Security Incidents mailing list archives
RE: strange windows behaviour.
From: "Schmehl, Paul L" <pauls () utdallas edu>
Date: Fri, 10 Oct 2003 09:45:57 -0500
-----Original Message-----
From: Harlan Carvey [mailto:keydet89 () yahoo com]
Sent: Thursday, October 09, 2003 5:29 PM
To: incidents () securityfocus com
Subject: RE: strange windows behaviour.

Can you elaborate on "has to come out of hiding"?
In order for code "hidden" in an ADS to be executed, it has to be called by something. As soon as the on-access scanner detects the file access it will scan the file to determine if it's viral. If it is, it will block the execution of the file. What I meant by "come out of hiding" is that it has to be called and executed before it can do anything.

Now that's the ideal. In the real world, you have to understand that the AV software has to "know" about the executable. If it's "new" or unknown code, on-access scanning is not going to detect it. But then on-demand scanning wouldn't detect it either, since they both use the same detection methods and "databases". One poster pointed out to me privately that this is true of *all* files. I agree.

And I suppose there would be *some* benefit to being able to on-demand scan ADS, but the vendors have looked at it and rejected it due to the CPU and time costs (how long it would take to scan all files plus scan for ADS plus scan anything that's in ADS). So long as files are not executed, they remain benign. Properly written AV software *should* detect the file launch, scan and detect the malicious software, and then block its execution regardless of its storage location.
I've repeatedly demonstrated how an executable can be written to an ADS and launched directly from that location, without having to be copied to another location, such as a temp file. The same is true on Win2K systems and above with VB and JavaScript files.
I hope that clarifies my comments.
Paul Schmehl (pauls () utdallas edu)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu/~pauls/
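The two halves of the behaviour Paul describes, an executable hidden in an NTFS alternate data stream and the on-demand walk over streams that vendors declined to ship, as an added example that is not part of the original post or of any AV product. It assumes an NTFS volume under $env:TEMP, Windows PowerShell 5.1 or PowerShell 7, and uses calc.exe as a harmless stand-in for the hidden executable; the stream name hidden.exe and the function names are the example's own. It writes and inspects the stream but deliberately does not launch it.

```powershell
# Added example (not from the original post). Hides a PE image in an NTFS
# alternate data stream of an innocent-looking file, then walks a directory
# enumerating named streams and flagging those that start with the 'MZ' PE
# magic, i.e. the kind of on-demand ADS scan the post says vendors rejected.
# Assumptions: NTFS volume under $env:TEMP, PowerShell 5.1 or 7, calc.exe as a
# harmless stand-in payload. Nothing in the stream is executed.

$IsCore = $PSVersionTable.PSVersion.Major -ge 6

function Write-StreamBytes {
    param([string]$Path, [string]$Stream, [byte[]]$Bytes)
    # The raw-byte switch on Set-Content was renamed between 5.1 and 7
    if ($IsCore) { Set-Content -Path $Path -Stream $Stream -Value $Bytes -AsByteStream }
    else         { Set-Content -Path $Path -Stream $Stream -Value $Bytes -Encoding Byte }
}

function Read-StreamHead {
    param([string]$Path, [string]$Stream, [int]$Count = 2)
    # Read only the first few bytes of a named stream (enough for a magic check)
    if ($IsCore) { Get-Content -Path $Path -Stream $Stream -TotalCount $Count -AsByteStream }
    else         { Get-Content -Path $Path -Stream $Stream -TotalCount $Count -Encoding Byte }
}

function Find-NamedStreams {
    param([string]$Root)
    # Plain dir/Explorer only show the unnamed :$DATA stream; -Stream * lists all
    Get-ChildItem -Path $Root -File -Recurse -Force |
        Get-Item -Stream * -ErrorAction SilentlyContinue |
        Where-Object { $_.Stream -ne ':$DATA' } |
        ForEach-Object {
            $head = @(Read-StreamHead -Path $_.FileName -Stream $_.Stream)
            [pscustomobject]@{
                File        = $_.FileName
                Stream      = $_.Stream
                Length      = $_.Length
                # 'MZ' header: the stream holds a PE image, not just data
                LooksLikePE = ($head.Count -ge 2 -and $head[0] -eq 0x4D -and $head[1] -eq 0x5A)
            }
        }
}

# --- demo: build the carrier file and hide a PE in a named stream ---
$demoDir = Join-Path $env:TEMP 'ads-demo'
New-Item -ItemType Directory -Path $demoDir -Force | Out-Null
$carrier = Join-Path $demoDir 'notes.txt'
Set-Content -Path $carrier -Value 'innocent looking text file'   # visible :$DATA stream

$payload = [System.IO.File]::ReadAllBytes("$env:SystemRoot\System32\calc.exe")
Write-StreamBytes -Path $carrier -Stream 'hidden.exe' -Bytes $payload

# The carrier's reported size is the visible stream only; the PE is invisible here
Get-Item -Path $carrier | Select-Object Name, Length

# The on-demand walk finds notes.txt:hidden.exe and recognises the PE header
Find-NamedStreams -Root $demoDir | Format-Table -AutoSize

Remove-Item -Path $demoDir -Recurse -Force
```

On a real host, run Find-NamedStreams against user-writable trees rather than the whole volume first; Zone.Identifier streams on downloaded files are normal and will show up with LooksLikePE false, which is exactly the noise an AV vendor weighing the cost of scanning every stream would have to filter.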