BACKGROUND:
FireEye’s Mandiant researchers have discovered a malware family that uses the Common Log File System (CLFS) to hide its second-stage payload in registry transaction files. In their blog post “Too Log; Didn’t Read” they detail how PRIVATELOG and its installer STASHLOG use what they describe as a novel and especially interesting technique to obfuscate their presence. An expert with Gurucul offers comment.
<p>Log files represent fertile ground for attacking data on systems and networks. Few organizations study their log files to better understand their computing environments, so they mostly just sit there. In this case, the CLFS log format doesn’t even have any tools available to be able to read it, so what better place to store hacker data?</p>
<p>The easy answer to this type of attack is that if you’re not using the log data, don’t log it. Turn off logging. If you insist on logging, examine the log files on a regular basis to ensure they haven’t been corrupted. Note when data is written into them and keep track of how that data is accessed.</p>
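One way to put the “note when data is written into them” advice into practice, as an added example that is not Mandiant’s or Gurucul’s code: baseline the registry’s CLFS-backed transaction log files (.blf and .regtrans-ms, an assumed file set) by size and SHA-256, store the baseline as JSON, and on a later run report files that grew, changed, appeared or vanished. The directory layout and the sample files in `demo()` are constructed, not real CLFS data.

```python
import hashlib
import json
import tempfile
from pathlib import Path

# Assumed set of CLFS-backed registry transaction log suffixes to watch.
WATCHED_SUFFIXES = {".blf", ".regtrans-ms"}

def snapshot(root):
    """Map each watched file under root (relative POSIX path) to its size and SHA-256."""
    root = Path(root)
    result = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and path.suffix.lower() in WATCHED_SUFFIXES:
            data = path.read_bytes()
            result[path.relative_to(root).as_posix()] = {
                "size": len(data), "sha256": hashlib.sha256(data).hexdigest()}
    return result

def save_baseline(snap, path):
    Path(path).write_text(json.dumps(snap, indent=2, sort_keys=True))

def load_baseline(path):
    return json.loads(Path(path).read_text())

def compare(baseline, current):
    """Return (kind, relpath, detail) tuples; a stashed payload shows up as 'grew'."""
    findings = []
    for rel, cur in current.items():
        old = baseline.get(rel)
        if old is None:
            findings.append(("new", rel, f"{cur['size']} bytes"))
        elif cur["sha256"] != old["sha256"]:
            delta = cur["size"] - old["size"]
            findings.append(("grew" if delta > 0 else "modified", rel, f"{delta:+d} bytes"))
    findings.extend(("missing", rel, "") for rel in baseline if rel not in current)
    return findings

def demo():
    """Constructed sample: baseline a fake TxR directory, alter it, then re-check."""
    txr = Path(tempfile.mkdtemp()) / "TxR"
    txr.mkdir()
    (txr / "a.blf").write_bytes(b"\x00" * 64)        # constructed bytes, not real CLFS data
    (txr / "b.regtrans-ms").write_bytes(b"\x00" * 32)
    (txr / "c.LOG1").write_bytes(b"x")               # not a watched suffix, ignored
    save_baseline(snapshot(txr.parent), txr.parent / "baseline.json")
    (txr / "a.blf").write_bytes(b"\x00" * 64 + b"EXTRA42")   # 7 bytes appended
    (txr / "b.regtrans-ms").unlink()
    (txr / "d.blf").write_bytes(b"\x00" * 8)
    return compare(load_baseline(txr.parent / "baseline.json"), snapshot(txr.parent))
```

On a real host, run `snapshot()` against the directories holding the registry hives and their TxR logs, keep the JSON baseline off the machine, and treat any “grew” or “new” finding on a file the system should not have touched as something to examine.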