Alternate Data Streams

Discussion in 'other anti-virus software' started by phasechange, Jul 15, 2006.

Thread Status:
Not open for further replies.
  1. phasechange

    phasechange Registered Member

    Joined:
    Aug 10, 2004
    Posts:
    359
    Location:
    Edinburgh
    I had been pondering how well Alternate Data Streams are examined when I came across this article: http://www.cio.com/blog_view.html?CID=23011

    Care to comment on Alternate Data Streams for hiding threats and how novel this "rootkit" is? In addition, how well do NOD32, KAV, etc. cope with this sort of threat, and are old fashioned techniques still good enough when kernel mode execution is used? I should probably have posted this in Other AV (we don't have a "general virus" board, do we?).

    Fairy
     
  2. Bubba

    Bubba Updates Team

    Joined:
    Apr 15, 2002
    Posts:
    11,271
    good thought and now it has been done ;)
     
  3. phasechange

    phasechange Registered Member

    Joined:
    Aug 10, 2004
    Posts:
    359
    Location:
    Edinburgh
    Thanks Bubba :D
     
  4. StevieO

    StevieO Registered Member

    Joined:
    Feb 2, 2006
    Posts:
    1,067
    Here's a few links which might interest you.
    ______________________________________________

    Analysis of hidden data in the NTFS file system

    http://www.forensicfocus.com/hidden-data-analysis-ntfs

    The full paper in a PDF is here

    www.forensicfocus.com/downloads/ntfs-hidden-data-analysis.pdf


    Nick Skrepetos of SUPERAntiSpyware has stated the following,
    _______________________________________________

    "Viruses and Spyware/Malware are converging in regards to some of the methods used to install and/or hide. Viruses typically "attach" themselves to other files. We are finding several spyware/malware applications that are using the Alternate Data Streams to hide within files on NTFS volumes.

    As the detection methods of the anti-spyware applications get better, so will the ways the spyware/malware vendors use to hide and/or install."
    _______________________________________________

    Cloaking Technology of KAV, SAV, etc. Discussed

    http://www.dslreports.com/forum/remark,15234821


    StevieO
     
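    As an added example (not from the thread or from any of the linked articles), the following Windows PowerShell script inventories non-default NTFS streams under a directory, which is the defender-side check behind the point Nick Skrepetos makes above: a scanner that only opens the unnamed data stream never sees what is stored beside it. The starting path and the preview length are assumptions.

```powershell
# Inventory of NTFS alternate data streams under a directory (added example).
# Requires Windows PowerShell 5.1 or PowerShell 7 on an NTFS volume; run with
# rights to read the files you want covered.
param(
    [string]$Path = 'C:\Users\Public',   # assumed starting directory
    [int]$PreviewBytes = 2               # bytes read from each stream to sniff a PE header
)

# Get-Content reads raw bytes with -Encoding Byte on 5.1 and -AsByteStream on 7+.
$byteArg = if ($PSVersionTable.PSVersion.Major -ge 6) { @{ AsByteStream = $true } }
           else { @{ Encoding = 'Byte' } }

# -Stream * lists every stream of a file; the unnamed (normal) data stream is
# reported as ':$DATA', so everything else is an alternate stream.
$streams = Get-ChildItem -LiteralPath $Path -Recurse -File -Force -ErrorAction SilentlyContinue |
    ForEach-Object {
        Get-Item -LiteralPath $_.FullName -Stream * -ErrorAction SilentlyContinue |
            Where-Object { $_.Stream -ne ':$DATA' }
    }

$report = foreach ($s in $streams) {
    # Zone.Identifier is the common, benign mark-of-the-web written by browsers.
    $note = if ($s.Stream -eq 'Zone.Identifier') { 'benign (mark-of-the-web)' } else { 'review' }

    # Sniff the first bytes: 'MZ' means an executable image is stored in the stream.
    $head = Get-Content -LiteralPath $s.FileName -Stream $s.Stream -TotalCount $PreviewBytes `
                        -ErrorAction SilentlyContinue @byteArg
    if ($head.Count -ge 2 -and $head[0] -eq 0x4D -and $head[1] -eq 0x5A) {
        $note = 'review: PE header (MZ) in alternate stream'
    }

    [pscustomobject]@{
        File   = $s.FileName
        Stream = $s.Stream
        Bytes  = $s.Length
        Note   = $note
    }
}

# Suspicious entries first, then the benign mark-of-the-web markers.
$report | Sort-Object Note -Descending | Format-Table -AutoSize
```

    Anything listed with a "review" note is data a file-by-file scanner only finds if it enumerates streams explicitly; an empty report means no alternate streams under the path, not that the files are clean.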
  5. phasechange

    phasechange Registered Member

    Joined:
    Aug 10, 2004
    Posts:
    359
    Location:
    Edinburgh
    The Forensic Focus article is very interesting. I also thought Nick Skrepetos is bang on about the convergence although there is also the question as raised by KAV5 of antimalware programs converging with malware and using similar techniques. Even malware mimics antivirus programs these days... with some malware fighting other malware.

    My main interest of course is the evolution of the response to threats. I am particularly interested in the differences between how different programs take different approaches to the same problems. Features such as KAV's Scan Startup Objects not being seen in NOD32, for example.

    Fairy
     