Full Disclosure mailing list archives
Re: Multiple Vendor NTFS Data Stream Malware Stealth Technique
From: "/dev/null" <exceed () email si>
Date: Mon, 05 Jun 2006 14:35:58 +0200
This is a well-known issue. Anyway, I did a quick test. I used the "famous" ncx99.exe. Here are the results:

http://www2.shrani.si/files/pic1616545.jpg
http://www2.shrani.si/files/pic2616546.jpg

Then I did another test using KAV5 Personal Pro edition. When scanned, ncx99.exe, included in the ads.txt Alternate Data Stream, is not detected. Anyway, it is detected when the ADS is executed like this:

c:\>start c:\ads.txt:ncx99.exe

I suppose other AVs will detect a malicious ADS at execution time. Or am I wrong?

Here's another interesting fact: if the KAV5 option "Real-time file protection" is disabled and the ncx99.exe ADS is executed, WFP (Windows firewall) will not pop up any warning. The port (in this case TCP/99) will be wide open and there will be no entries in the exceptions list. Didn't try with other firewalls.

I don't think this could be classified as a security breach per se, but just as an interesting fact. Maybe someone can test other AVs/firewalls and post results.

-exceed

____________________
http://www.email.si/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
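The post above hides an executable in a named stream of ads.txt and runs it with `start c:\ads.txt:ncx99.exe`. What a defender wants at this point is a way to find such streams, since Explorer and a plain `dir` show only the carrier file. The following is an added example, not code from the original poster: a Windows PowerShell 5.1 function that walks a directory, lists every named stream on every file, and flags streams whose first two bytes are the PE "MZ" signature. The file and stream names `ads.txt` and `ncx99.exe` follow the post; the function name `Find-ExecutableStreams`, the scratch directory and the four-byte marker written into the stream are my own constructed setup (the marker is not a real executable and cannot be run).

```powershell
# Added example (not from the original post): enumerate NTFS alternate data
# streams under a path and flag those that start with the PE "MZ" signature,
# i.e. executables hidden the way the post describes (c:\ads.txt:ncx99.exe).
# Windows PowerShell 5.1 syntax; on PowerShell 7 replace '-Encoding Byte'
# with '-AsByteStream'.

function Find-ExecutableStreams {
    param(
        [Parameter(Mandatory)] [string] $Path
    )

    Get-ChildItem -Path $Path -Recurse -File -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file = $_
            # '-Stream *' lists every stream on the file; the unnamed default
            # data stream is reported as ':$DATA' and is skipped here.
            Get-Item -LiteralPath $file.FullName -Stream * -ErrorAction SilentlyContinue |
                Where-Object { $_.Stream -ne ':$DATA' } |
                ForEach-Object {
                    # Read only the first two bytes of the named stream.
                    $header = Get-Content -LiteralPath $file.FullName -Stream $_.Stream `
                                          -Encoding Byte -TotalCount 2 -ErrorAction SilentlyContinue
                    # 0x4D 0x5A == "MZ", the DOS header every PE file begins with.
                    $isPe = ($header.Count -eq 2 -and $header[0] -eq 0x4D -and $header[1] -eq 0x5A)
                    [pscustomobject]@{
                        File        = $file.FullName
                        Stream      = $_.Stream
                        Bytes       = $_.Length
                        LooksLikePE = $isPe
                    }
                }
        }
}

# --- Demonstration on a scratch directory (constructed, benign) ---
$scratch = Join-Path $env:TEMP 'ads-demo'          # assumed scratch location
New-Item -ItemType Directory -Path $scratch -Force | Out-Null
$carrier = Join-Path $scratch 'ads.txt'
Set-Content -LiteralPath $carrier -Value 'harmless text in the default stream'

# Hide a blob that starts with "MZ" in a named stream called ncx99.exe.
# This is a four-byte marker standing in for the payload, not real code.
$marker = [byte[]](0x4D, 0x5A, 0x00, 0x00)
Set-Content -LiteralPath $carrier -Stream 'ncx99.exe' -Value $marker -Encoding Byte

# A plain directory listing shows only ads.txt; the scan reveals the stream
# and reports LooksLikePE = True for it.
Find-ExecutableStreams -Path $scratch | Format-Table -AutoSize

# Clean-up: remove just the hidden stream, leaving ads.txt itself intact.
Remove-Item -LiteralPath $carrier -Stream 'ncx99.exe'
```

Two caveats when using this. The "MZ" check only catches a payload stored as a plain PE; a compressed, encrypted or script payload will not match, so any named stream of non-trivial size on a file that has no business carrying one (a .txt, a .jpg) deserves a look regardless of the flag. And on Windows Vista and later, `dir /r` in cmd.exe also lists streams and their sizes, which is a quick manual check when PowerShell is not available.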
Current thread:
- Re: Multiple Vendor NTFS Data Stream Malware Stealth Technique /dev/null (Jun 05)
- <Possible follow-ups>
- Re: Multiple Vendor NTFS Data Stream Malware Stealth Technique Andreas Marx (Jun 06)