Information Security News mailing list archives
Re: Kaspersky Lab refutes accusations about the spreading of "virushysteria"
From: InfoSec News <isn () C4I ORG>
Date: Wed, 13 Sep 2000 02:21:04 -0500
Forwarded By: Chris Brenton <cbrenton () sover net>

Berislav Kucan wrote:

Given the latest events, Kaspersky Lab would like to once again confirm its position regarding the danger present in the NTFS alternate data streams (ADS) (for more details see here). Furthermore, we state that by continuing to ignore the problem and not taking similar steps (steps that Kaspersky Lab has already taken and continues to take) to bring their anti-virus product up to contemporary standards, the aforementioned competitor anti-virus companies are neglecting their users' anti-virus security.
As someone who has been slowly circulating a similar advisory for the past two months, I have to agree. I think the problem comes down to three key areas:

1) Virus scanning has become reactive rather than proactive
2) Streams are viewed as a directory rather than an alternate file system
3) Vendors assume they can signature tag everything in named streams

To the first point, I've received quite a few responses from virus vendors on my advisory. The typical statement is "If someone writes an alternate stream virus we will identify a way of catching it". In short, "until there is a problem there is no problem". This attitude is somewhat contradictory to the way the rest of the security industry works. Yes, many things are done on a reactive basis, but we also try to be proactive as much as possible. Can you imagine the backlash an OS vendor would receive if they made the statement "we'll fix the problem when there is evidence that people are exploiting it"? In effect this has become the norm of the virus scanning industry: wait till there is a problem and write code to catch it. One vendor even lectured me on it not being "cost effective" to try and be proactive. They also complained that they would no longer be able to use the same product to support WinNT, Win2K, Win98, etc. I will not even comment on this point, but I think it shows that a serious change in attitude is required in how the industry views anti-virus technology. IMHO, checking alternate streams is a small step in heading off a potentially large scale problem.

To the second point, my personal fear is not that a perp will use alternate streams to hide their code, but to actually turn a virus scanner against the system it's supposed to be protecting. For example, take your favorite VBS virus and associate it with a named stream executable. When the executable is launched the virus will be detected, but if the scanner is not alternate streams aware the only method of cleaning is deletion of both files.

If the scanner was alternate streams aware, performing a proper cleaning would be trivial. While I listed a number of potential delivery methods in my advisory, it appears that this issue will not be addressed by many vendors until there is actually code in the wild. <sigh>

To the final point, while it is true you cannot launch alternate stream files directly, it is trivial to make calls to code located in this area. For example:

    echo "this is the main file" > file1.txt
    copy c:\winnt\explorer.exe file1.txt:explorer.exe
    start file1.txt:explorer.exe

Foundstone has done a number of great lectures where they show the simplicity of the above. It's also possible to perform this call directly with a minimal amount of code. Now think randomizing the alternate stream name, randomizing the infected file, etc., and this leaves very little code to try and flag in the main stream file area and could result in so many false positives that the check would be of little help. The only real way to resolve the problem is to check the alternate stream area where the bulk of the virus code resides.

So IMHO the fact that alternate streams are ignored by many virus scanning vendors (as well as a few backup vendors) is a real problem that needs to be addressed. I would really hate to see this turn into a situation where a mass infection is required for vendors to sit up and take notice.

Regards,
Chris

--
**************************************
cbrenton () sover net
* Mastering Cisco Routers
  http://www.amazon.com/exec/obidos/ASIN/078212643X/
* Mastering Network Security
  http://www.amazon.com/exec/obidos/ASIN/0782123430/

ISN is hosted by SecurityFocus.com
---
To unsubscribe email LISTSERV () SecurityFocus com with a message body of "SIGNOFF ISN".
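Editor's added example, not part of Chris Brenton's posting or the Kaspersky statement: the posting's file1.txt:explorer.exe trick rebuilt with today's tooling, followed by the two things a stream-aware scanner does that a main-stream-only scanner cannot, namely enumerate the named streams behind a carrier file (and check whether they hold a PE image) and delete the offending stream without deleting the carrier. It assumes Windows PowerShell 5.1 or PowerShell 7 on an NTFS volume, a scratch directory under %TEMP%, and %SystemRoot%\System32\calc.exe standing in for explorer.exe; the function name Get-AdsReport and the 'MZ' check are the editor's choices. Nothing here launches the hidden executable.

```powershell
# Added example (editor's code, not from the original posting).
# Assumes: Windows PowerShell 5.1 or PowerShell 7, NTFS volume, calc.exe present.

# PS 5.1 reads raw bytes with -Encoding Byte; PS 6+ replaced that with -AsByteStream.
$byteArg = if ($PSVersionTable.PSVersion.Major -ge 6) { @{ AsByteStream = $true } }
           else { @{ Encoding = 'Byte' } }

function Get-AdsReport {
    # Walk a directory tree and report every named stream on every file,
    # flagging streams whose first two bytes are the 'MZ' header of a PE image.
    param([Parameter(Mandatory)][string]$Root)

    Get-ChildItem -LiteralPath $Root -File -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object {
            $carrier = $_.FullName
            # -Stream * returns ':$DATA' (the main file) plus every named stream.
            Get-Item -LiteralPath $carrier -Stream * -ErrorAction SilentlyContinue |
                Where-Object { $_.Stream -ne ':$DATA' } |
                ForEach-Object {
                    $head = Get-Content -LiteralPath $carrier -Stream $_.Stream -TotalCount 2 @byteArg -ErrorAction SilentlyContinue
                    [pscustomobject]@{
                        Carrier = $carrier
                        Stream  = $_.Stream
                        Bytes   = $_.Length
                        LooksPE = (@($head).Count -eq 2 -and $head[0] -eq 0x4D -and $head[1] -eq 0x5A)
                    }
                }
        }
}

# --- Demo: recreate the posting's carrier file in a scratch directory ---
$demo = Join-Path $env:TEMP 'ads-demo'
New-Item -ItemType Directory -Path $demo -Force | Out-Null
$carrier = Join-Path $demo 'file1.txt'
Set-Content -LiteralPath $carrier -Value 'this is the main file'

# cmd.exe's copy accepts file:stream syntax; /b keeps the copy binary-exact.
$payload = Join-Path $env:SystemRoot 'System32\calc.exe'
cmd.exe /c "copy /b `"$payload`" `"${carrier}:calc.exe`" >nul"

# A scanner that only reads the main stream sees a few bytes of text:
"Main stream size : $((Get-Item -LiteralPath $carrier).Length) bytes"

# A stream-aware scan sees the executable sitting behind it:
Get-AdsReport -Root $demo | Format-Table -AutoSize

# Stream-aware cleaning: delete only the named stream; the carrier file survives.
Remove-Item -LiteralPath $carrier -Stream 'calc.exe'
"Streams after cleanup: $((Get-Item -LiteralPath $carrier -Stream *).Stream -join ', ')"
```

The report should list file1.txt with a calc.exe stream whose LooksPE column is True and whose Bytes column matches the size of calc.exe, and after Remove-Item only :$DATA remains. Two caveats for anyone turning this into a real check: directories can carry named streams as well as files (Get-Item -Stream * works on them too), and the 'MZ' test only catches PE images, so a script payload of the kind the posting worries about needs the stream contents handed to the same signature or heuristic engine that inspects the main stream.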