funsec mailing list archives

F-Secure: Hiding the Unseen


From: "Fergie" <fergdawg () netzero net>
Date: Wed, 21 Jun 2006 18:22:11 GMT

Interesting.

Via F-Secure.

[snip]

Many of our readers have probably heard of Alternate Data Streams (ADS)
on NTFS. They're not that well documented and there are only a few
tools that can actually handle them. Lately we've been looking at
variants of the Mailbot family that use hidden streams to hide themselves.

Let's take Mailbot.AZ (aka Rustock.A) as an example. There's only a
single component lying on the disk, and that is a kernel-mode driver.
It's stored as a hidden data stream attached to the system32 folder (yes,
folders can have data streams as well)! Saving your data into Alternate
Data Streams is usually enough to hide from many tools.

However, in this case, the stream is further hidden using rootkit
techniques, which makes detection and removal quite challenging.
Because Mailbot.AZ is hiding something that's not readily visible, it's
very likely that many security products will have a tough time dealing
with this one.

[snip]

More here:
http://www.f-secure.com/weblog/#00000907

- ferg


--
"Fergie", a.k.a. Paul Ferguson
 Engineering Architecture for the Internet
 fergdawg () netzero net or fergdawg () sbcglobal net
 ferg's tech blog: http://fergdawg.blogspot.com/


_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
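A defender-side check for the hiding technique described in the quoted F-Secure excerpt, added here as an example and not part of the original post or F-Secure's own tooling: it lists non-default NTFS data streams on a folder (which, as the post notes, can carry streams) and on the files beneath it. It assumes PowerShell 3.0 or later, where Get-Item's -Stream parameter exists, and the helper name Get-AlternateDataStream is my own.

```powershell
# Added example, not code from the F-Secure post or the funsec thread.
# Assumes PowerShell 3.0+ (Get-Item -Stream) and an NTFS volume.
function Get-AlternateDataStream {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [switch] $Recurse
    )
    # Directories can carry streams too, so examine the folder itself,
    # then whatever lives under it.
    $items = @(Get-Item -LiteralPath $Path -Force)
    $items += Get-ChildItem -LiteralPath $Path -Force -Recurse:$Recurse -ErrorAction SilentlyContinue
    foreach ($item in $items) {
        # ':$DATA' is the unnamed default stream of a file; any other
        # stream name is an alternate data stream. Zone.Identifier is a
        # common benign one on downloaded files, so review rather than alarm.
        Get-Item -LiteralPath $item.FullName -Stream * -Force -ErrorAction SilentlyContinue |
            Where-Object { $_.Stream -ne ':$DATA' } |
            ForEach-Object {
                [pscustomobject]@{
                    Path   = $item.FullName
                    Stream = $_.Stream
                    Length = $_.Length
                }
            }
    }
}

# Check the folder the post names, plus its direct contents.
Get-AlternateDataStream -Path "$env:SystemRoot\System32" | Format-Table -AutoSize
```

A kernel-mode rootkit of the kind the post describes can filter what this enumeration returns on a live system, so treat an empty result as unconfirmed until the same folder has been checked offline (for example from clean boot media).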

