Data Security: Resource


 Search Resources
Hot Words
Key Words
In Field

 By Chris Gudy
Find Spyware from Windows Folder
In general, spyware would be placed in a particular place when installing, whereas common software normally let user choose or create an independent folder or sub-folder to store. The first reason is that most of spyware is installed without confirmation of users, so they never provide any chance to users to choose place of storage. Second, even if there are some spyware that have normal installation functionality, such as spyware for parents, it still needs to hide from those whom it spies. In order to meet with the goal of hiding spyware, the place to store spyware and adware should at least follow up features shown here.
  • Some spyware files could be placed in an existing directory, especially created by operating system. If developers do not want users to know where the files save, to create new folder is absolutely not a good idea. A new folder probably hints detectors to check its contents. If so, the spyware or adware will be disclosed soon. Thus, utilizing an existing directory of operating system to store spyware is a better option to keep secret.
  • The directory would include lots of files that are particularly in types as same as spyware and adware. As you know, any operating system has a number of directories. Some of them are simple, and some are complicated. If developers want to hide files into a folder, they should look for one that not only has files as many as possible, but also its files have same, or similar, type as spyware and adware, for example EXE and DLL files.
  • The directory would be difficult to check if there is any change to take place. The purpose of utilizing an existing directory is to increase difficulty for detectors to uncover spyware. If there are some folders that cannot be accessed by common tools, developers always prefer to consider putting spyware into those folders. Obviously, this strategy will probably add the duration of spyware and adware.
  • Some spyware and adware files could be attached upon an existing file, such as operating system file. Appending a file of spyware into an existing file is a more spy-like way to hide files. Developers do not create any file as well as do not create any folder. The unique thing developers need to do is to choose an existing file, for example an operating system file, and add content of spyware file to it. Despite the method seems more complicated, it is far more difficult to check.
  • Some spyware files could be saved in registry. In fact, registry is a special type of file in disk. For common users, they do not dare to operate it as they manage normal file system. So hiding information of spyware and adware in registry is also a good choice for developers.

System Directory

Operating system usually places its core executable files into a single folder. So do Windows operating systems. This folder is called system directory. Normally, application developers should avoid accessing this particular folder. But spyware developers have different opinion on this issue. Provided developers need a place to store executable file, such as EXE and DLL, the system directory including a lots of similar type file is surely an ideal candidate as long as they agree the following reasons.
  • System directory is usually a complicated folder, for it often has over one hundred files in addition to a number of sub-folders. Checking or identifying its files is more difficult than other folders.
  • There are various file types in system directory. Executable files are main of them. It is suitable for spyware to hide itself in a large of similar files.
  • Common users are short on knowledge about system directory. It is a dangerous operation for them to drop any file in this folder. Thus, most of them do not dare to delete a file in system directory even if it is identified as spyware or adware.

To Windows operation systems, that developers utilize system directory to store spyware might get extra benefit. First, the system directory in different computer might be different. One reason is that users are able to create own system directories different from default arrangement. Another cause is that the default settings for system directory are different on different operation systems.

For example, in Windows XP the default system directories are shown here respectively.


Absolutely, that system directory has different name and physical position will probably confuse common users when they are told to check their system directories to identify spyware or adware and help spyware hide more deeply.

Then, although system directory in Windows operating systems might be different, designers can get it with same way through a Win32 API function. In other words, system directories placed in different position only confuses users but never troubles developers.

So, spyware and adware are in favour of homing in system directories.

Temporary Directory

As you guess, system directory is never unique folder to be utilized despite it usually homes a number of spyware. In fact, there are many other candidate folders created by operating system that spyware hacks. Temporary directory is another interesting place because not only there are more and more temporary directories in Windows operating system, but also users seldom care any changes in them. In particular, Internet temporary folder is a place that lures many spyware to move in it, because unlike other temporary directories, the content of this folder cannot be displayed through Explorer. It means that common users have little chances to know what files or sub-folders are in this directory. Therefore, some spyware thinks it is a suitable place to hide.

In Windows operating systems, temporary Internet files, namely html and graphics files viewed in Internet Explorer, are stored at a special temporary directory. Different operating systems set their default values differently. For example, in Windows XP it is

%USERPROFILE%\Local Settings\Temporary Internet Files.

Besides default values, users can change this folder by following registry entry.

Key: Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
Name: Cache
Value: path of Internet temporary directory

In fact, the default folder is also set in this entry at beginning. After installing, users can redirect Internet temporary files to any folder by setting the entry. So, as long as you read the value of this entry, you know where the Internet temporary directory is.

The folder is designed for Microsoft Internet Explorer (IE) to use the Temporary Internet Files feature to store copies of Web content on the local hard drive. This feature improves network performance but can fill the hard drive with large amounts of unwanted data. IE allows many aspects of the Temporary Internet Files feature to be controlled. Of course, spyware creators just utilize it to store spyware, so we ignore these IE features and just view how spyware and adware to store on the folder.

By Explorer you certainly can locate the folder indicated as aforementioned entry, and see many temporary files. Notice that if you think these files are really placed under the Internet temporary directory as shown in Explorer, you are indeed deceived. In order to guard the Internet security, Windows adopts many strategies. Because Internet temporary files might include important personal materials, Explorer particularly masks the structure of Internet temporary directory to prevent from accessing illegally.

You have many ways or tools to research secrets of Internet temporary directory. The simplest one is to copy the folder to another place and rename it. This is a high risk place to host spyware or any other malware.

Randomized File Name

File name is an important clue for people who want to pick up spyware and adware from disk. If the file names of spyware are various in various victim computers, undoubtedly, users have to do more works to uncover it or delete it. This is the main reason why spyware is favor in randomized file name.

In view of technology, to get a randomized file name with random function is no problem for programmers. However, because most spyware consists of more than one file, how to call each other in those files after they are named by random becomes a new challenge. Basically, when designers consider randomizing the file names of spyware, they have two strategies to choose: half random or pure random. We examine them in detail.
  • Half random means that file names produced in same victim computer have necessary relationship, though the file names of spyware might be different from each victim computer. In this situation, a file in spyware generally can identify other files and access them through designed mapping.
  • Pure random means each file of spyware will be produced with randomizing. There is no relationship among those file names again. In other words, file names are only a label for operating system to access but nothing for spyware in which no program can call other files with those randomized names. Namely, designers need extra ways to implement accessing among spyware.

Obviously, half random is a simpler way to developer, for it reserves some relationships among file names. By the relationship, it is possible for you to identify other files. Or say, you need find spyware not only by names, but also by relationship among file names.