Can/Does NOD scan Alternate Data Streams?

Discussion in 'NOD32 version 2 Forum' started by flyrfan111, Oct 16, 2004.

Thread Status:
Not open for further replies.
  1. flyrfan111

    flyrfan111 Registered Member

    Joined:
    Jun 1, 2004
    Posts:
    1,224
    Does NOD scan ADS? Does it detect the Comxt Trojan?
     
  2. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,727
    Location:
    Texas
    Not to my knowledge. (Personally, I want no entries in my alternate data streams from any program :) )
     
  3. flyrfan111

    flyrfan111 Registered Member

    Joined:
    Jun 1, 2004
    Posts:
    1,224
    I don't either but read this quote from the Internet Storm Center's site;

    The Comxt trojan and the use of NTFS Alternate Data Streams

    The Comxt trojan is somewhat unusual in that it uses NTFS Alternate Data Streams (ADS) to hide its presence in a directory. Although this is not the first such malware specimen, the use of ADS for hiding malicious executable code is not yet widespread. More information about the Comxt trojan is available at:
    http://securityresponse.symantec.com/avcenter/venc/data/trojan.comxt.html

    If you have a copy of Comxt, and don't mind sharing it with us, please send it our way. To learn about ADS take a look at the Hidden Threat: Alternate Data Streams article at:
    http://www.windowsecurity.com/articles/Alternate_Data_Streams.html

    The article mentions several tools that can detect the presence of ADS on your system. In addition, you may want to check out the Stream Shell Extensions utility that Ryan Means created as part of his GCWN practical write-up on the topic. Ryan's utility adds a "Streams" tab to Windows Explorer when you look at a file's properties; the tab allows you to view and delete streams hidden in the file. You can access the utility and the paper at the following URLs:
    http://www.giac.org/practical/GCWN/Ryan_Means_GCWN.zip
    http://www.giac.org/practical/GCWN/Ryan_Means_GCWN.pdf

    Note that anti-virus software varies in its ability to detect malware in ADS. When fellow handler Ed Skoudis tested anti-virus products for his June 2004 Information Security article, he found that only "Network Associates detected malware in ADSes during both on-demand and real-time scans with its default configuration... Default real-time protection against ADS-borne malware is also provided by Computer Associates (CA), F-Secure, Grisoft, Panda Software and Sophos." (http://infosecuritymag.techtarget.com/ss/0,295796,sid6_iss407_art803,00.html )
    Notice that NOD is not one of the programs listed as being able to detect viruses in ADS streams.
     
  4. Howard

    Howard Registered Member

    Joined:
    Sep 3, 2004
    Posts:
    313
    Location:
    Wales, UK
    Very interesting article. However, AFAICT, NOD was not tested http://infosecuritymag.techtarget.com/images/2004/jun/bakeoff6_04.pdf
     
  5. flyrfan111

    flyrfan111 Registered Member

    Joined:
    Jun 1, 2004
    Posts:
    1,224
    If you read the article you will see that Eset DECLINED to submit a product for evaluation.

    A quote from the about this review page;

    Information Security tested 10 enterprise desktop AV solutions for attack evasion, resilience and the ability to detect malware other than viruses and worms, such as backdoors, spyware and *nix attack code. In computing our final grades for each product, we put particular emphasis on each product's enterprise management tools.

    Specifically, we tested:

    * Computer Associate's eTrust Antivirus 7.0
    * F-Secure AntiVirus 5.42 and Policy Manager Console 5.5
    * Grisoft's AVG Anti-Virus 7.0 and AVGADMIN 7.0
    * Kaspersky Labs' Anti-Virus Network Control Centre 4.5.0
    * Network Associates' McAfee Active Virus Defense Suite 7.1.0
    * Panda Software's Panda ClientShield 1.91.01 and Admin Secure 3.01.01
    * PestPatrol Corporate Edition (Engine 5.5.2 and Management Console 1.0.0.7)
    * Sophos Anti-Virus 3.78
    * Symantec's SAV Corporate 9.0
    * Trend Micro's OfficeScan 5.5


    Central Command, Eset Software and Microsoft declined to participate. F-Prot didn't respond to our invitation. Gordano responded to our request for products but didn't fit our criteria.

    edited for spelling.
     
  6. Alec

    Alec Registered Member

    Joined:
    Jun 8, 2004
    Posts:
    355
    Location:
    Dallas, TX
    I just tested my setup by placing the EICAR signature in a stream, and it would appear that NOD32 2.12.2 does not detect it. Great question and good find flyrfan! Eset needs to add the ADS scanning functionality.

    If you wish to test this functionality for yourself just open a command window and type "echo X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H* > eicar.exe:stream". This will create a file called "eicar.exe" that appears to have zero length, but in reality does have an alternate data stream called "stream". You can verify that there is, in fact, data associated with the ADS by typing "more < eicar.exe:stream". You should see the original eicar signature once again. It is possible, I suppose, that NOD32 purposely ignores EICAR anywhere but in the main data stream and still scans other streams for truly malicious content... but I sort of doubt it. I think that the EICAR signature should be detected in any and all data streams.

    [Edit: Never mind. I will still need to do some tests to figure out how to get this to work properly. I just tried using the above instructions to put the EICAR signature in a normal file, and it didn't get detected either. Yet, if I use Notepad to save the EICAR signature to a file it does get detected. Perhaps I need a carriage return character in there or a proper end of file (EOF) character in there or something. For some reason I just can't create the correct signature using the " echo > {file}" command. I will keep working on this to test it out.]
     
    Last edited: Oct 16, 2004
  7. Alec

    Alec Registered Member

    Joined:
    Jun 8, 2004
    Posts:
    355
    Location:
    Dallas, TX
    Ok, after a little more testing I still don't think that NOD32 is checking the alternate data streams. It seems that in my earlier command the "...(P^)7C..." sequence was seen as containing an escape character and the '^' would get stripped out. Also, in my earlier version the space between the EICAR signature and the file redirection '>' character I guess would get saved and mess up the signature as well. However if you try the following commands, you should be able to replicate my new tests:
    • echo X5O!P%@AP[4\PZX54(P^^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*> eicar1.exe

    • echo X5O!P%@AP[4\PZX54(P^^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*> eicar2.exe:stream
    Now, if you run NOD32 against the directory containing both of these files, you should get the result that eicar1.exe is flagged as the "Eicar test file" and eicar2.exe shows nothing.
     
  8. flyrfan111

    flyrfan111 Registered Member

    Joined:
    Jun 1, 2004
    Posts:
    1,224
    I agree NOD needs to detect this, that's why I started the thread. Hopefully we will see how much attention this gets when Eset gets back to work tomorrow. In all fairness though, it seems not a lot of AV makers scan ADS either. Network Associates is the only one to scan them in real time and on demand. This is a great opportunity for Eset to show its mettle, so to speak. Even KAV doesn't detect it with on-access scanning, only with on-demand. Let's go Eset!
     
  9. flyrfan111

    flyrfan111 Registered Member

    Joined:
    Jun 1, 2004
    Posts:
    1,224
  10. tobamore

    tobamore Registered Member

    Joined:
    Jun 21, 2004
    Posts:
    128
    bump

    I'm sure many are intrigued by this...
     
  11. flyrfan111

    flyrfan111 Registered Member

    Joined:
    Jun 1, 2004
    Posts:
    1,224
    Yes but apparently Eset has no interest in the subject. They don't respond here, and they declined to submit NOD for testing in the article as well. I guess it is time to go back to Panda.
     
  12. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    I have sent a PM to Jan asking for a comment on this subject.

    Cheers :D
     
  13. flyrfan111

    flyrfan111 Registered Member

    Joined:
    Jun 1, 2004
    Posts:
    1,224
    Thanks Blackspear, once again you help out as you almost always do. While I certainly appreciate the efforts you present here even when I do not have the problem with my system, I have noticed that you seem to push Eset into helping where they don't do it themselves. I disapprove of the fact that you do have to prompt them on certain issues that do affect the security of its users' systems. I feel that they should have responded to this thread with at least a "... we are looking into it ...", as well as a few other currently running threads, and yet they continue to ignore some serious issues that are being raised or asked about. Please excuse my venting frustration and definitely continue to do the GREAT work you are doing to help the members of this forum. Thanks again.
     
  14. jan

    jan Former Eset Moderator

    Joined:
    Oct 25, 2002
    Posts:
    804
    Hi flyrfan111,

    >Can/Does NOD scan Alternate Data Streams?

    The on-access (AMON) does, the on-demand does not.

    Rgds.,

    jan
     
  15. flyrfan111

    flyrfan111 Registered Member

    Joined:
    Jun 1, 2004
    Posts:
    1,224
    OK, any plans on including the capability to scan ADS? I presume that to mean the Comxt Trojan mentioned on Internet Storm Center's website can not be detected by NOD then correct? Does your answer mean the on demand scanner does?
     
  16. bsilva

    bsilva Registered Member

    Joined:
    Mar 24, 2004
    Posts:
    238
    Location:
    MA, USA
    This is a great post Flyrfan111. I was not aware of this. :oops:

    I have a firewall that monitors md5. I guess that would come to play in this.
     
    Last edited: Oct 19, 2004
  17. flyrfan111

    flyrfan111 Registered Member

    Joined:
    Jun 1, 2004
    Posts:
    1,224
    md5 is only a checksum check basically, so if the file was originally saved with a malicious ADS stream the checksum would always be the same and yet the file would still be malicious. While this would protect you from files being altered, it would not be of value with a file that was created to be malicious. That is the purpose of md5 checks, trying to detect files that were altered or another file impersonating a file that is granted access, md5 would do very little to detect or protect from a malicious ADS stream.
     
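    Alec's echo test earlier in the thread and the MD5 discussion in this post both come down to the same blind spot: a directory listing or an integrity hash that only looks at the unnamed data stream shows nothing for whatever sits in a named one. The script below is an added example and is not code posted by anyone in this thread. Its platform-independent part parses the output of `dir /R` (a switch that later Windows releases added to list streams; the sample listing here is constructed, not captured from a real machine) and reports named streams plus files that look empty but carry one, which is exactly the eicar2.exe case Alec describes. On Windows it also enumerates a file's streams through the kernel32 FindFirstStreamW/FindNextStreamW API via ctypes and hashes each stream separately, so the hash changes when a stream is added or altered. The stream name "extra" and the file names in the sample are assumptions.

```python
"""Enumerating and hashing NTFS alternate data streams (added example).

Two pieces:
  * parse_dir_r() / hidden_carriers(): parse a ``dir /R`` listing (constructed
    sample below) so the logic runs on any platform;
  * list_streams() / hash_streams(): on Windows, enumerate every stream of a
    file with FindFirstStreamW/FindNextStreamW and hash each one, not only the
    unnamed main stream that a plain MD5 check would cover.
"""
import ctypes
import hashlib
import re
import sys

# Constructed ``dir /R`` output for a directory holding the two echo test files
# from the thread plus one ordinary document with an extra stream (assumed name).
# Stream lines are indented, carry no date, and show <file>:<stream>:$DATA.
SAMPLE_DIR_R = """\
 Volume in drive C has no label.
 Directory of C:\\adstest

10/16/2004  10:12 PM    <DIR>          .
10/16/2004  10:12 PM    <DIR>          ..
10/16/2004  10:14 PM                70 eicar1.exe
10/16/2004  10:14 PM                 0 eicar2.exe
                                    70 eicar2.exe:stream:$DATA
10/16/2004  10:20 PM             1,024 notes.txt
                                 4,096 notes.txt:extra:$DATA
               3 File(s)          1,094 bytes
"""

# Ordinary entry: date, time, size (with thousands separators), name.
_FILE_LINE = re.compile(r"^\d{2}/\d{2}/\d{4}\s+\d{1,2}:\d{2} [AP]M\s+([\d,]+)\s+(.+?)\s*$")
# Stream entry: leading blanks, size, then file:stream:$DATA.
_STREAM_LINE = re.compile(r"^\s+([\d,]+)\s+(.+?):([^:\\/]+):\$DATA\s*$")


def parse_dir_r(listing):
    """Return (main_sizes, streams) from a dir /R listing.

    main_sizes maps file name -> size of its unnamed data stream;
    streams is a list of (file, stream_name, size) for every named $DATA stream.
    """
    main_sizes, streams = {}, []
    for line in listing.splitlines():
        m = _STREAM_LINE.match(line)
        if m:
            streams.append((m.group(2), m.group(3), int(m.group(1).replace(",", ""))))
            continue
        m = _FILE_LINE.match(line)
        if m:
            main_sizes[m.group(2)] = int(m.group(1).replace(",", ""))
    return main_sizes, streams


def hidden_carriers(listing):
    """Files that show 0 bytes in a plain listing yet hold data in a named stream."""
    main_sizes, streams = parse_dir_r(listing)
    return sorted({f for f, _, size in streams if main_sizes.get(f) == 0 and size > 0})


_MAX_PATH = 260


class _WIN32_FIND_STREAM_DATA(ctypes.Structure):
    # Layout of WIN32_FIND_STREAM_DATA: 64-bit size followed by a fixed name buffer.
    _fields_ = [("StreamSize", ctypes.c_longlong),
                ("cStreamName", ctypes.c_wchar * (_MAX_PATH + 36))]


def list_streams(path):
    """Enumerate all streams of `path` as [(name, size)] (Windows only).

    Names are returned as "::$DATA" for the unnamed main stream and
    ":<stream>:$DATA" for alternate streams.
    """
    if sys.platform != "win32":
        raise OSError("FindFirstStreamW is a Windows (kernel32) API")
    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    pdata = ctypes.POINTER(_WIN32_FIND_STREAM_DATA)
    k32.FindFirstStreamW.restype = ctypes.c_void_p
    k32.FindFirstStreamW.argtypes = [ctypes.c_wchar_p, ctypes.c_int, pdata, ctypes.c_uint]
    k32.FindNextStreamW.restype = ctypes.c_int
    k32.FindNextStreamW.argtypes = [ctypes.c_void_p, pdata]
    k32.FindClose.argtypes = [ctypes.c_void_p]

    data = _WIN32_FIND_STREAM_DATA()
    handle = k32.FindFirstStreamW(path, 0, ctypes.byref(data), 0)  # 0 = FindStreamInfoStandard
    if handle is None or handle == ctypes.c_void_p(-1).value:       # INVALID_HANDLE_VALUE
        raise ctypes.WinError(ctypes.get_last_error())
    streams = []
    try:
        while True:
            streams.append((data.cStreamName, data.StreamSize))
            if not k32.FindNextStreamW(handle, ctypes.byref(data)):
                break
    finally:
        k32.FindClose(handle)
    return streams


def hash_streams(path):
    """SHA-256 of every stream of `path`, alternate streams included (Windows only).

    A digest of the main stream alone is identical before and after a named
    stream is added; hashing per stream removes that blind spot.
    """
    digests = {}
    for name, _size in list_streams(path):
        with open(path + name, "rb") as fh:   # e.g. "eicar2.exe:stream:$DATA"
            digests[name] = hashlib.sha256(fh.read()).hexdigest()
    return digests


if __name__ == "__main__":
    sizes, found = parse_dir_r(SAMPLE_DIR_R)
    for f, s, size in found:
        print(f"{f}:{s}  {size} bytes (main stream: {sizes.get(f)} bytes)")
    print("look-empty carriers:", hidden_carriers(SAMPLE_DIR_R))
    if sys.platform == "win32" and len(sys.argv) > 1:
        for name, digest in hash_streams(sys.argv[1]).items():
            print(name, digest)
```

Run without arguments it works only on the constructed listing; on Windows, pass a file path to see every stream hashed. For a real listing, pipe `dir /R` into a file and feed its text to parse_dir_r.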
  18. bsilva

    bsilva Registered Member

    Joined:
    Mar 24, 2004
    Posts:
    238
    Location:
    MA, USA
    Thanks. That makes sense.
     
  19. Tweakie

    Tweakie Registered Member

    Joined:
    Feb 28, 2004
    Posts:
    90
    Location:
    E.U.
    Andreas Marx from AV-test.org also published a test on this topic. Unfortunately, it is in German, but the summary is available here:
    http://www.heise.de/security/artikel/52139/2

    The versions of the AVs tested are sometimes different from those of Ed Skoudis' test (which focused on "Enterprise" versions). Also, I do not know (I can't read German) if "best settings" or "default settings" were used. According to this test:
    AVK, F-Secure, KAV (5.0), McAfee and Norman are able to scan ADS in both on-access and on-demand modes whereas Bitdefender, FProt, Norton (2004), Trend and Ikarus do not scan ADS at all.

    All other tested products (NOD, but also Antivir, AVG, DrWeb, Command AV, Panda, Sophos, eTrust) provide a partial protection (either on-access only or on-demand only).
     
  20. profhsg

    profhsg Registered Member

    Joined:
    May 18, 2004
    Posts:
    145
  21. flyrfan111

    flyrfan111 Registered Member

    Joined:
    Jun 1, 2004
    Posts:
    1,224
    I suspect the KAV analysts may be unaware that there is at least 1 known trojan (the Comxt trojan) that uses ADS to hide its presence on a hard drive.

    There isn't much available on this trojan on the Internet Storm Center's site, but for those interested and a good site full of information on internet threats and problems you should bookmark or regularly check the site. It's address is isc.sans.org

    Info on the Comxt trojan is in the Handler's diary section from Oct 15, although I pretty much posted all they had on it in an earlier post in this thread.
     
  22. flyrfan111

    flyrfan111 Registered Member

    Joined:
    Jun 1, 2004
    Posts:
    1,224
  23. Tweakie

    Tweakie Registered Member

    Joined:
    Feb 28, 2004
    Posts:
    90
    Location:
    E.U.
    Hum. I think that Igor's statement is technically incorrect.

    We are not talking of the "default" named streams (#5SummaryInformation, #5SebiesnrMkudrfcoIaamtykdDa, #5DocumentSummaryInformation, #5Q30lsldxJoudresxAaaqpcawXc), here.

    We are talking of new ADS that can be added to the file through BackupWrite. I don't think that there is such a size limit on these,
    and I'm afraid virus writers would agree with me :
    http://www.viruslist.com/eng/viruslist.asp?id=4078&key=00001000050000800000

    And Eugene Kaspersky himself used to consider that handling ADS was important :
    http://www.viruslist.com/eng/index.html?tnews=1001&id=670

    Well. I think I have a trojan horse hiding in ADS in my small collection. I'll try to find it.
     
  24. Don Pelotas

    Don Pelotas Registered Member

    Joined:
    Jun 29, 2004
    Posts:
    2,257
    I think you are right, Tweakie.

    Schouw (Senior Research Engineer, Kaspersky Lab) has posted on DSLR saying that: "Expert is right, Igor is wrong..."

    Experts post:
    Regards
     
  25. Mele20

    Mele20 Former Poster

    Joined:
    Apr 29, 2002
    Posts:
    2,495
    Location:
    Hilo, Hawaii
    Schouw, who is a senior research engineer with Kaspersky, just posted to my thread on Streams Shell Extensions at dslr and stated that Igor is wrong. KAV 4.5 and 5.0 scan ADS both in Real Time and On Demand. I'm glad he cleared that confusion up as I had just posted at IKON board and asked Igor about his statement as it didn't make much sense to me.
    http://www.dslreports.com/forum/remark,11624432~mode=flat#11637216

    Edit: I see you beat me to it Don! :)
     