Security Incidents mailing list archives
RE: strange windows behaviour.
From: "Pepijn Vissers" <vissers () fox-it com>
Date: Thu, 9 Oct 2003 15:57:37 +0200
//One trick that hackers are exploiting is to store executable
//files as NTFS Streams. You should check your registry for
//programs set to run at startup with the following format
//  rundll32.exe C:\Some\Directory:trojan.dll
//NTFS Streams cannot be listed by the dir command. What you
//can do to verify the existence of one of the Streams is to do
//
//  notepad.exe C:\Some\Directory:trojan.dll
//
//If you see content, then the stream is really there.

Very true. There is a tool that will help you, called LADS (List Alternate Data Streams), which is a modified 'dir'. Get it at http://www.heysoft.de/nt/ep-lads.htm.

Best regards,
Pepijn Vissers

--
P. Vissers
Fox-IT Forensic IT Experts B.V.
www.fox-it.com
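The registry check described in the quoted message, as an added example that is not part of the original post: it scans startup command lines for arguments of the form `path:stream`. The function names and the sample values are constructed for illustration, and it assumes the startup values have already been exported as name/command pairs.

```python
import re

ARG = re.compile(r'"([^"]*)"|(\S+)')   # one quoted or bare command-line argument
DRIVE = re.compile(r'^[A-Za-z]:')      # the one colon a plain path may contain

def split_stream(arg):
    """Return (host_path, stream_name) if arg names an alternate data stream, else None."""
    m = DRIVE.match(arg)
    prefix, rest = (m.group(0), arg[m.end():]) if m else ("", arg)
    host, colon, tail = rest.partition(":")
    if not colon or "\\" not in host:      # no stream colon, or not a path (e.g. /url:x)
        return None
    # Drop a rundll32-style ",EntryPoint" suffix and a ":$DATA" type suffix.
    stream = tail.split(",")[0].split(":")[0]
    if not stream:                         # "file::$DATA" is the default stream, not an ADS
        return None
    return (prefix + host, stream)

def flag_autoruns(entries):
    """entries maps a startup value name to its command line; return those using a stream."""
    flagged = {}
    for name, command in entries.items():
        args = [quoted or bare for quoted, bare in ARG.findall(command)]
        refs = [r for r in map(split_stream, args) if r]
        if refs:
            flagged[name] = refs
    return flagged

# Constructed sample data: value names and commands as they might appear under a Run key.
SAMPLE_RUN_VALUES = {
    "Updater": r"rundll32.exe C:\Some\Directory:trojan.dll",
    "Quoted": r'rundll32.exe "C:\Program Files\App\readme.txt:helper.dll",Start',
    "Normal": r'"C:\Program Files\App\app.exe" /url:http://example.test/ /log:C:\Temp\a.log',
    "DefaultStream": r"C:\Tools\tool.exe::$DATA",
}

if __name__ == "__main__":
    for name, refs in flag_autoruns(SAMPLE_RUN_VALUES).items():
        print(name, refs)
```

An unquoted path containing spaces is split into several arguments, so only the fragment that carries the stream colon is reported as the host path.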