Information Security News mailing list archives

Re: Kaspersky Lab refutes accusations about the spreading of "virushysteria"


From: InfoSec News <isn () C4I ORG>
Date: Wed, 13 Sep 2000 02:21:04 -0500

Forwarded By: Chris Brenton <cbrenton () sover net>


Berislav Kucan wrote:

Given the latest events, Kaspersky Lab would like to once again
confirm its position regarding the danger present in the NTFS
alternate data streams (ADS) (for more details see here). Furthermore,
we state that by continuing to ignore the problem and not taking
similar steps, steps that Kaspersky Lab has already taken and continues
to take, to bring their anti-virus product up to contemporary
standards, the aforementioned competitor anti-virus companies are
neglecting their users' anti-virus security.

As someone who has been slowly circulating a similar advisory for the
past two months, I have to agree. I think the problem comes down to
three key areas:

1) Virus scanning has become reactive rather than proactive
2) Streams is viewed as a directory rather than an alternate file system
3) Vendors assume they can signature tag everything in named streams

To the first point, I've received quite a few responses from virus
vendors on my advisory. The typical statement is "If someone writes an
alternate stream virus we will identify a way of catching it". In short,
"until there is a problem there is no problem". This attitude is
somewhat contradictory to the way the rest of the security industry
works. Yes many things are done on a reactive basis but we also try to
be proactive as much as possible. Can you imagine the backlash an OS
vendor would receive if they made the statement "we'll fix the problem
when there is evidence that people are exploiting it". In effect this
has become the norm of the virus scanning industry. Wait till there is a
problem and write code to catch it.

One vendor even lectured me on it not being "cost effective" to try and
be proactive. They also complained that they would no longer be able to
use the same product to support WinNT, Win2K, Win98, etc. I will not
even comment on this point but I think it shows that a serious change in
attitude is required in how the industry views anti-virus technology.
IMHO, checking alternate streams is a small step in heading off a
potentially large scale problem.

To the second point, my personal fear is not that a perp will use
alternate streams to hide their code, but to actually turn a virus
scanner against the system it's supposed to be protecting. For example
take your favorite VBS virus and associate it with a named stream
executable. When the executable is launched the virus will be detected
but if the scanner is not alternate streams aware the only method of
cleaning is deletion of both files. If the scanner was alternate streams
aware performing a proper cleaning would be trivial. While I listed a
number of potential delivery methods in my advisory, it appears that
this issue will not be addressed by many vendors until there is actually
code in the wild. <sigh>

To the final point, while it is true you cannot launch alternate stream
files directly, it is trivial to make calls to code located in this
area. For example:

:: cmd.exe on NT/2000: the main (unnamed) stream holds only a line of text
echo "this is the main file" > file1.txt
:: copy an executable into a named stream of that same file (cmd's native
:: copy; the original used cp). dir still shows file1.txt at its main-stream size.
copy c:\winnt\explorer.exe file1.txt:explorer.exe
:: launch the code in the named stream directly (worked on NT/2000; later
:: Windows versions no longer execute a stream this way)
start file1.txt:explorer.exe

Foundstone has done a number of great lectures where they show the
simplicity of the above. It's also possible to perform this call directly
with a minimal amount of code. Now think about randomizing the alternate
stream name, randomize infected file, etc. and this leaves very little
code to try and flag in the main stream file area and could result in so
many false positives that the check would be of little help. The only
real way to resolve the problem is to check the alternate stream area
where the bulk of the virus code resides.

So IMHO the fact that alternate streams are ignored by many virus
scanning vendors (as well as a few backup vendors) is a real problem
that needs to be addressed. I would really hate to see this turn into a
situation where a mass infection is required for vendors to sit up and
take notice.

Regards,
Chris
--
**************************************
cbrenton () sover net

* Mastering Cisco Routers
http://www.amazon.com/exec/obidos/ASIN/078212643X/
* Mastering Network Security
http://www.amazon.com/exec/obidos/ASIN/0782123430/
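The following is an added example, not part of Chris's post or of any vendor's product, showing what "alternate streams aware" scanning looks like in practice: enumerate every NTFS stream of a file with the Win32 FindFirstStreamW/FindNextStreamW API (via Python's ctypes; the enumeration itself only runs on Windows), scan each stream's contents, and then clean by deleting only the infected named stream instead of the whole file, which is the point made above about turning a scanner against its own system. The signature string and the in-memory sample file are constructed for the demonstration.

```python
"""ADS-aware file scanner: enumerate every NTFS data stream of a file, scan each
one separately, and clean only the infected stream rather than deleting the file.
Stream enumeration uses Win32 FindFirstStreamW via ctypes (Windows only); the
scanning and cleanup-planning logic is plain Python and runs anywhere."""
import ctypes
import os
import sys

MAX_PATH = 260
INVALID_HANDLE_VALUE = ctypes.c_void_p(-1).value

# Constructed test signature for this example; a real scanner has a signature DB.
SIGNATURES = {b"HYPOTHETICAL-VIRUS-SIGNATURE": "Hypothetical.Test.VBS"}


class WIN32_FIND_STREAM_DATA(ctypes.Structure):
    # Layout documented for FindFirstStreamW with FindStreamInfoStandard.
    _fields_ = [("StreamSize", ctypes.c_longlong),
                ("cStreamName", ctypes.c_wchar * (MAX_PATH + 36))]


def list_streams(path):
    """Return [(stream_name, size)] for every stream of `path`.
    Names come back as ':$DATA' (main stream) or ':name:$DATA'. Windows only."""
    if sys.platform != "win32":
        raise OSError("NTFS stream enumeration needs the Win32 API")
    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    k32.FindFirstStreamW.restype = ctypes.c_void_p
    k32.FindFirstStreamW.argtypes = [ctypes.c_wchar_p, ctypes.c_int,
                                     ctypes.c_void_p, ctypes.c_uint32]
    k32.FindNextStreamW.restype = ctypes.c_int
    k32.FindNextStreamW.argtypes = [ctypes.c_void_p, ctypes.c_void_p]
    k32.FindClose.argtypes = [ctypes.c_void_p]
    data = WIN32_FIND_STREAM_DATA()
    handle = k32.FindFirstStreamW(path, 0, ctypes.byref(data), 0)  # 0 = FindStreamInfoStandard
    if handle in (None, INVALID_HANDLE_VALUE):
        raise ctypes.WinError(ctypes.get_last_error())
    streams = []
    try:
        while True:
            streams.append((data.cStreamName, data.StreamSize))
            if not k32.FindNextStreamW(handle, ctypes.byref(data)):
                break  # ERROR_HANDLE_EOF: no more streams
    finally:
        k32.FindClose(handle)
    return streams


def scan_bytes(blob):
    """Names of every signature found in one stream's contents."""
    return [name for sig, name in SIGNATURES.items() if sig in blob]


def scan_streams(streams):
    """streams: {stream_name: bytes} for one file.
    Returns {stream_name: [hits]} containing only the streams with findings."""
    result = {}
    for name, blob in streams.items():
        hits = scan_bytes(blob)
        if hits:
            result[name] = hits
    return result


def cleanup_plan(findings):
    """Decide how to clean a file from scan_streams() output.
    Only named streams infected: delete those streams, keep the file.
    Main stream infected: the file itself has to go."""
    if not findings:
        return ("clean", [])
    if ":$DATA" in findings:
        return ("delete_file", sorted(findings))
    return ("delete_streams", sorted(findings))


def scan_file(path):
    """Windows: open() accepts 'file.txt:name:$DATA', so each stream is read by name."""
    contents = {}
    for name, _size in list_streams(path):
        with open(path + name, "rb") as fh:
            contents[name] = fh.read()
    return scan_streams(contents)


def remove_stream(path, stream_name):
    """Delete one named stream; DeleteFile on 'file:name' removes only that stream."""
    if stream_name == ":$DATA":
        raise ValueError("refusing to treat the main stream as a named stream")
    os.remove(path + stream_name.rsplit(":", 1)[0])  # ':x:$DATA' -> 'file:x'


if __name__ == "__main__":
    # Constructed in-memory file mirroring the echo/copy trick in the post:
    # harmless text in the main stream, the payload in a named stream.
    sample = {":$DATA": b"this is the main file\r\n",
              ":explorer.exe:$DATA": b"MZ\x90\x00HYPOTHETICAL-VIRUS-SIGNATURE"}
    found = scan_streams(sample)
    print(found, cleanup_plan(found))
    if len(sys.argv) > 1:  # real file on an NTFS volume, Windows only
        print(scan_file(sys.argv[1]))
```

Run with no arguments on any platform to see the in-memory case; on Windows, pass a path on an NTFS volume to enumerate and scan its real streams. The `cleanup_plan` split is the part that matters for the thread: a scanner that only sees the main stream can report the file as infected but has no choice but to delete `file1.txt`, while one that enumerates streams can remove just `file1.txt:explorer.exe`.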

ISN is hosted by SecurityFocus.com
---
To unsubscribe email LISTSERV () SecurityFocus com with a message body of
"SIGNOFF ISN".
