Full Disclosure mailing list archives

Re: Multiple Vendor NTFS Data Stream Malware Stealth Technique


From: "/dev/null" <exceed () email si>
Date: Mon, 05 Jun 2006 14:35:58 +0200

This is a well-known issue. Anyway, I did a quick test. I used the "famous" 
ncx99.exe. Here are the results:

http://www2.shrani.si/files/pic1616545.jpg
http://www2.shrani.si/files/pic2616546.jpg

Then I did another test using KAV5 Personal Pro edition. When scanned, 
ncx99.exe, included in the ads.txt Alternate Data Stream, is not detected. Anyway, 
it is detected when the ADS is executed like this: 

c:\>start c:\ads.txt:ncx99.exe

I suppose other AVs will detect a malicious ADS at execution time. Or am I wrong?

Here's another interesting fact: if the KAV5 option "Real-time file protection" is 
disabled and the ncx99.exe ADS is executed, WFP (Windows firewall) will not pop up 
any warning. The port (in this case TCP/99) will be wide open and there will 
be no entries in the exceptions list. Didn't try with other firewalls.

I don't think this could be classified as a security breach per se, but just as 
an interesting fact.

Maybe someone can test other AVs/firewalls and post results.


-exceed

____________________
http://www.email.si/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
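The post above hides an executable in a named stream of a text file and launches it with `start c:\ads.txt:ncx99.exe`. As an added example (this is editor-supplied code, not something posted by exceed or shipped with any of the products mentioned), the PowerShell below reproduces that setup and then does the check a defender wants: walk a directory tree, list every named NTFS stream, and flag streams whose first two bytes are the PE `MZ` magic. It assumes Windows PowerShell 3.0 or later on an NTFS volume; the paths, the stream name and the `New-TestAds`/`Find-ExecutableAds` function names are illustrative.

```powershell
# Added example, not from the original post. Assumes Windows PowerShell 3.0+
# on NTFS; all paths and stream names below are illustrative.

function New-TestAds {
    param([string]$HostFile, [string]$StreamName, [string]$SourceFile)
    # Hide a copy of $SourceFile inside a named stream of $HostFile.
    # Equivalent to the classic cmd.exe form:  type source.exe > host.txt:stream.exe
    # Directory listings and the file size only show the default stream.
    Set-Content -Path $HostFile -Value 'innocent looking text file'
    $bytes = [System.IO.File]::ReadAllBytes($SourceFile)
    [System.IO.File]::WriteAllBytes("${HostFile}:${StreamName}", $bytes)
}

function Find-ExecutableAds {
    param([string]$Root)
    # Enumerate every named stream on every file under $Root.
    # The unnamed default stream is reported as ':$DATA' and is skipped.
    Get-ChildItem -LiteralPath $Root -File -Recurse -Force -ErrorAction SilentlyContinue |
      ForEach-Object {
        $file = $_.FullName
        Get-Item -LiteralPath $file -Stream * -ErrorAction SilentlyContinue |
          Where-Object { $_.Stream -ne ':$DATA' } |
          ForEach-Object {
            # .NET opens "file:stream" paths directly, so read the stream's
            # first two bytes and test for the PE 'MZ' signature (0x4D 0x5A).
            $streamPath = "${file}:$($_.Stream)"
            $magic = New-Object byte[] 2
            try {
                $fs = [System.IO.File]::OpenRead($streamPath)
                [void]$fs.Read($magic, 0, 2)
                $fs.Close()
            } catch {
                return   # unreadable stream (locked, access denied): skip it
            }
            [PSCustomObject]@{
                File   = $file
                Stream = $_.Stream
                Length = $_.Length
                IsPE   = ($magic[0] -eq 0x4D -and $magic[1] -eq 0x5A)
            }
          }
      }
}

# Usage (illustrative paths):
# New-TestAds -HostFile 'C:\test\ads.txt' -StreamName 'ncx99.exe' -SourceFile 'C:\tools\ncx99.exe'
# Find-ExecutableAds -Root 'C:\test' | Where-Object IsPE | Format-Table -AutoSize
#
# Remove a hidden stream without touching the host file's default content:
# Remove-Item -LiteralPath 'C:\test\ads.txt' -Stream 'ncx99.exe'
```

Expect benign hits too: files downloaded by a browser carry a `Zone.Identifier` stream, which the scan lists with `IsPE` false. The `MZ` test only catches PE images; a stream holding a script or a packed blob needs a content check of its own, which is exactly the gap the post describes when an on-demand scan ignores named streams until the stream is executed.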
