Full Disclosure mailing list archives
Re: NTFS Alternate Data Stream
From: Paul Schmehl <pauls () utdallas edu>
Date: Fri, 21 Aug 2009 17:37:41 +0000
--On Friday, August 21, 2009 07:30:37 -0500 Leandro Malaquias <lm.net.security () gmail com> wrote:
http://www.thinkdigit.com/General/Hidden-Threat-NTFS-Alternate-Data-Streams-ADS_3328.html
Whoever wrote this specializes in hyperbole. ADS is not hidden. It's completely accessible. For example, you can view the ADS in Word documents within Word. ADS is where some file metadata is stored. Yes, it's not viewable in Windows Explorer, but if you want more transparency with ADS, you can add ADS to the Properties tabs of the file system and view ADS for every file in the GUI by using StrmExt.dll.

http://msdn.microsoft.com/en-us/library/ms810604.aspx

Furthermore, executable content in an ADS cannot be run in some mysterious hidden fashion. It is called just like any other executable and runs in memory just like any other executable. Sure, you can "hide" stuff there, but it's not hidden when it's running.

Finally, all reputable a/v companies already scan ADS for malicious code.

--
Paul Schmehl (pauls () utdallas edu)
Senior Information Security Analyst
The University of Texas at Dallas
http://www.utdallas.edu/ir/security/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/