Re: Multiple Vendor NTFS Data Stream Malware Stealth Technique
On Mon, 5 Jun 2006, Andreas Marx wrote:
> Hi,
>
> besides the fact that it is always a good idea to notify vendors which might
> be affected *in advance* before releasing information like this, it's indeed
> nothing new.
More than that, somebody releases an advisory about it once every two
years or so.
I can't argue that it works, but just googling for "NTFS Stream
virus" would do wonders for people who look at this issue.
Gadi.
>
> You can find a more comprehensive review of AV products here:
> <http://www.heise.de/security/artikel/52139/2>
>
> This list should be updated anytime soon, to cover more products and also
> newer versions of these products.
>
> ADS can be a problem, due to this:
> <http://www.heise.de/security/artikel/52139/0>
>
> In short, you can hide an application in an ADS using this command:
> "type secret_tool.exe > c:\boot.ini:foo.exe"
>
> You can still execute it using the following syntax:
> "start c:\boot.ini:foo.exe"
>
> While some AV products might not be able to find this file during an
> on-demand virus scan, most will alert the user as soon as someone tries to
> start the file. It looks like such hidden files can only be started when
> they are in the Windows PE EXE file format. I was not able to start VBS
> script files or the "Eicar test file" this way.
>
> This means, you might have hidden a working virus, but after your conversion,
> it was no longer working. When you copy & paste Loveletter.A (a VBS file) in
> a Word DOC file, do you think AV products should still flag this DOC file,
> even if it's no longer working (as it cannot be executed in such a format)...?
>
> cheers,
> Andreas Marx
>
> CEO, AV-Test GmbH
> http://www.av-test.org
>
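As an added example (not part of the thread's own text), the following PowerShell function enumerates alternate data streams under a directory and flags any stream that begins with the PE "MZ" signature, since Andreas notes that only Windows PE executables hidden this way can actually be launched. The function name Find-SuspiciousAds and the default scan path are my own assumptions; it requires Windows PowerShell 3.0 or later on an NTFS volume.

```powershell
# Added example: list non-default NTFS streams and mark those that look like
# PE executables (first two bytes 'MZ'). Zone.Identifier streams on downloaded
# files are normal; a stream carrying a PE header is what deserves attention.
function Find-SuspiciousAds {
    param(
        [Parameter(Mandatory)] [string] $Path
    )
    Get-ChildItem -LiteralPath $Path -File -Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file = $_.FullName
            # Get-Item -Stream * returns every stream; ':$DATA' is the ordinary file content
            Get-Item -LiteralPath $file -Stream * -ErrorAction SilentlyContinue |
                Where-Object { $_.Stream -ne ':$DATA' } |
                ForEach-Object {
                    $name = $_.Stream
                    # Byte-reading syntax differs between Windows PowerShell 5.1 and PowerShell 7+
                    if ($PSVersionTable.PSVersion.Major -ge 6) {
                        $head = Get-Content -LiteralPath $file -Stream $name -AsByteStream -TotalCount 2
                    } else {
                        $head = Get-Content -LiteralPath $file -Stream $name -Encoding Byte -TotalCount 2
                    }
                    # Empty streams yield $null; .Count on $null is 0 in PowerShell 3+
                    $isPe = ($head.Count -eq 2 -and $head[0] -eq 0x4D -and $head[1] -eq 0x5A)
                    [pscustomobject]@{
                        File     = $file
                        Stream   = $name
                        Length   = $_.Length
                        PEHeader = $isPe
                    }
                }
        }
}

# Usage (assumed path): scan the user's Downloads folder, PE-looking streams first
Find-SuspiciousAds -Path (Join-Path $env:USERPROFILE 'Downloads') |
    Sort-Object PEHeader -Descending |
    Format-Table -AutoSize
```

A hit with PEHeader set to True is a stream that `start file:stream` could execute as described in the thread; the same listing also shows streams an on-demand scanner may have skipped.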