile%\AppData\Local\ (%LocalAppData%)
%UserProfile%\AppData\LocalLow\
%UserProfile%\AppData\Roaming\ (%AppData%)
%SystemDrive%\ProgramData\ (%AllUsersProfile%)
# Trash folder
The Recycle Bin folder in Windows is protected by the operating system (hidden and marked as a system folder), so it only becomes visible once the folder view options are changed to show protected operating system files. Under it there is one subfolder per user SID, and each user's deleted files are kept in that SID folder; the Recycle Bin shown on the desktop displays the contents of the logged-in user's SID folder. Malicious code is frequently hidden at the same level as these SID subfolders, that is, directly under the Recycle Bin folder.
%SystemDrive%\$Recycle.Bin\
# System Volume Information Folder
The System Volume Information folder, where system restore points and volume shadow copies are stored, is protected by the operating system. Changing the folder view options makes the folder itself visible but not its contents; to list the contents, the folder's access permissions have to be changed. Malicious code can therefore stay concealed there safely for a long time, and because some security solutions cannot scan this folder and its subfolders for the same reason, malicious code often takes advantage of it.
%SystemDrive%\System Volume Information\
# Temporary folder
The temporary folder is less a place an attacker deliberately chooses than a path that malicious code ends up in automatically, either because it is injected into the system through an exploit or because a dropper writes it there.
%UserProfile%\AppData\Local\Temp (%Temp%)
%SystemRoot%\Temp\
%LocalAppData%\Microsoft\Windows\Temporary Internet Files\
# Web browser download path
The web browser's default download path, the ActiveX cache path and the Java applet cache are also likely places for malicious code downloaded through a web browser to land.
%UserProfile%\Downloads
%UserProfile%\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\
%SystemRoot%\Downloaded Program Files\ (ActiveX)
# Known Folders
Some folders exist on every PC in an organization, because organizations deploy standard PCs with a common software specification (here the Intel folder, and the HNC and JungUmData folders created by office software commonly installed in Korean organizations). These folders are often used in attacks against a specific organization.
%SystemDrive%\Intel
%SystemDrive%\HNC
%SystemDrive%\JungUmData
# Other folders
In addition to the folders above, malicious code is often found in the following paths.
%AppData%\Microsoft\Windows\Start Menu\Programs\Startup
%SystemDrive%\Program Files\Common Files\ (%CommonProgramFiles%)
%SystemDrive%\Program Files (x86)\Common Files\ (%CommonProgramFiles(x86)%)
An attacker can change the location of the malicious code at any time, so the paths above should be used as reference indicators rather than absolute ones. When an infected system in an organization is analyzed, the specific folder the malicious code used for concealment can itself be used as an indicator of compromise to find further infected systems.
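As an added example, not code from the article, the following Python turns the path list above into a lookup that can be run over file paths collected from several hosts and reports which of the listed hiding places each path falls in, so that a folder seen on one infected machine can be searched for on the others. It assumes the default Windows locations for %SystemDrive%, %SystemRoot%, %ProgramData% and %Public%, treats %UserProfile% as any account folder under C:\Users, and applies the Recycle Bin rule from the text: an item beside the per-user SID folders, or an item inside one that is not a normal $I/$R deleted entry, is flagged, while a genuine deleted file is not. The broad folders (%SystemRoot%, system32 and SysWOW64 themselves) are left out of the lookup because every legitimate binary would match them. The host and path records are constructed for the example.

```python
import re

# Environment values assumed for the example (Windows defaults); in practice take
# them from the host or the acquired image.
ENV = {
    "SystemDrive": "C:",
    "SystemRoot": r"C:\Windows",
    "ProgramData": r"C:\ProgramData",
    "Public": r"C:\Users\Public",
}

# Hiding places from the article as (category, pattern), no trailing backslash.
HIDING_PLACES = [
    ("system folder", r"%SystemRoot%\system"),
    ("system folder", r"%SystemRoot%\system32\dllcache"),
    ("system folder", r"%SystemRoot%\system32\drivers"),
    ("system folder", r"%SystemRoot%\SysWOW64\dllcache"),
    ("system folder", r"%SystemRoot%\SysWOW64\drivers"),
    ("user default folder", r"%Public%"),
    ("user default folder", r"%SystemDrive%\Users\Default"),
    ("user data folder", r"%UserProfile%\AppData"),
    ("user data folder", r"%ProgramData%"),
    ("trash folder", r"%SystemDrive%\$Recycle.Bin"),
    ("system volume information", r"%SystemDrive%\System Volume Information"),
    ("temporary folder", r"%UserProfile%\AppData\Local\Temp"),
    ("temporary folder", r"%SystemRoot%\Temp"),
    ("browser download path", r"%UserProfile%\Downloads"),
    ("browser download path", r"%UserProfile%\AppData\LocalLow\Sun\Java\Deployment\cache"),
    ("browser download path", r"%SystemRoot%\Downloaded Program Files"),
    ("known folder", r"%SystemDrive%\Intel"),
    ("known folder", r"%SystemDrive%\HNC"),
    ("known folder", r"%SystemDrive%\JungUmData"),
    ("startup / common files", r"%UserProfile%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"),
    ("startup / common files", r"%SystemDrive%\Program Files\Common Files"),
    ("startup / common files", r"%SystemDrive%\Program Files (x86)\Common Files"),
]


def _to_regex(pattern):
    """Expand %Var% tokens into an anchored, case-insensitive directory-prefix regex.
    %UserProfile% becomes a wildcard over C:\\Users\\<name>; Public and Default are
    excluded from it because they have entries of their own."""
    out = []
    for piece in re.split(r"(%[A-Za-z]+%)", pattern):
        if piece.startswith("%") and piece.endswith("%"):
            var = piece[1:-1]
            if var.lower() == "userprofile":
                out.append(re.escape(ENV["SystemDrive"] + r"\Users")
                           + r"\\(?!(?:Public|Default)\\)[^\\]+")
            else:
                out.append(re.escape(ENV[var]))
        else:
            out.append(re.escape(piece))
    return re.compile("^" + "".join(out) + r"\\", re.IGNORECASE)


_COMPILED = [(cat, pat, _to_regex(pat)) for cat, pat in HIDING_PLACES]
_SID_RE = re.compile(r"^S-1-5-\d+(-\d+)*$", re.IGNORECASE)


def _suspicious_in_recycle_bin(rest):
    """rest is the path below $Recycle.Bin. Genuine deleted items live inside a
    per-user SID folder and are named $I... / $R... (plus desktop.ini)."""
    parts = rest.split("\\")
    if len(parts) == 1 or not _SID_RE.match(parts[0]):
        return True  # sits beside the SID folders, not inside one
    name = parts[-1].lower()
    return not (name.startswith("$i") or name.startswith("$r") or name == "desktop.ini")


def classify(path):
    """Return (category, pattern) for a path in one of the hiding places, else None.
    The most specific (longest) match wins, so a file in %Temp% is reported as
    'temporary folder' rather than 'user data folder'."""
    best = None
    for category, pattern, rx in _COMPILED:
        m = rx.match(path)
        if m and (best is None or m.end() > best[2]):
            best = (category, pattern, m.end())
    if best is None:
        return None
    category, pattern, end = best
    if category == "trash folder" and not _suspicious_in_recycle_bin(path[end:]):
        return None
    return category, pattern


# Constructed file-creation records from several hosts (not real telemetry).
SAMPLE_RECORDS = [
    ("ws-017", r"C:\Users\Public\update.exe"),
    ("ws-017", r"C:\$Recycle.Bin\svchost.exe"),
    ("ws-042", r"C:\$Recycle.Bin\S-1-5-21-1004336348-1177238915-682003330-1001\$RX4K2P1.docx"),
    ("ws-042", r"C:\Users\alice\AppData\Local\Temp\setup.tmp"),
    ("ws-042", r"C:\Windows\System32\svchost.exe"),
    ("ws-088", r"C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ld.lnk"),
]


def triage(records):
    """Return (host, category, path) for every record in a hiding place."""
    return [(host, hit[0], path) for host, path in records if (hit := classify(path))]


if __name__ == "__main__":
    for host, category, path in triage(SAMPLE_RECORDS):
        print(f"{host}  {category:<26} {path}")
```

Once a folder has been confirmed as the hiding place on one machine, the matching pattern is the indicator to sweep for: filter the output of triage() on that category across all hosts rather than on the specific file name, which the attacker can change at will.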