Alternate data streams

Discussion in 'Trojan Defence Suite' started by Malikai, Mar 6, 2003.

Thread Status:
Not open for further replies.
  1. Malikai

    Malikai Registered Member

    Joined:
    Mar 1, 2003
    Posts:
    4
    Hello all,
    Just got my registration keys for TDS, Port Explorer and Wormguard :D
    I updated all my files and did a full scan with all the boxes checked. The results were two files with alternate data streams. The files were called thumbs.db:Encrypted. When I tried to delete them through TDS it said it could not because the file is in use. When I viewed the ADS in notepad it was blank and when I extracted it to a file it was an .EXE of 0 bytes.
    I booted up in safemode/command prompt to try and remove the files and they could not be found? I went back into windows and the files were not in the directory and I have nothing hidden. I ended up deleting the whole directory and this seemed to work.
    My question is, does this seem suspicious or am I being paranoid? I am convinced I have a trojan on my system (Had Probot SE but removed it) but TDS, Pest Patrol and the cleaner find nothing when I run full scans now. Having port explorer has made me even more paranoid because I still am not sure what is supposed to be ok o_O
    Is there a way to tell if a trojan is using Outlook to send info?
    Any thoughts or similar experiences would be appreciated.

    Regards,
    Malikai
     
  2. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Hi Malikai,
    I can feel your fear after such infections. You did not find any of the files I posted the other day belonging to that nasty keylogger?

    What happens if you set your Outlook to keep a copy of every sent email, and is there an option to alert if any email would be sent out without your doing it?
    (Outlook Express has such a blockage).
    Socket spy would show you any connection made, especially the new version with the logging will be really handy if you also try to put all your email sockets under spying and add all hidden sockets PID manually to that (on my system works better that way for the hidden sockets).
    Your firewall should be an extra alert for outgoing connections you can block.
    You did remove the file and used the cleaning tool, searched for all those files mentioned and the registry, you've been looking for the logs and maybe the directory with the uninstall tool. You could of course get the download and only look in the helpfile for what to look for, but I would not advise this, as you never know if the stuff could somehow bring you into danger too.
    Think you have done what you could, including online scans; used Pest Patrol maybe too? And Spybot S&D is a very nice detector too if you put every option on. What more can we think of? Would be nice if you had seen a log to find out who infected you and if anything was sent out and to whom.
    Really hope you'll soon be in a condition to trust your system again and enjoy the internet.

    If possible you can try to grab those empty files, zip and submit them to DCS for their opinion. As they looked empty for you in notepad they may have been innocent indeed, maybe control files from your AV, as I've read happens more often.
     
  3. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    17,874
    Location:
    New England
    Alternate Data Streams are really very interesting things. DCS has a page that describes them here:

    http://www.diamondcs.com.au/streams/streams.htm

    The sad thing (or good thing depending upon your perception) is that WinZIP does not support streams, (unless they added that support recently), so zipping a file that may have a stream attached to it will not actually capture the stream.

    That said, I still wouldn't worry about this. There are many good uses for alternate data streams. They can store all kinds of file information, and I have heard of ADS being attached to thumbs.db files before.
     
  4. I_lack_commonsense

    I_lack_commonsense Registered Member

    Joined:
    Jan 22, 2003
    Posts:
    44
    I read a while back that thumbs.db is used by Windows as a means to cache thumbnail pictures, so most likely the location of thumbs.db is in a folder where you have image files. I trialed one of the newer versions of TweakXP Pro and they have an option to "disable the thumbnail cache"; after disabling it you will no longer have thumbs.db on your computer. Since TweakXP can do it... there is obviously a reg edit for it... http://www.winguides.com/registry/display.php/994/ . But like LWM mentioned, there are good uses for ADS too.
     
  5. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
    Streams are being used by a lot of legitimate apps now, so we recommend users go to Scan Control > ADS Stream Options and ignore streams smaller than 256 bytes.

    This way, larger streams such as an EXE (trojan) or VBS etc. in a stream will still be detected, but "tags" added to files will not be shown :)
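    The size threshold Gavin describes, as an added example (not code from the thread or from DiamondCS): enumerate every alternate data stream below a folder, treat streams under the threshold as harmless "tags", and flag larger ones whose first two bytes are the MZ executable header. It assumes Windows PowerShell 3+ or PowerShell 7 on an NTFS volume; the `$Root` path and the 256-byte `$MinBytes` default are assumptions taken from the post.

```powershell
# Added example: list alternate data streams and apply a size + MZ-header heuristic.
param(
    [string]$Root = ".",
    [int]$MinBytes = 256   # streams smaller than this are treated as "tags" (assumed threshold)
)

function Get-StreamHead {
    # Return the first $Count bytes of the stream $Path:$Stream as a byte array.
    param([string]$Path, [string]$Stream, [int]$Count = 2)
    if ($PSVersionTable.PSVersion.Major -ge 6) {
        # PowerShell 7 replaced -Encoding Byte with -AsByteStream
        return @(Get-Content -LiteralPath $Path -Stream $Stream -AsByteStream -TotalCount $Count)
    }
    return @(Get-Content -LiteralPath $Path -Stream $Stream -Encoding Byte -TotalCount $Count)
}

Get-ChildItem -LiteralPath $Root -File -Recurse -Force -ErrorAction SilentlyContinue |
  ForEach-Object {
    $file = $_.FullName
    # Get-Item -Stream * lists every stream; ':$DATA' is the ordinary file content itself.
    Get-Item -LiteralPath $file -Stream * -ErrorAction SilentlyContinue |
      Where-Object { $_.Stream -ne ':$DATA' } |
      ForEach-Object {
        $verdict = 'tag (below threshold)'
        if ($_.Length -ge $MinBytes) {
            $head = Get-StreamHead -Path $file -Stream $_.Stream
            # 0x4D 0x5A = "MZ", the DOS header that every Windows EXE/DLL/SYS starts with
            $isMz = ($head.Count -eq 2 -and $head[0] -eq 0x4D -and $head[1] -eq 0x5A)
            $verdict = if ($isMz) { 'EXECUTABLE (MZ header)' } else { 'large, non-executable' }
        }
        [pscustomobject]@{
            File    = $file
            Stream  = $_.Stream
            Bytes   = $_.Length
            Verdict = $verdict
        }
      }
  } | Sort-Object Bytes -Descending | Format-Table -AutoSize
```

    Run it as `.\Find-Ads.ps1 -Root C:\Users -MinBytes 256`; a stream reported as EXECUTABLE is the case the thread is concerned about, while small tags (for example the Zone.Identifier stream Windows writes on downloaded files) fall below the threshold as Gavin intends.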
     
  6. spy1

    spy1 Registered Member

    Joined:
    Dec 29, 2002
    Posts:
    3,139
    Location:
    Clover, SC
    Gavin - (Hope I can phrase this intelligently enough to get your attention).

    If you read this link: http://www.securityfocus.com/news/2879 , part of it says this: "Slanret is technically just one component of a root kit. It comes with a straightforward backdoor program: a 27 kilobyte server called "Krei" that listens on an open port and grants the hacker remote access to the system. The Slanret component is a seven kilobyte cloaking routine that burrows into the system as a device driver, then accepts commands from the server instructing it on what files or processes to conceal."

    Okay, so my question and concern here is this: Do Slanret and/or Krei generate streams?

    Or, are Slanret and/or Krei detected already in the TDS database as long as exe protection is running? Pete
     
  7. Malikai

    Malikai Registered Member

    Joined:
    Mar 1, 2003
    Posts:
    4
    Luckily I did not find any of the files mentioned by your post. I've been over my computer with a fine tooth comb trying to find any sort of log file but as of yet have not been successful. I tried all your suggestions and it looks clean; I think I am just being paranoid because of my lack of knowledge regarding trojans. I'm going to try and learn everything I can so that hopefully I can contribute back to the group one day.

    Thank you for all your help :)
     
  8. Bruce9090

    Bruce9090 Guest

    I too have found an Alternate Data Stream with a host called MZ.exe; I cannot delete them, they say they're in use. Did a Google search for MZ.exe and it seems associated with the Millennium backdoor (very detailed post). OK, so how do I get rid of it?
     
  9. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Are you able to zip it and send it over to Gavin?
    submit@diamondcs.com.au ?
    Does it show in the TDS > System analysis > Process list
    or in the windows taskmanager?
    If so, are you able to kill such a process?
    Is it possible to delete it then?
    Check that it is not in the autostart; after killing it and deleting possible autostart keys and maybe even registry keys it should not be there at all after reboot, if you can't delete it after killing the process.
    In a worse case it would be reboot in safe mode and delete it from there if you can find it back.

    Hope this helps!
     
  10. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Hello Bruce, Can you tell us the size of the hidden stream please?
    I have TDS set not to include any non-executable streams and those under 90 bytes.
     
  11. spy1

    spy1 Registered Member

    Joined:
    Dec 29, 2002
    Posts:
    3,139
    Location:
    Clover, SC
    It sometimes amazes me how long some of my questions just sit there.

    Were the two I asked in my post above un-answerable, or what? Pete
     
  12. Wayne - DiamondCS

    Wayne - DiamondCS Security Expert

    Joined:
    Jul 19, 2002
    Posts:
    1,533
    Location:
    Perth, Oz
    > It sometimes amazes me how long some of my questions just sit there.
    > Were the two I asked in my post above un-answerable, or what? Pete
    If you absolutely require an answer to a question from a vendor, forums aren't the way to go - always email the vendor directly, as forums are more for responses from other users rather than from the vendor themselves, so it's a bit of a hit-and-miss affair - sometimes you'll get a response from the vendor but more often than not you'll get a response from other users. Due to time constraints it's simply not possible for us to read and respond to every forum thread, but we certainly read all of our email, and as you've seen in the past we're more than happy to help people with questions about our software when they email us :). So please don't get impatient about us not responding to a forum post - simply drop us an email with the thread URL and we'll get you an answer as soon as we can.

    > Do Slanret and/or Krei generate streams?
    Not as far as I'm aware, but Gavin can provide a definitive answer.

    > Or, are Slanret and/or Krei detected already in the TDS database as long as exe protection is running? Pete
    They're detected, even without exe protection.

    I've dropped Gavin an email so he'll add to this further tomorrow (Saturday). :)
    If you have anything else to ask regarding this trojan, now is a good time to ask

    Anyway, enjoy the weekend
    Wayne
     
  13. spy1

    spy1 Registered Member

    Joined:
    Dec 29, 2002
    Posts:
    3,139
    Location:
    Clover, SC
    Thank you, Wayne! I'll be looking forward to Gavin's response, too! Pete
     
  14. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
    I haven't been sent a sample of this trojan, and don't know who other than Symantec has it. It is a rare one, but for the questions:

    ADS: no, I don't think any stealth trojan would use streams now that TDS and others detect them.

    Detection of any rootkit style trojan should be possible, as stated in the other rootkit thread we have many ideas for TDS-4 and are trying hard to get things done as soon as possible :)
     
  15. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
    Yes - Krei is detected and is a standard rootkit EXE / SYS style trojan. It has nothing to do with streams :)
     
  16. controler

    controler Guest

    Just to clarify

    the bruce9090 that posted here about MZ.EXE in April is not me. LOL

    I never come as a guest :)

    Bruce
     