Will TDS show the "Aflooder" stream..

Will TDS show the "Aflooder" stream - and will it allow you to totally obliterate it? Without having to obliterate the system file (System32) that it is contained within?

Please reference this thread: http://www.dslreports.com/forum/remark,7833748~root=security,1~mode=flat~start=40#end (specifically, "golfhou"s post therein).

 

Because it is a stream, TDS will detect an EXE in a stream - this is untested but I dont see how it could hide from the stream detection in TDS

I have a copy of what seems to be this and will be adding detection shortly, it seems to be from adware or spyware ? I dont have much information on it however it does open a connection to an irc server and will be relevant for detection.

I dont think the parent file is legitimate from what I've read though system32.exe is not a MS file and is a common filename used by trojans to LOOK real.

 

Okay, you'll be adding detection for it and that's good.

However, I'm kind of wondering if anything in TDS's "NTFS detection" will block the infection in and of itself.

IOW,

( a ) Is stream detection real-time when Exec Protection is installed?

Or

( b ) Does TDS just detect streams when you run a scan?

If stream detection isn't real-time when Exec Protection is installed - shouldn't it be made to be, given the characteristics of this new malware?

And, if you make stream detection real-time, couldn't it be made to block execution of any stream containing an exe until after it throws up a warning?

We're probably going to be seeing more of these kinds of attacks (involving streams) - and judging by this one, they're all going to be a major PITA to remove after being infected.

Can TDS get it to the point where we don't have to worry about stream infection before it happens? Pete

 

In case anyone is wondering what this is all about, here is some more reading: http://www.spywareinfoforum.com/forums/index.php?act=ST&f=11&t=10456

Regards,

Pieter

 

Exec Protection doesn't detect streams as streams, it just detects/stops code to be executed, the source is not important.

All scanning modules just detect what needs to be detected.

Dolf

 

Hi guys,

Being a TDS3 user myself and having an XP-Home (NTFS) pc....this thread has caught my attention since it is discussing the "NTFS Alternate Data Stream detection", which i am still trying to fully grasp and understand. Also, this AFlooder thing....new malware...and how this new malware will be detected, has me concerned a bit. i would really like to know how the detection of this happens.

Gavin, you said such detection has not been tested yet. (Hoping i have not misunderstood you)..but is there any possibility it can be tested and explained to us? (screenshots are always appreciated by us users still learning about these things)

Dollefie, hi'ya Where you said:

i may be wrong, but i would think it would be, would it not? i sure would want to know what and where the source of something detected as malware was hiding, and remove/delete it if possible.

Thank you for your comments...they help me and others greatly!

snap

 

Exec Prot just blocks code from executing: streams, executables, dll's, scripts, whatever, when it has detected it as malware. It is then up to you to scan and remove that code from your system. Look at Wayne's answer on the same question here:
http://diamondcs.com.au/forum/showthread.php?s=&threadid=1729
(if you have signed up for the TDS private forum)
Dolf

 

The answer to every question you've ever had about NTFS Alternate Data Streams - http://www.diamondcs.com.au/index.php?page=archive&id=ntfs-streams
Perhaps the most comprehensive page on the subject anywhere on the Internet. If there are any questions it doesn't answer, please email me your question(s) at wayne@diamondcs.com.au


*repaired URL tags*