Security Incidents mailing list archives

RE: strange windows behaviour.

From: J Mike Rollins <rollins () wfu edu>
Date: Thu, 9 Oct 2003 11:12:55 -0400 (EDT)


I have just tested the ideas expressed here and have to report that
streams can still be a threat.

When I try to make a copy of the dll stored within the stream, the virus
scanning software does find it.

However, when I run the contents of the dll stream by using rundll32 the
program is not caught by the virus scanning software.  And the trojan
continues to execute undetected.

So, I believe this to be a serious threat.


On Wed, 8 Oct 2003, Schmehl, Paul L wrote:

-----Original Message-----
From: J Mike Rollins [mailto:rollins () wfu edu]
Sent: Wednesday, October 08, 2003 12:46 PM
To: incidents () securityfocus com
Subject: Re: strange windows behaviour.

One trick that hackers are exploiting is to store executable
files as NTFS Streams.  You should check you registry for
programs set to run at startup with the following format

    rundll32.exe C:\Some\Directory:trojan.dll

The : in front of the trojan signifies that the file is
really an NTFS Stream.  Trojans stored in this format may not
be detected by many virus scanners.


There's been a lot of discussion about this amongst av professionals.
There's really no advantage to scanning streams because they are
"inert".  In order for the trojan to do anything, it has to "come out of
hiding" as it were, and when it does, av on access scanning will detect
it **if it's a known trojan**.  While it's in the stream it's merely in
storage, not being used.

Paul Schmehl (pauls () utdallas edu)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu/~pauls/


Mike

    Network Operations and Security, Wake Forest University
======================================================================
          J. Mike Rollins              rollins () wfu edu
     Wake Forest University     http://www.wfu.edu/~rollins
        Winston-Salem, NC            work: (336) 758-1938
======================================================================


---------------------------------------------------------------------------
----------------------------------------------------------------------------

Current thread:

Re: strange windows behaviour., (continued)
- - Re: strange windows behaviour. Brian Eckman (Oct 08)
    - Re: strange windows behaviour. Fabio Panigatti (Oct 10)
    - Re: strange windows behaviour. J Mike Rollins (Oct 10)
    - Re: strange windows behaviour. Tomasz Papszun (Oct 10)
- Re: strange windows behaviour. J Mike Rollins (Oct 08)
- Re: strange windows behaviour. H Carvey (Oct 08)
  - Re: strange windows behaviour. Peter Moody (Oct 08)
    - Re: strange windows behaviour. Harlan Carvey (Oct 08)
- Re: strange windows behaviour. Derek (Oct 08)
- RE: strange windows behaviour. Schmehl, Paul L (Oct 09)
  - RE: strange windows behaviour. J Mike Rollins (Oct 09)
    - Re: strange windows behaviour. Jeff Kell (Oct 09)
    - Re: strange windows behaviour. J Mike Rollins (Oct 09)
    - Re: strange windows behaviour. Tobias Rice (Oct 10)
  - RE: strange windows behaviour. Harlan Carvey (Oct 09)
    - Administrivia: strange windows behaviour. Dan Hanson (Oct 09)
  - RE: strange windows behaviour. Chris Brenton (Oct 09)
- RE: strange windows behaviour. Pepijn Vissers (Oct 09)
- Re: strange windows behaviour. Karl Levinson (Oct 09)
  - Re: strange windows behaviour. Harlan Carvey (Oct 10)
- RE: strange windows behaviour. Schmehl, Paul L (Oct 09)

(Thread continues...)