Tags:

Hive knowledge about malware and strategy of redirecting user profiles to other partitions
October 27, 2009 2:22 PM   Subscribe

Hive knowledge about malware and strategy of redirecting user profiles to other partitions

For years I've used Ghost as a backup to anti-malware programs and uninstallers. If I suspect anything or if I install a program I don't want, I just reimage the C: drive with a known good Ghost image.

I redirected my My Documents and my FF profile to E:, so when C: was reimaged, my data was untouched. So, unless I download an infected file into My Docs, or somehow put an infected file onto my E: drive, the E: should stay clean. It it's been my understanding (maybe I'm wrong) that if I had (argh) opened an infected file that I had accidentally put onto my E:, all the damage/infection would be done to the system partition, leaving my E: untouched. (Of course I'd need to delete the malware installer file from E:)

So the only trouble is, after a reimage, there were always a few little things to be done to put things 100% back in working order. Settings like custom menus in apps, etc; the type of things that are stored in my C: drive user profile under Local Settings or Application Data. Inevitably, as I install more pgms or further tweak the ones I have, the number of little ToDo's after a reimage slowly increases. (I could, and have, made new Ghost images to include the new tweaks, but it gets tiresome)

I was thinking about redirecting my entire user profile folder to E:, so that reimaging C: would require less work. However, I don't want to do this if there is ANY chance a malware would infect/pollute my profile's files and folders. I don't want to invite problems onto my E: drive by way of my user profile folder. I want it to stay sparkling clean.

Do/can malwares infect user's profile files and folders? I want to make as sure as I can that my E: stays uninfected, and all infection would stay on C: and away from my cherished E: drive. ;)

Thank you.
posted by atm to computers & internet (23 answers total)
 
Putting files on other drives won't prevent infection. Also moving your profile to your E drive is probably worse, all your downloaded files are going to be sitting on that drive.

Instead of reimaging, you should use a tool like Altiris SVS so you can "try" software while being able to roll back any changes it's made to your system.
posted by wongcorgi at 2:42 PM on October 27, 2009


Thanks.

I know that putting files on another drive won't prevent infection. Of course infections could still happen. I said that above. My question is: would an infection sully my user profile folder?

btw, I prefer my method of "roll-back". The question of which is better has been debated for years. It's personal preference.
posted by atm at 3:02 PM on October 27, 2009


> "Do/can malwares infect user's profile files and folders?"

I'm unable to think of a time (in recent memory.. past 5 to 10 years) when malwares DIDN'T infect a users profile. I mean.. thats pretty much where it always infect.. isn't it?..

I clean about 5 to 10 malware/rootkit type infections a week.. and at a very minimum I'm almost always dealing with the following folders:

C:\Windows\System32
C:\Documents and Settings\ %profile-name% \Local Settings\Temp
C:\Documents and Settings\ %profile-name% \Local Settings\Temporary Internet Files

..and sometimes a few more on top of that... but the folders listed above are very common infection targets.
posted by jmnugent at 3:14 PM on October 27, 2009 [1 favorite]


I don't have much experience dealing with malware, but now that you say that, it rings a bell. Thanks.

I could redirect and put those folders on C:. What if I did that?
posted by atm at 3:25 PM on October 27, 2009


> "I could redirect......"

I guess it all really depends on how well (or not well) the hypothetical malware is coded.

By that I mean:... in order for your apps to work correctly, they (and the OS) have to be aware of any/all redirects you've configured. If hypothetical malware is smart enough to use those same environment variables/paths... then the malware is going to "know" where your redirects point. Unless I'm missing something.
posted by jmnugent at 3:34 PM on October 27, 2009


I see what you're saying, but I wasn't trying to hide the directories from the malware, I just want to keep my E: drive safe and unpolluted.

I think maybe I wasn't specific in my previous comment. I would redirect the Temp and Temporary Internet Files to reside outside my profile folder (which would be on E:) and back to C:, where if they get infected I can just reimage over them. I don't care if I overwrite the data in those.
posted by atm at 3:52 PM on October 27, 2009


Are there other files or folders in user profile folders that can/do get infected by malware?

Also, am I understanding, is my E: safe as I have thought?

Thanks.
posted by atm at 4:34 PM on October 27, 2009


Consider: Malware is going to infect your profile, even though the author of the malware has no idea what your username is. It does this because there is an environment variable set automatically by Windows that represents the location of your user profile. This is necessary for normal functioning. If you move your profile to another drive, this environment variable will point to the new location, and thus will lead malware to the correct folder, even though it's somewhere else.
posted by odinsdream at 4:39 PM on October 27, 2009


odinsdream, as I said, I'm not trying to hide my user profile from malware. I'm only trying to find out if E: can get infected even after I move the Temp and Temporary Internet Files folders to C:.

It is my (possibly incomplete, which is why I'm asking the Hive) understanding that malware only soils system drives and the Temp and Temporary Internet Files folders located in user profiles. The idea I have is to move my profile to E: and then also redirect my profile's Temp and Temporary Internet Files folders (using mklink) to C:. Then if I got malware, I could reimage C: (and delete the malware's installation files from E: if I accidentally put them there) and voila, my machine would be pristine again.

Would this work?

With those folders placed on C:, is there a way the other files/folders on E: can become tainted with malware?

If so, can someone tell me what am I'm missing?
posted by atm at 7:44 PM on October 27, 2009


When I said "redirect my profile's Temp and Temporary Internet Files folders (using mklink) to C:", I probably worded that badly.

I should've said I would place them on C: and, using mklink, make the OS and programs think they're still in their proper place within my profile folders on E:. So even though they actually reside on C:, everything thinks they're right in the normal place within my profile (on E:). Mklink is cool for that.
posted by atm at 7:48 PM on October 27, 2009


There's no definite answer to your question, because it will always depend on 1.) How well the malware was coded.. and 2.) What the malware's payload (goal) is. There is (most likely) some malware out there somewhere that is programed to infect your machine, search for local drives, scan those local drives for files and infect/corrupt/modify certain file types. So while your data on E:\ might be "safe" today, I personally would not count on it being "untouchable". If you are THAT concerned about your data.. I think it would be a faster and better investment of your time to simply run weekly backups and physically disconnect the backup drive after the backup script finishes.
posted by jmnugent at 8:19 PM on October 27, 2009


With those folders placed on C:, is there a way the other files/folders on E: can become tainted with malware?

Yes, absolutely. I am not sure why you're assuming malware is limited to Temp, Temporary Internet Files, and system drives. There's nothing special about the C:\ versus any other drive.

Again, to return to my example... try this from going to Start, then pulling up Run. In the Open box type:

c:\

Hit ok. The result is the C:\, not surprisingly. Now do the desktop:

C:\Documents and Settings\atm\Desktop

Hit ok. You get your desktop. But wait, the path includes your username. Doing this on any other machine wouldn't work, unless the other machine also had the "atm" user set up on it. This is a non-portable way to code your app if you wanted it to do anything useful for more than one computer.

Enter environment variables. Try typing this instead:

%userprofile%\Desktop

You get the same result as the previous step, but you didn't need to know your username.

Want to get the Windows directory? You don't need to know anything about where it's installed. The system already knows this for you:

%windir%

Ultimately, your question is about how to keep your actual data safe. The answer is backups with verified CRCs. If you didn't change something and the CRC did, something is amiss, and you should get the file from the last known good backup.
posted by odinsdream at 12:26 PM on October 28, 2009


Quote:
"Ultimately, your question is about how to keep your actual data safe."

No, that's the question people seem to think I'm asking. The question I am asking is:

what parts of a user profile tend to be INFECTED by malware?

And this isn't the same as: what parts of a user profile folder tend to AFFECTED by malware?
(see my original post for more context)

NOT: can a malware see my user profile if I move it to another partition?
NOT: how should I protect my computer from malware?
NOT: what do I do if I get an infection?

Thanks.
posted by atm at 1:05 PM on October 28, 2009


what parts of a user profile tend to be INFECTED by malware?

All parts. Malware doesn't care what directory it is, it works by attaching to executable files, or to files used by an executable with a known exploit, like PDFs used by certain versions of Adobe Reader.

These assumptions are incorrect:
So, unless I download an infected file into My Docs, or somehow put an infected file onto my E: drive, the E: should stay clean. It it's been my understanding (maybe I'm wrong) that if I had (argh) opened an infected file that I had accidentally put onto my E:, all the damage/infection would be done to the system partition, leaving my E: untouched. (Of course I'd need to delete the malware installer file from E:)
...which led you down the path of moving the entire profile.
posted by odinsdream at 5:28 PM on October 28, 2009


Odin,
Quote: "All parts."
Are you saying that, of all the folders that make up a user profile, you've seen EVERY ONE of them get infected (not: AFFECTED) at one time or another? Even all the folders that ONLY contain settings and config files (like ini files or other non-exe-dll files)?

If so, what defintion are you using for "infected"? So I can make sure I understand you. Please be specific regarding the user config/settings folders (especially).

(If you understood my first post then you know that I'm wanting to put as many user configuration-setting-type files to E: as possible to save work after I reimage C:, so those would be the ones I want most)
posted by atm at 6:35 PM on October 28, 2009


I have no idea what difference you're making between affected and infected. If malware attaches to your PDFs, but otherwise leaves them readable, what would you call that? I'd call that "undesirable."

All parts meaning it doesn't matter if the file is in C:\Documents and Settings\atm\Application Data\Mozilla\ or E:\atm-profile\Desktop\Stuff

That seems to be the crux of your question - does the location of ${important_file} matter to malware, in which case the answer is no.
posted by odinsdream at 8:33 PM on October 28, 2009


I guess this thread is shot anyway.

If a malware .exe is found in your Temp folder, that folder is INFECTED. If it then installed its running parts into System32, System32 becomes INFECTED.

If it ran and performed its purpose of deleting all the .mdb files on your computer, those files (the mdb's and the folders they were in) were AFFECTED but not INFECTED.

Now, the user profile folder that contains the custom menu settings for Excel is usually in the user profile's \AppData\Local\Microsoft\Office folder. Notice that this particular malware didn't AFFECT or INFECT that folder. The \AppData\Local\Microsoft\Office folder was UNINFECTED and UNAFFECTED.

jmnugent gave the best answer by reminding me (I had forgotten) that the Temp and Temporary Internet Files folders many times get infected. However, it looks like this answer is incomplete because he also said, "..and sometimes a few more on top of that...". He never said what the others were because he got side tracked (like this whole thread) pontificating on how malware are able to follow environmental variables, how any folder COULD get infected, and how I wouldn't be able to hide my profile from malware.

People a) haven't read my original question well enough to understand it and what knowledge I'm asking for, b) must not have used or understand partitioning and using mklink as part of a disaster recovery plan, c) don't have enough experience with malware tendencies or d) don't understand the difference between "infected", "affected", and "neither". But they answer anyway. Oh well. If people who had understood and knew this stuff had been around they'd have answered, but I guess no one was around during this time.

For now, I'll be leaving my profile on c: and just redirecting a few choice folders onto e:. Kind of like using a white list instead of a black list. That'll work well enough.
posted by atm at 11:18 AM on October 29, 2009


> "jmnugent gave the best answer by reminding me (I had forgotten) that the Temp and Temporary Internet Files folders many times get infected. However, it looks like this answer is incomplete because he also said, "..and sometimes a few more on top of that...". He never said what the others were because he got side tracked"


"..and sometimes a few more on top of that..." in more simple terms means: The current ecosystem of malware has so much variety, that there is no conceivable way for the average home users to predict what folders/files might get infected and which ones won't. I deal with 5 to 10 malware infections a week, and while the TYPICAL folders that get infected are the specific ones I mentioned (profile, along with Windows Temp and System32) there are occasions when I run into unique infections which infect non-traditional folders in ways I hadn't expected. (malware that puts files in the root of C:\ .... or the root of all local drives ... or the \All Users profile folder... or \System32\Config\systemprofile ... or rootkits that create hidden encrypted registry keys or system services, etc)

Malware code is constantly changing and evolving.... the strategies of today may not protect you tomorrow.
posted by jmnugent at 3:04 PM on October 29, 2009


Quote:
"... the SPECIFIC ones I mentioned (profile, ..."

"profile" isn't very SPECIFIC. You specifically mentioned Temp And Temporary Internet Files above, and that was helpful. But here we go again. My original question, and the context I gave, still isn't being understood. Note: I REALIZE, and it doesn't matter, that malware COULD infect ANY folder on a computer (you'll see why it doesn't matter if you re-read my first post). I have only asked about folders in USER PROFILES that TEND to get infected. (Tend=most often, usually, regularly. Or, still helpful="occasionally" or "have seen").

Don't take this the wrong way, but you don't seem to have noticed that I'm not a novice. I asked a very specific question, and if you were to re-read it and my further attempted clarifications, you'd see that all answers except your first one have been non-responsive to my question.

Since, judging by the previous replies, it might not be grasped without me saying it, let me say: I'm not trying to anticipate every possible malware that might be invented and what it might do. My question is aimed at people with experience and asking them what they have seen in their experience.

Thanks.
posted by atm at 4:53 PM on October 29, 2009


Perhaps the confusion is that your "real" question seems to be about statistical probability, whereas a charitable reading of your question would lead people to believe you're actually interested in protecting real data that is important to you.

Statistically, you could come up with a list of the "most frequently targeted" folders or files on any given computer, not specifically your own personal computer. Maybe you're asking this question as part of a research document, and need a figure or graph for this.

If you're actually using your computer for personal information that is important to you (this is what comes across in your question), and your question is about how to protect this data, then the answers given above are accurate.
posted by odinsdream at 8:07 AM on October 30, 2009


Just because the info is accurate doesn't mean it's what I asked for. Notice (try hard) I didn't ask for advice about how to protect my computer or my data, or whether malware would be able to infect my profile if I moved it to another partition, or any of the other questions that some people seem to think (or wish) I asked. I asked a very specific question that got partially answered.

That partial answer was useful, however. Even if it did get buried under an avalanche of newbie wisdom.

Thanks.
posted by atm at 9:03 PM on October 30, 2009


I've gone back just now and reread this thread 3 or 4 times, intentionally slowing my reading down in an effort to comprehend where we might be misunderstanding your question.... but apparently I'm still not seeing it. Your original question was: "Do/can malwares infect user's profile files and folders?"... To which (by my count) there are atleast 7 replies in this thread giving you an emphatic "YES".

You also originally said: "However, I don't want to do this if there is ANY chance a malware would infect/pollute my profile's files and folders." ...and again, it seems to me that reply after reply is confirming that the odds are fairly high a typical/popular malware infection WILL do something to your profile files/folders. We padded our answers with conditional explanations because giving you a specific answer (ex: "The only folder you have to worry about is C:\Documents and Settings\%profile%\Local Settings\Temp") is extremely bad advice. It lulls you into a false sense of complacency that you only have to worry about that one folder.

Although I'm not a programmer and never been part of the underground warez/virus scene, its my belief and understanding that malware authors target your profile for a specific # of strategic reasons. Your profile directory will almost never be "Read Only" (because other legitimate apps need to access/modify preference settings) and because it makes more sense to infect an active profile over something like the "\All Users\" (although I've seen All Users path get infected too). It's also strategically important for malware authors to continually update and change infection targets in the ongoing cat/mouse game of avoiding detection.

I've been doing IT/Support/Sysadmin type work for almost 20 years now and have been fighting viruses since back when they were spread by floppy disk up through internet storms like Code Red, Nimda.... so while I can't speak for odinsdream, I'm pretty sure I can say for myself that I've graduated beyond "newbie wisdom".
posted by jmnugent at 5:39 PM on November 1, 2009


It doesn't matter anymore. As I said I left my profile on c: and redirected a few settings/config folders to e:. Now when I reimage c: I have less work to do, and that was my goal.

Thanks.
posted by atm at 8:24 AM on November 2, 2009


« Older Which HTML/CSS/JS IDE do I wan...   |  I really like the Californicat... Newer »
This thread is closed to new comments.