funsec mailing list archives
F-Secure: Hiding the Unseen
From: "Fergie" <fergdawg () netzero net>
Date: Wed, 21 Jun 2006 18:22:11 GMT
Interesting. Via F-Secure. [snip] Many of our readers have probably heard of Alternate Data Streams (ADS) on NTFS. They're not that well documented and there are only a few tools that can actually handle them. Lately we've been looking at variants of the Mailbot family that use hidden streams to hide themselves. Let's take Mailbot.AZ (aka Rustock.A) as an example. There's only a single component lying on the disk, and that is a kernel-mode driver. It's stored as hidden data stream attached to the system32 folder (yes, folders can have data streams as well)! Saving your data into Alternate Data Streams is usually enough to hide from many tools. However, in this case, the stream is further hidden using rootkit techniques, which makes detection and removal quite challenging. Because Mailbot.AZ is hiding something that's not readily visible, it's very likely that many security products will have a tough time dealing with this one. [snip] More here: http://www.f-secure.com/weblog/#00000907 - ferg -- "Fergie", a.k.a. Paul Ferguson Engineering Architecture for the Internet fergdawg () netzero net or fergdawg () sbcglobal net ferg's tech blog: http://fergdawg.blogspot.com/ _______________________________________________ Fun and Misc security discussion for OT posts. https://linuxbox.org/cgi-bin/mailman/listinfo/funsec Note: funsec is a public and open mailing list.
Current thread:
- F-Secure: Hiding the Unseen Fergie (Jun 21)
- Homegrown terror, or hype? StyleWar (Jun 22)
- Re: Homegrown terror, or hype? Valdis . Kletnieks (Jun 22)
- Homegrown terror, or hype? StyleWar (Jun 22)