Alternate Data Streams


phasechange
July 15th, 2006, 01:06 PM
I had been pondering how well Alternate Data Streams are examined when I came across this article: http://www.cio.com/blog_view.html?CID=23011

-{ Quote: ""Saving your data into Alternate Data Streams is usually enough to hide from many tools," wrote F-Secure researcher Antti Tikkanen in a company blog.

"However, in this case, the stream is further hidden using rootkit techniques ... because Mailbot.AZ is hiding something that’s not readily visible; it’s very likely that many security products will have a tough time dealing with this one."" }-

Care to comment on Alternate Data Streams for hiding threats and how novel this "rootkit" is? In addition, how well do NOD32, KAV, etc. cope with this sort of threat, and are old-fashioned techniques still good enough when kernel mode execution is used? I should probably have posted this in Other AV (we don't have a "general virus" board, do we?).

Fairy
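For readers who want to see what "hiding in an Alternate Data Stream" looks like from the defender's side, here is an added example (not part of the original post, nor any vendor's tool) that enumerates named NTFS streams under a directory with PowerShell's built-in Get-Item -Stream support. It assumes PowerShell 3.0 or later on an NTFS volume; the root path and the function name are placeholders chosen for this example.

```powershell
# Added example: enumerate named NTFS alternate data streams under a directory.
# Assumes PowerShell 3.0+ on an NTFS volume; the path used below is a placeholder.
function Find-AlternateDataStreams {
    param(
        [Parameter(Mandatory)] [string] $Root
    )

    Get-ChildItem -LiteralPath $Root -Recurse -File -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            # '-Stream *' lists every stream of the file. ':$DATA' is the file's
            # ordinary contents, so anything else is an alternate data stream.
            Get-Item -LiteralPath $_.FullName -Stream * -ErrorAction SilentlyContinue |
                Where-Object { $_.Stream -ne ':$DATA' } |
                ForEach-Object {
                    [pscustomobject]@{
                        File   = $_.FileName
                        Stream = $_.Stream
                        Bytes  = $_.Length
                    }
                }
        }
}

# Usage with a placeholder path. 'Zone.Identifier' is the stream Windows itself
# writes on downloaded files, so it is filtered out to reduce noise; every other
# named stream is listed for review.
Find-AlternateDataStreams -Root 'C:\Users\Public' |
    Where-Object { $_.Stream -ne 'Zone.Identifier' } |
    Format-Table -AutoSize
```

To inspect a stream that the listing turns up, Get-Content -LiteralPath <file> -Stream <name> reads it like any other file. The caveat that matches the point of the article quoted above: this is a user-mode enumeration through the normal file system API, so a kernel-mode rootkit that filters directory and stream queries will hide its stream from this script just as it hides it from a scanner; in that case the stream only becomes visible when the volume is examined offline or through a tool that reads the MFT directly, which is what the forensic approach in the Forensic Focus paper linked later in this thread relies on.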

Bubba
July 15th, 2006, 02:41 PM
-{ Quote: "I should probably have posted this in Other AV" }-good thought and now it has been done ;)

phasechange
July 15th, 2006, 03:14 PM
Thanks Bubba :D

StevieO
July 15th, 2006, 03:38 PM
Here's a few links which might interest you.
______________________________________________

Analysis of hidden data in the NTFS file system

http://www.forensicfocus.com/hidden-data-analysis-ntfs

The full paper in a PDF is here

www.forensicfocus.com/downloads/ntfs-hidden-data-analysis.pdf


Nick Skrepetos of SUPERAntiSpyware has stated the following,
_______________________________________________

"Viruses and Spyware/Malware are converging in regards to the some of the methods used to install and/or hide. Viruses typically "attach" themselves to other files. We are finding several spyware/malware applications that are using the Alternate Data Streams to hide within files on NTFS volumes.

As the detection methods of the anti-spyware applications get better, so will the ways the spyware/malware vendors use to hide and/or install."
_______________________________________________

Cloaking Technology of KAV, SAV, etc. Discussed

http://www.dslreports.com/forum/remark,15234821


StevieO

phasechange
July 15th, 2006, 04:10 PM
The Forensic Focus article is very interesting. I also thought Nick Skrepetos is bang on about the convergence although there is also the question as raised by KAV5 of antimalware programs converging with malware and using similar techniques. Even malware mimics antivirus programs these days... with some malware fighting other malware.

My main interest of course is the evolution of the response to threats. I am particularly interested in how different programs take different approaches to the same problems. Features such as KAV's Scan Startup Objects not being seen in NOD32, for example.

Fairy