#1
On the back of a question posed by OP on this topic with reference to ADS scanning:
http://www.wilderssecurity.com/showthread.php?t=200921

My perspective is that ADS has been utilized by attackers before to store/run their malcode, so in a nutshell it's an area of the OS that needs checking as much as any other. I decided to test out some antimalware (AT/AS) engines to see where things were at.

The 2 samples used have been widely distributed amongst the research forums and vendors alike. Rustock B is around 9 months old and is widely flagged at VT upload (27/32). ~VT results removed per site policy~ Busky was collected around about a year ago and again is widely detected at VT (27/32). ~VT results removed per site policy~

As illustrated in the previously linked topic, SUPERAntiSpyware detected (and subsequently removed) both trojans from ADS.

As an Easter egg (kind of), I copied the ADS files using GMER into a holding folder (Malware Samples) just to see if any of the scanners could identify them when inactive outside of ADS. Here's the latest GMER ADS capture when ADS is present.

First up today. 0 detections of any malware on system. Topic will be edited/updated as results are gathered.

NB: if you have any AT/ASW/AV you would like tested, then if it doesn't cost me I'm happy to test.
__________________
Ade Gill
Malwarebytes Researcher

Last edited by Bubba: February 20th, 2008 at 05:08 PM. Reason: VT results removed
#2
Hi,

I have a question about something I don't understand about your screenshot of GMER and one of the VT links. ~VT results removed per policy~ It's about that Busky malware. In the GMER screenshot I see ext.exe; in the VT screenshot I see exe.exe. Could you please tell some more about that? Thanks.

Last edited by Bubba: February 20th, 2008 at 05:14 PM. Reason: VT results removed
#3
Oops, my apologies to Bubba for that VT link; my fault!
Sorry Bubba!
#4
Quote:
That's my bad eyesight for ya. When using either IceSword or GMER to copy files, they open up the save box dialogue, which is blank. I fill in the missing file name, and well, that is an error on my behalf, not GMER/IceSword etc. The copied file has been incorrectly renamed, so well spotted.
__________________
Ade Gill
Malwarebytes Researcher
#5
Next software tested is Ad-Aware 2007. This botkiller has the option to include ADS scanning.

Some strange quirkiness from this botkiller, as it detected the inactive ext.exe file in holding but failed to detect it loaded into ADS. Anyhow, it detected the service load value for the Busky bot, which on reboot effected a killshot to the active malware as it didn't run, yet as observed the ADS was still left in situ, if inactive. The Ad-Aware log is attached to confirm this, and Rustock B was merrily spamming away unmolested.
__________________
Ade Gill
Malwarebytes Researcher
#6
Quote:
OK, I have bad eyes myself, so I understand. Some questions:

1. Shouldn't that copied file still have the same name (for proper testing)?
2. What is the test environment (for example: is your Process Guard disabled?)?
3. My English is not good enough to understand what you posted about Ad-Aware: "Anyhow it detected the service load value for the Busky bot which on reboot affected a killshot to the active malware as it did'nt run yet as observed the ADS was still left insitu if inactive".
4. Are all nasties that put their nasty load in an ADS stream also doing it on non-ADS? Or at least the tested nasties? How, when? Are you giving info about those details?
5. What exactly is the purpose of your testing?
#7
Quote:
In the case of svchost.exe:ext.exe the filename should be ext.exe, and for System32:lzx32.sys it is lzx32.sys. The ":" denotes the ADS and is not a recognized file symbol should you use the whole ADS address as a filename.

Quote:
Protection is switched off.

Quote:
It detected the inactive *copied* file of the trojan in the holding folder. It failed to detect the trojan that was active in ADS. By removing the service value for the trojan, it prevented the trojan from starting but still left the ADS stream containing the trojan intact.

Quote:
Both trojans solely run from their respective ADS hiding places. The files in the holding folders are inactive copies for referencing and, as in the case of Ad-Aware, have demonstrated a rather unusual bug. The question is why, if the software is scanning ADS, did it fail to detect the ADS-loaded trojan yet could detect the identical (copied) file when it is inactive?

Quote:
That was stated in my first post, but for your benefit again:

Quote:
HTH
__________________
Ade Gill
Malwarebytes Researcher
#8
I have recently myself been experimenting with Alternate Data Streams, and it isn't any wonder why they are included in full malware payload attacks.

By using the simple TYPE c:\anyfile.exe > c:\windows\system32\calc.exe:anyfile.exe, for example, scripting or batch files can easily activate these sub-space activities/actions and proceed to carry out whatever design has been planned for disruptions etc. I used a simple rubberball.exe amusement app I planted in the %systemdrive%, and it seems any file, once launched, turns loose the attached ADS-planted executable at once too. As further explained in this security article http://www.windowsecurity.com/articl...a_Streams.html among many more, of course. In fact, although I have yet to confirm it, it's likely possible to unregister a few dlls to disrupt vbs/js.dll scripts that are needed to open System Restore for common basic users who still rely on those $M recovery/rollback systems, since I experienced a similar event that had me scratching my head until I researched some articles on it. Hence ADS are another one of Microsoft's debacles that they left wide open to be easily exploitable.
__________________
★AX 64 Time Machine★
★Shadow Defender★|
Maxthon 3.3.6 | X Iron 17.0 | Chromium 19.0 | CometBird 11
¶Microsoft Windows 8 64bit (UEFI/GPT) Secure Boot¶
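The TYPE redirect in the post above writes data into a named stream on a host file, which is exactly what makes a stream easy to miss when a scanner only looks at the default `::$DATA` stream. The defender-side counterpart is to list which named streams actually exist. The following is an added example, not code from this thread or from any of the tools it mentions: it parses the output of the Windows `dir /R` command (Vista and later), which lists each named stream as `<host>:<stream>:$DATA`, and flags streams whose names carry a code-bearing extension. The sample listing, its sizes and dates are all constructed for the example; the stream names mirror the `svchost.exe:ext.exe` and `System32:lzx32.sys` cases discussed earlier in the thread. `split_ads_path` also shows the `:` naming rule from post #7 (the stream name, not the whole `host:stream` address, is the file name to save as).

```python
"""Enumerate NTFS alternate data streams from `dir /R` output.

Added example for this thread; not the thread author's or any vendor's code.
`dir /R` prints one extra line per named stream in the form
    <size> <host>:<stream>:$DATA
directly under the host file or directory. Parsing a saved listing is a
quick offline check for the kind of streams the thread discusses.
"""
import re

# Constructed sample of `dir /R` output for two directories (not a real listing).
SAMPLE_DIR_R = r"""
 Volume in drive C has no label.

 Directory of C:\Windows

02/20/2008  05:08 PM    <DIR>          System32
                                 40,960 System32:lzx32.sys:$DATA
02/20/2008  05:08 PM               512 notes.txt
                                    26 notes.txt:Zone.Identifier:$DATA
               1 File(s)            512 bytes

 Directory of C:\Windows\System32

02/20/2008  05:08 PM            14,336 svchost.exe
                                 53,248 svchost.exe:ext.exe:$DATA
02/20/2008  05:08 PM            76,288 calc.exe
               2 File(s)         90,624 bytes
"""

DIR_HEADER = re.compile(r"^\s*Directory of (.+?)\s*$")
# Stream lines have no date column: leading spaces, a size, then host:stream:$DATA.
STREAM_LINE = re.compile(r"^\s+([\d,]+)\s+(.+):([^:\\/]+):\$DATA\s*$")

# Heuristic list of extensions worth looking at first; extend to taste.
EXEC_EXT = (".exe", ".dll", ".sys", ".bat", ".cmd", ".vbs", ".js", ".ps1", ".scr")


def split_ads_path(path):
    """Split 'host:stream' into (host, stream); (path, None) when no stream part.

    A colon in a drive spec (C:\\...) is not a stream separator, and a
    trailing ':$DATA' type suffix from `dir /R` is ignored.
    """
    if path.endswith(":$DATA"):
        path = path[: -len(":$DATA")]
    head, sep, tail = path.rpartition(":")
    if (not sep or not head or not tail or "\\" in tail or "/" in tail
            or head.endswith(("\\", "/"))):
        return path, None
    return head, tail


def find_streams(dir_r_output):
    """Return (host_path, stream_name, size_bytes) for every named stream listed."""
    streams = []
    current_dir = ""
    for line in dir_r_output.splitlines():
        header = DIR_HEADER.match(line)
        if header:
            current_dir = header.group(1).rstrip("\\")
            continue
        m = STREAM_LINE.match(line)
        if not m:
            continue
        size = int(m.group(1).replace(",", ""))
        host = m.group(2)
        if current_dir:
            host = current_dir + "\\" + host
        streams.append((host, m.group(3), size))
    return streams


def flag_executable_streams(streams):
    """Keep streams whose name ends in a code-carrying extension.

    Zone.Identifier (mark-of-the-web) streams are normal on downloaded
    files and are not flagged by this heuristic.
    """
    return [s for s in streams if s[1].lower().endswith(EXEC_EXT)]


if __name__ == "__main__":
    for host, stream, size in flag_executable_streams(find_streams(SAMPLE_DIR_R)):
        print(f"{host}:{stream}  ({size} bytes)")
```

On a live system the same check can be run without saving a listing, for example with PowerShell's `Get-Item -Path <file> -Stream *` and filtering out the `:$DATA` default; the parser above is useful when all you have is a captured `dir /R` output from the machine under test.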
#9
Today's testing.

a2 free (3.1): No ADS scan option, so deep scan selected. The 2 inactive files are detected but the ADS-active files are not detected. My conclusion is a2 does not incorporate ADS scanning into their engine.

AVG ASW free: ADS scanning enabled. Busky is successfully detected and deleted from its ADS. However, Rustock's hidden driver is undetected. Since the botkiller flags the inactive copy of Rustock, I can only conclude that its scanning engine is incapable of detecting the Rustock trojan when it is active. Scan log attached.
__________________
Ade Gill
Malwarebytes Researcher
#10
Today's testing.

CounterSpy 2.5.1043. **Due to an update bug I was unable to upload to the current detections file. This has no bearing on the testing, as both malwares are in the default database on installation.** CS has no option for ADS scan, so full scan was selected. Both inactive files were detected, and a successful detection of Busky in ADS. CounterSpy is blind to loaded Rustock.
__________________
Ade Gill
Malwarebytes Researcher
#11
Hi fcukdat,
I appreciate all the efforts you put into your testing; interesting results, to say the least, between all of these programs. I am really curious to find out, on a clean system, the effectiveness of these programs with real-time protection enabled to block installation of malware. Look forward to seeing more of your tests.

Wake
#12
Quote:
I second both of those. Thanks fcukdat.
#13
Quote:
OK. ADS streams are nothing new. TDS-3 (for example) checked them already many years ago. See for example the screenshot in my posting in the old "Basic configuration" thread in August 2002: http://www.wilderssecurity.com/showp...39&postcount=5

The thread title confused me a little bit after I saw test results coming... As for testing procedure, I might have my own thoughts about that... Nevertheless, I applaud your effort and am looking forward to more to come.
#14
fcukdat,

When GMER saves the file, is it still attached to the original file or has it been removed? Example: attaches the stream to svchost.exe. Also, did you try HijackThis? I think it is supposed to find those streams also. Back in the day RAzor created a program for those pesky things.

Hey FanJ, I remember TDS-3 having that option, but I never really ever saw any on my computers. I don't think anyone made a big deal out of it until Kaspersky started using them to tag all files on your hard drive.
#15
Quote:
Hi C. The GMER ADS flag will copy the file from the stream and not what it is attached to. Attachment 197874. I will test the HJT ADS scan when I get time.
__________________
Ade Gill
Malwarebytes Researcher
#16
In my own research I intend to fashion a vbs file to launch from an alternate data stream while at the same time firing off the START whatever.vbs/.bat from the command line, which is what's required to launch the ADS attached to a system or other file.
#17
PS:
Here is the site of "The List of Lists" with some links to some articles and tools: http://lists.thedatalist.com/pages/NTFS_ADS.php