Vulnerability Development mailing list archives

Re: Windows file problem


From: Brian Battle <brian () CONFLUENCE COM>
Date: Tue, 10 Oct 2000 18:05:23 -0400

Microsoft has an old MSJ article on streams at:
http://www.microsoft.com/msj/defaultframe.asp?page=/msj/1198/ntfs/ntfs.htm

Also has other little-known NTFS features such as reparse points, encrypted
streams, and hard links.

-----Original Message-----
From: Paul Taylor [mailto:ptaylor () MARTNET COM]
Sent: Monday, October 09, 2000 8:55 PM
To: VULN-DEV () SECURITYFOCUS COM
Subject: Re: Windows file problem


From http://patriot.net/~carvdawg/ads.html:

Finding alternate data streams
Corporate information security policies should require that administrators
perform regularly scheduled scans, particularly of key systems, to verify
compliance with configuration standards. These scans should include a tool
or process for detecting alternate data streams. Two tools available for
detecting alternate data streams are:

       Streams.exe, written by Mark Russinovich and available from
http://www.sysinternals.com/misc.htm#Streams

       "LADS", written by Frank Heyne and available from
http://www.heysoft.de/index.htm

These tools use the BackupRead() and BackupSeek() API calls to locate
alternate data streams.

Paul Taylor
QVC, Inc., Data Security
(610) 701-8761


On Mon, 9 Oct 2000, Flaherty, Jack wrote:

Yep.  This has been a potential security risk for quite some time now
because these extra file streams can be dropped anywhere (possibly behind
important DLLs, etc.)  They're perfect places to hide rootkits, stolen
nuclear hard drive images, etc.

Uhhh...Some white-hat group released a program to find file streams and
delete them if necessary.  I thought it was the L0pht, but I can't seem to
remember now and I sure can't find it on their site.  URL someone?

amp
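
Added example, not part of the original thread or of either tool's source: the BackupRead() call mentioned above returns a file as a sequence of WIN32_STREAM_ID records, and a scanner finds alternate data streams by walking those headers and flagging any with stream ID BACKUP_ALTERNATE_DATA. The portable C below parses such a buffer; `count_ads` and `SAMPLE` are hypothetical names, and the sample bytes are constructed rather than captured from a real file.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BACKUP_ALTERNATE_DATA 4u /* dwStreamId of a named (alternate) stream */
#define HDR_LEN 20u /* dwStreamId, dwStreamAttributes, Size, dwStreamNameSize */

/* Constructed sample: unnamed BACKUP_DATA stream "hello", then ADS ":h:$DATA". */
static const uint8_t SAMPLE[] = {
    1,0,0,0, 0,0,0,0, 5,0,0,0,0,0,0,0, 0,0,0,0, 'h','e','l','l','o',
    4,0,0,0, 0,0,0,0, 3,0,0,0,0,0,0,0, 16,0,0,0,
    ':',0,'h',0,':',0,'$',0,'D',0,'A',0,'T',0,'A',0, 'a','b','c' };

/* Read a little-endian 32-bit value. */
static uint32_t rd32(const uint8_t *p) {
    return p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Walk the records; return the number of alternate streams, or -1 if malformed.
   The first ADS name is copied to `name` (ASCII subset of UTF-16LE only). */
int count_ads(const uint8_t *buf, size_t len, char *name, size_t cap) {
    size_t off = 0;
    int found = 0;
    while (off < len) {
        if (len - off < HDR_LEN) return -1;            /* truncated header */
        uint32_t id = rd32(buf + off);
        uint64_t size = rd32(buf + off + 8) | (uint64_t)rd32(buf + off + 12) << 32;
        uint32_t nlen = rd32(buf + off + 16);          /* name length in bytes */
        size_t rest = len - off - HDR_LEN;
        if (nlen % 2 || nlen > rest || size > rest - nlen) return -1;
        if (id == BACKUP_ALTERNATE_DATA && found++ == 0 && cap > 0) {
            size_t n = nlen / 2 < cap - 1 ? nlen / 2 : cap - 1;
            for (size_t i = 0; i < n; i++)             /* keep low byte of each WCHAR */
                name[i] = (char)buf[off + HDR_LEN + 2 * i];
            name[n] = '\0';
        }
        off += HDR_LEN + nlen + (size_t)size;          /* skip name and stream data */
    }
    return found;
}

int main(void) {
    char name[64] = "";
    int n = count_ads(SAMPLE, sizeof SAMPLE, name, sizeof name);
    printf("alternate streams: %d, first: %s\n", n, name);
    return n < 0;
}
```

On Windows the buffer would come from BackupRead() on an open file handle, with BackupSeek() used to skip each stream's data instead of reading it.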


