View Full Version : No ADS found in powershadow 2.6
Horus37
March 12th, 2007, 06:30 AM
I've run 4 different ADS detectors on powershadow 2.6 downloaded from the original powershadow.com website and can find no ADS associated with it other than what XP service pack 2 assigns to ANY internet downloaded program -
This stream is called Zone.Identifier and contains the following information:
D:\Tmp>more < TestZip.zip:Zone.Identifier
[ZoneTransfer]
ZoneId=3
This information will show up on most ADS detectors. Yet I find no additional ADS from the installer from the website. Still don't know why the sizes between the download site at TUCOWS and powershadow are different. I wonder WHO put the file on the tucows website?
chew
March 12th, 2007, 07:55 AM
-{ Quote: "I've run 4 different ADS detectors on powershadow 2.6 downloaded from the original powershadow.com website and can find no ADS associated with it other than what XP service pack 2 assigns to ANY internet downloaded program -
This stream is called Zone.Identifier and contains the following information:
D:\Tmp>more < TestZip.zip:Zone.Identifier
[ZoneTransfer]
ZoneId=3
This information will show up on most ADS detectors. Yet I find no additional ADS from the installer from the website. Still don't know why the sizes between the download site at TUCOWS and powershadow are different. I wonder WHO put the file on the tucows website?" }-
Horus37,
Thanks for all the work. :thumb:
I have the PS version 2.6 from the original site but according to yankinNcrankin, Assassin did identify ADS in that version ...
So have you tried using Assassin to detect ADS?
http://www.wilderssecurity.com/showpost.php?p=950273&postcount=3
Cheers
Chew
Horus37
March 12th, 2007, 08:11 AM
Yes, I've used Assassin ADS detector on it as well and pointed it right at the file to examine it and the whole C: drive as well. Just finds ADS on some downloaded files in my documents folder and all the same size - 26 bytes on several files. I'm waiting for yankin to follow up with how he determined that it had an ADS attached to it other than what xpsp2 already does to it when it gets downloaded. Might be a good idea to contact the company in an email and ask them about the possibility of an ADS in the program but so far I can't find one.
By the way if you download these programs from within firefox you don't get the xpsp2 zone ADS. Size 3,978,016 bytes 3,801,088 bytes on disk. = 3.62 MBs?
Anyways I need more clarification on this and who put the file up on tucows.
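The `more < file:Zone.Identifier` trick above reads one stream of one file. As an added example (not code from anyone in this thread), the PowerShell below walks a folder, lists every named stream, decodes the XP SP2 Zone.Identifier marker, and flags any stream that is not that marker, which is the check the 4 detectors were doing by hand; the folder path and the `Get-AdsReport` name are my own choices, and it assumes PowerShell 3.0 or later for the `-Stream` parameter.

```powershell
# URLZONE values written by the Attachment Execution Service; ZoneId=3 is "Internet".
$ZoneNames = @{ 0 = 'Local machine'; 1 = 'Local intranet'; 2 = 'Trusted sites'
                3 = 'Internet';      4 = 'Restricted sites' }

function Get-AdsReport {
    param([Parameter(Mandatory)][string]$Path)

    Get-ChildItem -Path $Path -File -Recurse | ForEach-Object {
        $file = $_
        # -Stream * returns the unnamed ':$DATA' stream plus every named stream on the file.
        Get-Item -Path $file.FullName -Stream * -ErrorAction SilentlyContinue |
            Where-Object { $_.Stream -ne ':$DATA' } |
            ForEach-Object {
                $zoneName = ''
                if ($_.Stream -eq 'Zone.Identifier') {
                    # Content is "[ZoneTransfer]\r\nZoneId=3\r\n": 14+2+8+2 = 26 bytes,
                    # which is the 26-byte stream size the detectors kept reporting.
                    $content = Get-Content -Path $file.FullName -Stream Zone.Identifier -Raw
                    if ($content -match '(?m)^ZoneId=(\d+)') {
                        $zoneName = $ZoneNames[[int]$Matches[1]]
                    }
                }
                [pscustomobject]@{
                    File    = $file.FullName
                    Stream  = $_.Stream
                    Bytes   = $_.Length
                    Zone    = $zoneName
                    # Anything other than the browser zone marker deserves a closer look.
                    Suspect = ($_.Stream -ne 'Zone.Identifier')
                }
            }
    }
}

# Usage: every named stream under the download folder, suspect ones listed first.
Get-AdsReport -Path "$env:USERPROFILE\Downloads" |
    Sort-Object Suspect -Descending | Format-Table -AutoSize

# To drop only the Zone.Identifier marker from a file you have decided to trust
# (same effect as the "Unblock" button in the file's Properties dialog):
# Unblock-File -Path "$env:USERPROFILE\Downloads\installer.exe"
```

Note that the report lists only what NTFS itself returns; a rootkit that filters directory enumeration, as StevieO's Gromozon example later in the thread describes, hides streams from this the same way it hides them from a GUI scanner.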
chew
March 12th, 2007, 08:21 AM
-{ Quote: "Yes, I've used Assassin ADS detector on it as well and pointed it right at the file to examine it and the whole C: drive as well. Just finds ADS on some downloaded files in my documents folder and all the same size - 26 bytes on several files. I'm waiting for yankin to follow up with how he determined that it had an ADS attached to it other than what xpsp2 already does to it when it gets downloaded. Might be a good idea to contact the company in an email and ask them about the possibility of an ADS in the program but so far I can't find one." }-
I think Meriadoc managed to email the company in China and received a reply so I should think that's the best place to ask? But you need to write in Chinese, though.
I downloaded Assassin but have not installed it yet and yankinNcrankin assassinated the ADS without problem. I am not sure if that was prior or after installation of PS.
:)
aigle
March 12th, 2007, 12:36 PM
-{ Quote: "I think Meriadoc managed to email the company in China and received a reply so I should think that's the best place to ask? But need to write in Chinese though. " }-
Hi Chew! U can get a reply in English from here within 24 hours. No Chinese needed.
support@powershadowsecurity.com
chew
March 12th, 2007, 12:47 PM
-{ Quote: "Horus37: By the way if you download these programs from within firefox you don't get the xpsp2 zone ADS. Size 3,978,016 bytes 3,801,088 bytes on disk. = 3.62 MBs?" }-
I think I used IE7 instead of FF (no script so download was awkward) if I can recall.
-{ Quote: " aigle: Hi Chew! U can get a reply in English from here within 24 hours. No Chinese needed." }-
I will ask here first then perhaps the PS support to get the full details.;D
Cheers
Chew
Meriadoc
March 12th, 2007, 06:18 PM
-{ Quote: "...No Chinese needed." }-
Yes, direct all support questions to the link in aigle's post support@powershadowsecurity.com - my queries were before the English site (http://powershadowsecurity.com) was up.
-{ Quote: "I will ask here first then perhaps the PS support to get the full details." }-
I don't know anything of the ADS, but tech is checking it.
yankinNcrankin
March 12th, 2007, 08:51 PM
Answer to the ADS zone identifiers etc etc etc all are detected as ADS. ADS are ADS whether it be safe or malicious in nature; for ADS to get attached to a .exe file through downloading is enough to raise an alert for me, I'll have no ADS on my box. However I use firefox latest version for all my browsing and downloading of files so I don't know why there was ADS on the .exe at http://www.powershadow.com/en/product.htm. So I can't be entirely sure if ADS was inside of the .exe installer or if I picked it up with firefox. I was trying to figure out why the Tucows version and the official site versions were different in size. That being said, Horus, zone identifiers are ADS even if it's not malicious, just so you know that. If possible could you paste that ADS zone identifier here, I would like to see its contents, maybe you can dump it or HEX, thanks.
I'm a DL the program over and figure this out for myself brb in a few.
-
LoneWolf
March 12th, 2007, 09:38 PM
So what are some other ADS scanners other than assassin?
yankinNcrankin
March 12th, 2007, 09:38 PM
I re-DL'ed the program and ran Assassin and found no ADS so I don't know what to say. About a month ago I DL'ed the program and it had ADS in it and the only program that could detect it was assassin. That's the end of my part.
chew
March 12th, 2007, 10:04 PM
-{ Quote: "Yes, direct all support questions to the link in aigle's post support@powershadowsecurity.com - my queries were before the English site (http://powershadowsecurity.com) was up.
I don't know anything of the ADS, but tech is checking it." }-
Yes, I have emailed them regarding the different file size from two different sites plus the question about ADS.
Now I just have to wait for their answer.
:)
ako
March 13th, 2007, 03:35 AM
-{ Quote: "Yes, I have emailed them regarding the different file size from two different sites plus the question about ADS.
Now I just have to wait for their answer.
:)" }-
By the way, when looking with a hex editor both files show the same version number: 2.60611, not 2.60511 shown on the website.
Horus37
March 13th, 2007, 04:45 AM
-{ Quote: "So what are some other ADS scanners other then assassin?" }-
The ADS detectors I know of and used are Assassin, ADSspy, streams, and LADS. I found one called Sfind but haven't used it as it comes bundled with other software from foundstone.
Horus37
March 13th, 2007, 04:50 AM
-{ Quote: "Answer to the ADS zone identifiers etc etc etc all are detected as ADS. ADS are ADS whether it be safe or malicious in nature; for ADS to get attached to a .exe file through downloading is enough to raise an alert for me, I'll have no ADS on my box. However I use firefox latest version for all my browsing and downloading of files so I don't know why there was ADS on the .exe at http://www.powershadow.com/en/product.htm. So I can't be entirely sure if ADS was inside of the .exe installer or if I picked it up with firefox. I was trying to figure out why the Tucows version and the official site versions were different in size. That being said, Horus, zone identifiers are ADS even if it's not malicious, just so you know that. If possible could you paste that ADS zone identifier here, I would like to see its contents, maybe you can dump it or HEX, thanks.
I'm a DL the program over and figure this out for myself brb in a few.
-" }-
Well I'll see what I can dig up on what gets sneaked into the ADS when you download in IE vs firefox. Evidently IE6 xpsp2 adds the ADS zone identifier if you download anything from the internet whereas supposedly firefox doesn't. I have 26 bytes of info attached to almost all my downloaded files from the internet and that is all that the ADS detectors find and I'm assuming it's from IE not any malicious thing. I'll soon find out. Might be some hidden bytes from using FDISR.
EASTER.2010
March 13th, 2007, 05:31 AM
-{ Quote: "Hi Chew! U can get a reply in English from here within 24 hours. No Chinese needed.
support@powershadowsecurity.com" }-
Have you asked them yet if any progress is in the offing for exiting Shadow-Mode as well as the way it enters without a reboot? That's a version I know many of us would prefer and likely for them to gain additional support.
EASTER
chew
March 13th, 2007, 08:45 AM
-{ Quote: "By the way, when looking with a hex editor both files show the same version number: 2.60611, not 2.60511 show on the website." }-
ako,
Could you tell us which sites they correspond to exactly?
Version no: 2.60611 belongs to which site? Original or Tucows etc?
Version no: 2.6051 belongs to which site? Original or Tucows etc?
Hhmmm ... ???
-{ Quote: "Have you asked them yet if any progress is in the offing for exiting Shadow-Mode as well as the way it enters without a reboot? That's a version I know many of us would prefer and likely for them to gain additional support. EASTER" }-
EASTER,
I was thinking of asking that and making a suggestion along those lines but abandoned the thought as I did not want to complicate the matter.
So unfortunately I did not ask them about future progress as I did not know who would be reading my email and just in case there is a language barrier.
I hate to see them being put off by too many questions and having to sit down with a dictionary trying to understand my email.
;D
ako
March 13th, 2007, 09:37 AM
tucows-file: hex-editor gives 2.60611
powershadow-file: hex-editor gives 2.60611
www.powershadow.com says it should be 2.60511
P.S. I do not understand this fuss about a possible ADS attached to the file. It is a curious fact, but it has nothing to do with security risks. Moreover, I do not see any, at least not with adsspy.
StevieO
March 13th, 2007, 03:18 PM
@ ako
Hi, you said (I do not understand this fuss about a possible ADS attached to the file. It is a curious fact, but it has nothing to do with security risks)
Here's just one example of why people should be concerned about ADS in NTFS partitioned disks.
Linkoptimizer a.k.a. Gromozon
The downloaded malware, when executed, installs
A rootkit
Various files hidden through ADS (Alternate Data Streams)
Random files encrypted using EFS
Linkoptimizer (hidden by a rootkit)
Once you get infected, Linkoptimizer downloads other Trojans and adware and installs other spyware applications, and pops up several IE pages which redirect users to other malicious websites as well. With all of these installed, the machine is nearly unusable and really tough to clean up. You can easily find a machine infected by Linkoptimizer hosting more than 10 or 20 different malware.
http://216.239.59.104/search?q=cache:DVqnZFPZ2TAJ:blog.trendmicro.com/2006/12/08/+blog.trendmicro.com+alternate+data+streams&hl=en&ct=clnk&cd=1&gl=uk
@ travellinman
Here you go.
Streams - http://www.sysinternals.com/Utilities/Streams.html
NTFS Streams Eraser - http://www.excessive-software.eu.tt/ - NTFS Streams Eraser is a limited GUI (Graphic User Interface) application for program Streams by Sysinternals.
ADS Spy - http://www.spywareinfoforum.com/~merijn/ - also ADS Spy is integrated into HJT HijackThis. This is a very nice comprehensive tool which can really help in Malware infection analysis/detection etc, and is also Free.
LADS - List Alternate Data Streams - http://www.heysoft.de/Frames/f_faq_ads_en.htm
LNS - List NTFS Streams - http://ntsecurity.nu/toolbox/lns/
SFind - http://www.foundstone.com/resources/proddesc/forensic-toolkit.htm
StevieO
ako
March 13th, 2007, 05:33 PM
-{ Quote: "@ ako
Hi, you said (I do not understand this fuss about a possible ADS attached to the file. It is a curious fact, but it has nothing to do with security risks)
Here's just one example of why people should be concerned about ADS in NTFS partitioned disks.
Linkoptimizer a.k.a. Gromozon
" }-
Yes, in many occasions malware uses today ADS for hiding data. But as such they are as harmless as normal files, that are, by the way, also used by malware. ;D
P.S. Anyone interested in highly sophisticated malware, should read Marco Giuliano's (from Prevx) report on Gromozon.
fcukdat
March 13th, 2007, 06:50 PM
Just food for thought for the conspiracists present. If this software was going to use ADS for some dark reason then surely the inventive coders would hide the aforementioned streams whilst the software is installed, if they existed :P
So really what folks want to do is uninstall and then check for vacated ADS;)
chew
March 13th, 2007, 07:29 PM
Folks,
How do you Uninstall Power Shadow cleanly?
I read on their website the following instruction.
-{ Quote: "How do I uninstall PowerShadow?
To completely remove and uninstall PowerShadow, follow these steps:
1, From the Control Panel, double-click "Add/Remove Programs"
2, Highlight the PowerShadow entry
3, Click "Remove or Add/Remove". This removes the PowerShadow program files from your computer. " }-
So how do I remove them cleanly? I mean I want to make sure I remove my version that contains ADS, including the ADS, cleanly and then re-install a version without, i.e. from Tucows.
???
p/s: no reply from the PS Support yet since I emailed them. It's more than 24 hrs now.
EASTER.2010
March 14th, 2007, 01:59 AM
-{ Quote: "P.S. I do not understand this fuss about a possible ADS attached to the file. It is a curious fact, but it has nothing to do with security risks. Moreover, I do not see any, at least not with adsspy." }-
I wouldn't get your hemorrhoids in an uproar over it, just select the installer minus the ADS and all is well.
There is nothing, and I repeat, nothing harmful or risky in Power Shadow at all but it can be of concern for some who would rather not take the chance, so go for the program without the ads like I have.
Power Shadow is a wonderful creation and saves a ton of headaches and aggravations experienced from even the most legit of shadowers like ShadowSurfer to name one i'm happy to have found a replacement for.
Horus37
March 14th, 2007, 12:41 PM
My concern now is that even though no ADS might be found in the installer or in the program itself, how does powershadow clean out the ADS of programs we install in our computer during a shadowed session? Surely lots of malware testers out there can find out by downloading known ADS hiding malware and then deleting it by rebooting out of powershadow, then checking that area for left over ADS. Nowhere do I see the info talking about left over ADS from malware we pick up while surfing that powershadow deletes, yet one must assume that it does this. Perhaps I'll send them a message and ask them if it specifically deletes the ADS of malware. That would be the real key to this.
chew
March 15th, 2007, 09:08 PM
Folks,
This is an update reply from PS Support which I emailed 3 days ago.
They are going to release the next version in about 3 months time.:thumb:
Later on I also asked what sort of improvements they would be incorporating in the next version.
Can't wait to see what next version is like.
Cheerio
Chew
-----------------------------------------------------------------------------------------------------
Hi Chew,
Thanks for your love for our PowerShadow.
We don't use Alternate Data Streams in PowerShadow.
We made a very small internal modification and decided to keep the same version number.
When we repackaged the files, Microsoft OS added a file "Thumbs.db" in the directory.
Thumbs.db is Microsoft's way of caching thumbnail images of any image or movie file in a folder.
This file is useless for PowerShadow, but it DOES occupy about 10K space.
That's why the second installation package from our website is a little bit larger than others.
Just relax, both installation packages are the same for end users.
Add our new website ( http://www.powershadowsecurity.com ) to your browser bookmark because we will release a new version in about three months.
--
Customer Support Dept.
PowerShadow Security
Chicago, IL, USA
http://www.powershadowsecurity.com
- Virtualization for Integrity -
------------------------------------------------------------------------------------------------------
Copyright ©2002 - 2012, Wilders Security Forums