Tag Archive | malware storage

Drop By @ AppData’s – Open Round the Clock

Malware authors work round the clock to serve up mouth-watering malware to an unsuspecting victim.

What we have on today’s menu is a small but effective tweak that malware authors incorporated into their “software” that makes %AppData% the prime real estate on your system’s hard drive for malware and their families.

The Application Data area of the current user, to be more specific. This is one location on your hard drive that stands exposed to multiple hits of various malware families.Hard drive

For starters let’s look at where this folder is found on your machine. In WinXP it’s at <root>\Documents and settings\%Current_User%\Application Data and<root>\Documents and settings\%Current_User%\Local Settings\Application Data. For Vista and Windows 7 it’s at<root>\Users\<username>\AppData\Roaming and <root>\Users\<username>\AppData\Local. (Please feel free to do a quick check in these areas on your computer to find out if you have something suspicious lurking…)

It wasn’t always this way. It was only recently that most of the file-copy actions moved from the Windows, System32, and Program Files directories to the %AppData% directory.

So, “Why move away from the system areas?”, you might ask. Well, that’s the main course. The basic answer could well be that relatively recent flavours of Windows, i.e. Vista and Windows 7, with their more strengthen security measures, have succeeded to a certain level, in forcing malware authors out of the system areas to the %AppData% areas.

System areas are now protected and require Administrator privileges to effect a modification.  So why worry about putting in extra code when it’s not needed, the malware authors might have thought. Malware families with a legacy, like ZBot, have moved out of the system directories. Yes, gone are the days of %System%\SDRA64.EXE%System%\NTOS.EXE etc. It’s now just random folders and random filenames in the AppData path. Rogue AVs that ‘Installed’ under proper program directories, viz. %Program Files%\Antivirus 2008\Antvrs.exe, have now become ‘xyz123.exe’s in %AppData%.

And, finally, for dessert. We would only say that the system directories haven’t been deserted entirely but have just been relegated to second choice. AppData is the new “system area” for malware authors. Note, under Windows XP you don’t require administrator privileges to copy any file into a system area and masquerade as a system file.


K7 Computing UK | K7 Computing IRL