
Re: Multiple Vendor NTFS Data Stream Malware Stealth Technique



On Mon, 5 Jun 2006, Andreas Marx wrote:
> Hi,
> 
> besides the fact that it is always a good idea to notify vendors which might 
> be affected *in advance* before releasing information like this, it's indeed 
> nothing new.

More than that, somebody releases an advisory about it once every two
years or so.

I can't argue that it works, but just googling for "NTFS Stream
virus" would do wonders for people who look at this issue.

        Gadi.

> 
> You can find a more comprehensive review of AV products here:
> <http://www.heise.de/security/artikel/52139/2>
> 
> This list should be updated anytime soon, to cover more products and also 
> newer versions of these products.
> 
> ADS can be a problem, due to this:
> <http://www.heise.de/security/artikel/52139/0>
> 
> In short, you can hide an application in an ADS using this command:
> "type secret_tool.exe > c:\boot.ini:foo.exe"
> 
> You can still execute it using the following syntax:
> "start c:\boot.ini:foo.exe"
> 
> While some AV products might not be able to find this file during an 
> on-demand virus scan, most will alert the user as soon as someone tries to 
> start the file. It looks like such hidden files can only be started when 
> they are in the Windows PE EXE file format. I was not able to start VBS 
> script files or the "Eicar test file" this way.
> 
> This means, you might have hidden a working virus, but after your conversion, 
> it was no longer working. When you copy & paste Loveletter.A (a VBS file) in 
> a Word DOC file, do you think AV products should still flag this DOC file, 
> even if it's no longer working (as it cannot be executed in such a format)...?
> 
> cheers,
> Andreas Marx
> 
> CEO, AV-Test GmbH
> http://www.av-test.org
> 
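As an added example (not part of Andreas's or Gadi's messages), here is the check a practitioner would want after reading the "type ... > carrier:foo.exe" / "start carrier:foo.exe" exchange above: enumerate the alternate data streams under a directory and flag any non-default stream whose leading bytes are a Windows PE image, since that is the one kind of hidden content Andreas reports as startable this way. It assumes Windows PowerShell 5.1 or PowerShell 7 on an NTFS volume; the scratch file name `ads_demo.txt`, the stream name `foo.exe` and the use of `calc.exe` as a stand-in for `secret_tool.exe` are illustrative choices, not from the thread.

```powershell
# Added example (not from the thread). Enumerates alternate data streams under
# a directory and flags every non-default stream that starts like a Windows PE
# image ("MZ" at offset 0, "PE\0\0" at the offset stored in e_lfanew), i.e. the
# one kind of payload Andreas reports as startable with "start file:stream".
# Assumptions: Windows PowerShell 5.1 or PowerShell 7 on an NTFS volume; the
# scratch file name and calc.exe as a stand-in payload are illustrative only.

function Test-PEHeader {
    # True if $Bytes carry an MZ header and a "PE\0\0" signature at e_lfanew
    # (DWORD at 0x3C). Pure byte logic, so it works on any file head.
    param([byte[]]$Bytes)
    if ($null -eq $Bytes -or $Bytes.Length -lt 0x40) { return $false }
    if ($Bytes[0] -ne 0x4D -or $Bytes[1] -ne 0x5A) { return $false }   # 'M','Z'
    $lfanew = [int64][BitConverter]::ToUInt32($Bytes, 0x3C)
    if ($lfanew + 4 -gt $Bytes.Length) { return $false }                # truncated head
    return ($Bytes[$lfanew]     -eq 0x50 -and $Bytes[$lfanew + 1] -eq 0x45 -and
            $Bytes[$lfanew + 2] -eq 0x00 -and $Bytes[$lfanew + 3] -eq 0x00)
}

function Read-StreamHead {
    # First $Count bytes of $Path:$Stream. Get-Content's byte switch was
    # renamed between Windows PowerShell and PowerShell 7, hence the branch.
    param([string]$Path, [string]$Stream, [int]$Count = 1024)
    $b = if ($PSVersionTable.PSVersion.Major -ge 6) {
        Get-Content -LiteralPath $Path -Stream $Stream -AsByteStream -TotalCount $Count
    } else {
        Get-Content -LiteralPath $Path -Stream $Stream -Encoding Byte -TotalCount $Count
    }
    if ($null -eq $b) { return ,[byte[]]@() }
    return ,[byte[]]$b
}

function Write-StreamBytes {
    # Hide $Bytes in $Path:$Stream; the PowerShell equivalent of the thread's
    # "type secret_tool.exe > carrier:foo.exe".
    param([string]$Path, [string]$Stream, [byte[]]$Bytes)
    if ($PSVersionTable.PSVersion.Major -ge 6) {
        Set-Content -LiteralPath $Path -Stream $Stream -Value $Bytes -AsByteStream
    } else {
        Set-Content -LiteralPath $Path -Stream $Stream -Value $Bytes -Encoding Byte
    }
}

function Find-HiddenPE {
    # Walk $Root, list every stream of every file, skip the default ':$DATA'
    # stream, and report the rest with a PE verdict on their leading bytes.
    param([string]$Root)
    Get-ChildItem -LiteralPath $Root -File -Recurse -Force -ErrorAction SilentlyContinue |
      ForEach-Object {
        $file = $_
        Get-Item -LiteralPath $file.FullName -Stream * -ErrorAction SilentlyContinue |
          Where-Object { $_.Stream -ne ':$DATA' } |
          ForEach-Object {
            [pscustomobject]@{
                File   = $file.FullName
                Stream = $_.Stream
                Length = $_.Length
                IsPE   = Test-PEHeader (Read-StreamHead $file.FullName $_.Stream)
            }
          }
      }
}

# Demo: plant a PE in a stream of a harmless text file, then scan for it.
$carrier = Join-Path $env:TEMP 'ads_demo.txt'
Set-Content -LiteralPath $carrier -Value 'ordinary text file'
$payload = [IO.File]::ReadAllBytes("$env:SystemRoot\System32\calc.exe")
Write-StreamBytes -Path $carrier -Stream 'foo.exe' -Bytes $payload
Find-HiddenPE -Root $env:TEMP | Where-Object IsPE | Format-Table -AutoSize
# The carrier is left in place so you can try: start "$carrier`:foo.exe"
# Clean up afterwards with: Remove-Item -LiteralPath $carrier
```

Two caveats. The verdict is based only on the leading bytes of each stream, so a VBS script or the EICAR string parked in a stream is listed but not flagged as PE, which matches Andreas's observation that only PE images start via `start`; treat every non-default stream as worth a look, not just the `IsPE` rows. And this is the same enumeration an on-demand scanner has to do (`Get-Item -Stream *`, or `dir /r` in cmd.exe on Vista and later), which is exactly the step the products that miss stream-hidden files skip.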