Security Incidents mailing list archives

Previous By Date Next
Previous By Thread Next

RE: strange windows behaviour.

From: "Schmehl, Paul L" <pauls () utdallas edu>
Date: Wed, 8 Oct 2003 15:44:22 -0500
-----Original Message-----
From: J Mike Rollins [mailto:rollins () wfu edu] 
Sent: Wednesday, October 08, 2003 12:46 PM
To: incidents () securityfocus com
Subject: Re: strange windows behaviour.



One trick that hackers are exploiting is to store executable 
files as NTFS Streams.  You should check you registry for 
programs set to run at startup with the following format

      rundll32.exe C:\Some\Directory:trojan.dll

The : in front of the trojan signifies that the file is 
really an NTFS Stream.  Trojans stored in this format may not 
be detected by many virus scanners.


There's been a lot of discussion about this amongst av professionals.
There's really no advantage to scanning streams because they are
"inert".  In order for the trojan to do anything, it has to "come out of
hiding" as it were, and when it does, av on access scanning will detect
it **if it's a known trojan**.  While it's in the stream it's merely in
storage, not being used.

Paul Schmehl (pauls () utdallas edu)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu/~pauls/ 

---------------------------------------------------------------------------
----------------------------------------------------------------------------
Previous By Date Next
Previous By Thread Next

Current thread: