NTFS : Alternative Data Streams

Interesting article that explains this 'vulnerability'
http://www.windowsecurity.com/articles/Alternate_Data_Streams.html

 

Like rootkits which go back to UNIX days, ADS has been around awhile, and the concept is being put to good use in raising the fear factor amongst those concerned about security.

KAV put the technique to use in a recent version and has raised the level of dialogue almost to the shouting level. A post in the DSL forum touched on this:

http://www.dslreports.com/forum/remark,10819194?hilite=ads

And the whole concept of ADS as a threat was argued back and forth in this thread, begining with May 21 posts, p. 3:

http://www.dslreports.com/forum/remark,13436505

Over in the TDS forum here, there is a thread:

https://www.wilderssecurity.com/showthread.php?t=32861

Like so many ideas being discussed today, including buffer overflow, one has to consider what the probability is that something could be a danger to the home user. I say home user, because some are starting to question what a home user really has to be concerned about. Kareldjag makes this point in the buffer overflow thread in this forum (post #48 )

----------------------------------------
Is a specific buffer overflow protection really necessary for a home user on a Windows system?

I don't think that's it's really necessary.

From a statistical point of view, home users are more concerned by virus, trojans (CWS) and pricipally spywares (hijackers) than by B.O attacks.
-----------------------------------------

So, while it's interesting to read articles such as this one, users should keep things in perspective and realize that without a technical background, one might not really be able to understand/evaluate everything that's being presented. In the KAV thread above, one user bemoaned, "i just barely understand this topic,..."

regards,

-rich

 

heh, of course such things need to be kept in perspective. I personally found it interesting, because my AT, TrojanHunter checks the streams, and I had always wondered what they were.

I also agree with your view on buffer overflows...that it probably isn't worth buying more security apps to protect specifically against them (even if they could comprehensively, which it seems they can't)... but it never hurts learning about them, and checking to see if there are ways to prevent them

Thanks for all the extra links too

 

How do you use this info on streams that your programs are checking?

-rich

 

Every once in a while, out of curiosity, I'll have Ad-Aware do an ADS scan on my full drive. So far, consistently "no new items".

If I take a look at the log for such a scan, then oddly enough (or maybe not so oddly, to someone more knowledgeable) the vast majority of things it turns up but doesn't feel are worth flagging are MID's in my collection.

 

Hi everyone,

A couple of weeks ago, KAV real-time (not on-demand) detected malware in some ADS (one by one) on my friends machine. I was able to scan and clear easily because there were only a handful of ADS on the machine to look at and make a determination. Had there been tens of thousands, (e.g. the KAV 5.0 scenario with iStreams), the problem would have been much more difficult. However, this begs the question of whether those ADS malware would have ever gotten on the machine if KAV was running instead of Norton. . Anyway, he is now running KAV sans ADS.

Rich

 

Rmus, I don't 'use the info' that my programs are checking, they check for trojans in ADS, and remove them. I don't need to know about ADS except that I was curious about what it was.

 

OK, thanks - I wasn't sure what you meant and just was curious...

-rich

 

I use Kav 5.0.325 and I have always used Kavs ADS. It doesn't affect my computers operation, it speeds up my on demand scans and if another malware tries to use the ADS Kav will detect it immediatly with the next on demand scan. Who knows if it would be detected without The ADS streams in use by Kav. Besides Kav didn't invent ADS, microsoft puts them in windows Kav just uses them.

 

Hi Peter and bigc,

There are many security vulnerabilities introduced by ADS, which have been discussed on other thread, that appear to be hardly offset by any performance improvements (especially if the default quarantine period of one year is accepted). Suffice to say, that Kaspersky' engineers have apparently reviewed the pros and cons of using ADS in their product and have ADS from version 6.

Rich