Malware Hides In CLFS To Evade Detection – Expert Reaction

BACKGROUND:

FireEye’s Mandiant researchers have discovered a malware family using the Common Log File System (CLFS) to hide its second-stage payload in registry transaction files. In their blog post Too Log; Didn’t Read they detail how PRIVATELOG and its installer STASHLOG use what they describe as a novel and especially interesting technique to obfuscate their presence. An expert with Gurucul offers comment.

Expert Comments

September 08, 2021
Saryu Nayyar
CEO
Gurucul

Log files represent fertile ground for attacking data on systems and networks. Few organizations study their log files to better understand their computing environments, so they mostly just sit there. In this case, the CLFS log format doesn’t even have any tools available to be able to read it, so what better place to store hacker data?

The easy answer to this type of attack is that if you’re not using the log data, don’t log it. Turn off logging. If you insist on logging, examine the log files on a regular basis to ensure they haven’t been corrupted. Note when data is written into them and keep track of how that data is accessed.