ADS Scanning

Discussion in 'other security issues & news' started by fcukdat, Feb 20, 2008.

Thread Status:
Not open for further replies.
  1. fcukdat

    fcukdat Registered Member

    Joined:
    Feb 20, 2005
    Posts:
    569
    Location:
    England,UK
    On the back of a question posed by OP on this topic with reference to ADS scanning>>>
    https://www.wilderssecurity.com/showthread.php?t=200921

    My perspective is that ADS has been utilized by attackers before to store/run their malcode so in a nutshell it's an area of the OS that needs checking as much as any other:thumb:

    I decided to test out some antimalware(AT/AS) engines to see where things were at.

    The 2 samples used have been widely distributed amongst the research forums and vendors alike.
    Rustock B is around 9 months old and is widely flagged at VT upload (27/32).
    ~VT results removed per site policy~

    Busky was collected around about a year ago and again is widely detected at VT (27/32).
    ~VT results removed per site policy~

    As illustrated in the previously linked topic, SUPERAntiSpyware detected (and subsequently removed) both trojans from ADS.

    As an Easter egg (kind of), I copied the ADS files using GMER into a holding folder (Malware Samples) just to see if any of the scanners could identify them when inactive outside of ADS.

    Here's the latest GMER ADS capture when ADS is present :thumb:
    gmer.jpg

    First up today.
    spybot.jpg

    0 detections of any malware on system.

    Topic will be edited/updated as results are gathered. NB: if you have any AT/ASW/AV you would like tested, then if it doesn't cost me I'm happy to test :)
     
    Last edited by a moderator: Feb 20, 2008
  2. FanJ

    FanJ Updates Team

    Joined:
    Feb 9, 2002
    Posts:
    2,564
    Hi,

    I have a question about something I don't understand about your screenshot of GMER and one of the VT-links,
    ~VT results removed per policy~
    It's about that Busky malware.

    In the GMER screenshot I see ext.exe
    In the VT-screenshot I see exe.exe

    Could you please tell some more about that?
    Thanks.
     
    Last edited by a moderator: Feb 20, 2008
  3. FanJ

    FanJ Updates Team

    Joined:
    Feb 9, 2002
    Posts:
    2,564
    Oops, my apologies to Bubba for that VT-link; my fault!
    Sorry Bubba !
     
  4. fcukdat

    fcukdat Registered Member

    Joined:
    Feb 20, 2005
    Posts:
    569
    Location:
    England,UK

    That's my bad eyesight for ya.
    When using either IceSword or GMER to copy files, they open up the save box dialogue, which is blank. I fill in the missing file name, and well, that is an error on my behalf, not GMER/IceSword etc. The copied file has been incorrectly renamed, so well spotted :thumb:
     
  5. fcukdat

    fcukdat Registered Member

    Joined:
    Feb 20, 2005
    Posts:
    569
    Location:
    England,UK
    Next software tested is Adaware 2007. This botkiller has the option to include ADS scanning :thumb:

    adaware.jpg

    adaware2.jpg

    Some strange quirkiness from this botkiller, as it detected the inactive ext.exe file in holding but failed to detect it loaded into ADS o_O

    Anyhow, it detected the service load value for the Busky bot, which on reboot effected a killshot to the active malware as it didn't run, yet as observed the ADS was still left in situ, if inactive :cautious:

    Adaware log is attached to confirm this, and Rustock B was merrily spamming away unmolested :'(
     

  6. FanJ

    FanJ Updates Team

    Joined:
    Feb 9, 2002
    Posts:
    2,564
    OK, I have bad eyes myself, so I understand.

    Some questions:

    1.
    Shouldn't that copied file still have the same name (for proper testing)?

    2.
    What is the test environment (for example: is your Process Guard disabled?)?

    3.
    My English is not good enough to understand what you posted about Ad-Aware:
    "Anyhow, it detected the service load value for the Busky bot, which on reboot effected a killshot to the active malware as it didn't run, yet as observed the ADS was still left in situ, if inactive".

    4.
    Are all nasties, that put their nasty load in an ADS Stream, also doing it on non-ADS? Or at least the tested nasties? How, when? Are you giving info about those details?

    5.
    What exactly is the purpose of your testing?
     
  7. fcukdat

    fcukdat Registered Member

    Joined:
    Feb 20, 2005
    Posts:
    569
    Location:
    England,UK
    In the case of svchost.exe:ext.exe the filename should be ext.exe
    & System32:lzx32.sys is lzx32.sys.
    The ":" denotes the ADS and is not a recognized file symbol should you use the whole ADS address as a filename.

    Protection is switched off.

    It detected the service created by Busky in order to run the malcode when the system starts up.
    It detected the inactive *copied* file of the trojan in the holding folder.
    It failed to detect the trojan that was active in ADS.
    By removing the service value for the trojan it prevented the trojan from starting but still left the ADS stream containing the trojan intact.

    Both trojans solely run from their respective ADS hiding places.

    The files in the holding folders are inactive copies for referencing and, as in the case of Adaware, have demonstrated a rather unusual bug. The question is: why, if the software is scanning ADS, did it fail to detect the ADS-loaded trojan yet could detect the identical (copied) file when it is inactive o_O

    That was stated in my first post, but for your benefit, again:
    HTH :)
     
  8. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    5,633
    Location:
    U.S.A. (South)
    I myself have recently been experimenting with Alternate Data Streams, and it isn't any wonder why they are included in full malware payload attacks.

    By using the simple TYPE c:\anyfile.exe > c:\windows\system32\calc.exe:anyfile.exe, for example, scripting or batch files can easily activate these sub-space activities/actions and proceed to carry out whatever design has been planned for disruptions etc. I used a simple rubberball.exe amusement app I planted in the %systemdrive%, and it seems any file once launched turns loose the attached ADS-planted executable at once too.

    ...as further explained in this security article http://www.windowsecurity.com/articles/Alternate_Data_Streams.html among many more, of course.

    In fact, although I have yet to confirm it, it's likely possible to unregister a few DLLs to disrupt vbs/js.dll scripts that are needed to open System Restore for common basic users who still rely on those $M recovery/rollback systems, since I experienced a similar event that had me scratching my head until I researched some articles on it.

    Hence ADS are another one of Microsoft's debacles that they left wide open to be easily exploitable.
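A defender-side check for the kind of ADS hosts discussed in the thread (the `svchost.exe:ext.exe` and `System32:lzx32.sys` notation from post 7, and the `TYPE file > host:stream` planting described above), added here as an example that is not code from any poster or product in the thread: it parses the output of Windows `dir /r`, which lists named streams as `host:stream:$DATA`, and flags streams whose names look executable. The `dir /r` excerpt is constructed, and the list of benign stream names is an assumption for this example.

```python
import re
from typing import NamedTuple

# Constructed excerpt of `dir /r` output (not captured from the thread's test
# machine); the stream entries mirror the two ADS hosts named in the thread.
SAMPLE_DIR_R_OUTPUT = """\
 Directory of C:\\WINDOWS

02/20/2008  10:15 AM    <DIR>          System32
                                 51,200 System32:lzx32.sys:$DATA

 Directory of C:\\WINDOWS\\system32

02/20/2008  10:15 AM            14,336 svchost.exe
                                 86,016 svchost.exe:ext.exe:$DATA
02/20/2008  10:15 AM           122,880 setup.exe
                                     26 setup.exe:Zone.Identifier:$DATA
"""

# A stream line is indented, then size, then host:stream:$DATA (NTFS names
# cannot contain ':'); ordinary entries start with a date and never match.
STREAM_RE = re.compile(r"^\s+([\d,]+)\s+([^:\\]+):([^:\\]+):\$DATA\s*$")
DIR_RE = re.compile(r"^\s*Directory of (.+?)\s*$")

# Stream names treated as expected; an assumption for this example.
BENIGN_STREAMS = {"Zone.Identifier"}
EXECUTABLE_SUFFIXES = (".exe", ".dll", ".sys", ".scr", ".com", ".vbs", ".js", ".bat", ".cmd")


class StreamHit(NamedTuple):
    directory: str
    host: str
    stream: str
    size: int
    suspicious: bool


def parse_dir_r(text: str) -> list[StreamHit]:
    """Walk `dir /r` output and return every named $DATA stream found."""
    hits, current_dir = [], ""
    for line in text.splitlines():
        d = DIR_RE.match(line)
        if d:
            current_dir = d.group(1)
            continue
        m = STREAM_RE.match(line)
        if not m:
            continue
        size, host, stream = int(m.group(1).replace(",", "")), m.group(2), m.group(3)
        suspicious = stream not in BENIGN_STREAMS and stream.lower().endswith(EXECUTABLE_SUFFIXES)
        hits.append(StreamHit(current_dir, host, stream, size, suspicious))
    return hits


def suspicious_streams(text: str) -> list[str]:
    """Full host:stream paths that warrant a closer look (e.g. copying out with GMER)."""
    return [f"{h.directory}\\{h.host}:{h.stream}" for h in parse_dir_r(text) if h.suspicious]
```

Note that a stream attached to a directory (the `System32:lzx32.sys` case) is reported on the directory entry, so a scan that only walks files misses it.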
     
  9. fcukdat

    fcukdat Registered Member

    Joined:
    Feb 20, 2005
    Posts:
    569
    Location:
    England,UK
    Today's testing.

    a2 free(3.1)

    No ADS scan option, so deep scan selected.
    a2.jpg

    a22.jpg

    The 2 inactive files are detected, but the ADS-active files are not detected.
    My conclusion is a2 does not incorporate ADS scanning into its engine :ouch:

    AVG ASW free.

    ADS scanning enabled :thumb:

    avg.jpg

    avg2.jpg
    Busky is successfully detected and deleted from its ADS :thumb:
    However, Rustock's hidden driver is undetected.
    Since the botkiller flags the inactive copy of Rustock, I can only conclude that its scanning engine is incapable of detecting the Rustock trojan when it is active.
    Scan log attached.
     

  10. fcukdat

    fcukdat Registered Member

    Joined:
    Feb 20, 2005
    Posts:
    569
    Location:
    England,UK
    Today's testing.

    CounterSpy 2.5.1043

    **Due to an update bug I was unable to upload to the current detections file. This has no bearing on the testing, as both malwares are in the default database on installation :thumb:
    CS has no option for ADS scan, so full scan was selected.

    cs2.jpg

    CS.jpg

    Both inactive files were detected, and a successful detection of Busky in ADS :thumb:
    CounterSpy is blind to loaded Rustock.
     
  11. Wake2

    Wake2 Registered Member

    Joined:
    Apr 30, 2005
    Posts:
    205
    Hi fcukdat,

    I appreciate all the efforts you put in to your testing; interesting results, to say the least, between all of these programs.

    I am really curious to find out, on a clean system, the effectiveness of these programs with real-time protection enabled to block installation of malware.

    Look forward to seeing more of your tests.

    Wake
     
  12. Scoobs72

    Scoobs72 Registered Member

    Joined:
    Jul 16, 2007
    Posts:
    1,108
    Location:
    Sofa (left side)
    I second both of those. Thanks fcukdat
     
  13. FanJ

    FanJ Updates Team

    Joined:
    Feb 9, 2002
    Posts:
    2,564
    OK ;)

    ADS Streams are nothing new.
    TDS-3 (for example) checked them already many years ago.
    See for example the screenshot in my posting in the old "Basic configuration" thread from August 2002.
    https://www.wilderssecurity.com/showpost.php?p=19439&postcount=5

    The thread title confused me a little bit after I saw test results coming...

    As for testing procedure, I might have my own thoughts about that...

    Nevertheless, I applaud your effort and am looking forward to more to come ;)
     
  14. controler

    controler Guest

    fcukdat


    When GMER saves the file, is it still attached to the original file, or has it been removed? The example attaches the stream to svchost.exe.

    Also, did you try HijackThis? I think it is supposed to find those streams also.

    Back in the day, RAzor created a program for those pesky things.

    Hey FanJ, I remember TDS-3 having that option, but I never really ever saw any on my computers.

    I don't think anyone made a big deal out of it until Kaspersky started using them to tag all files on your hard drive.
     
  15. fcukdat

    fcukdat Registered Member

    Joined:
    Feb 20, 2005
    Posts:
    569
    Location:
    England,UK
    Hi C.

    The GMER ADS flag will copy the file from the stream and not what it is attached to :thumb:

    View attachment 197874

    I will test the HJT ADS scan when I get time :)
     
  16. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    5,633
    Location:
    U.S.A. (South)
    In my own research I intend to fashion a VBS file to launch from an alternate data stream while at the same time firing off the START whatever.vbs/.bat from the command line, which is what's required to launch the ADS attached to a system or other file.
     
  17. FanJ

    FanJ Updates Team

    Joined:
    Feb 9, 2002
    Posts:
    2,564