Re: Multiple Vendor NTFS Data Stream Malware Stealth Technique

[Gadi Evron <ge () linuxbox org>]

On Mon, 5 Jun 2006, Andreas Marx wrote:
> Hi,
>
> besides the fact that it is always a good idea to notify vendors which might be affected *in advance* before 
> releasing information like this, it's indeed nothing new.

More than that, somebody releases an advisory about it once every two
years or so.

I can't argue that it works, but just googling for "NTFS Stream
virus" would do wonders for people who look at this issue.

        Gadi.

> You can find a more comprehensive review of AV products here:
> <http://www.heise.de/security/artikel/52139/2>
>
> This list should be updated anytime soon, to cover more products and also newer versions of these products.
>
> ADS can be a problem, due to this:
> <http://www.heise.de/security/artikel/52139/0>
>
> In short, you can hide an application in an ADS using this command:
> "type secret_tool.exe > c:\boot.ini:foo.exe"
>
> You can still execute it using the following syntax:
> "start c:\boot.ini:foo.exe"
>
> While some AV products might not be able to find this file during an on-demand virus scan, most will alert the user 
> as soon as someone tries to start the file. It looks like that such hidden files can only be started when they are in 
> the Windows PE EXE file format. I was not able to start VBS script files or the "Eicar test file" this way.
>
> This means, you might have hidden a working virus, but after your conversion, it was no longer working. When you copy 
> & paste Loveletter.A (a VBS file) in a Word DOC file, do you think AV products should still flag this DOC file, even 
> if it's no longer working (as it cannot be executed in such a format)...?
>
> cheers,
> Andreas Marx
>
> CEO, AV-Test GmbH
> http://www.av-test.org
>
> ______________________________________________________________________
> XXL-Speicher, PC-Virenschutz, Spartarife & mehr: Nur im WEB.DE Club!          
> Jetzt gratis testen! http://freemail.web.de/home/landingpad/?mc=021130