Did Symantec’s WMI update cause ADS hidden stream alerts?

Discussion in 'Trojan Defence Suite' started by rie, Aug 17, 2004.

Thread Status:
Not open for further replies.
  1. rie

    rie Registered Member

    Joined:
    Aug 17, 2004
    Posts:
    19
    I got Symantec's WMI update last week and wonder - could it be responsible for TDS alerting on four ADS hidden streams? It's never alerted to these before. After getting the update I did a TDS scan, it alerted, and it's never done that before. Something changed, but what? I understand they're probably all fine, and I should just set TDS not to scan ADS files under 128 bytes. But what made it suddenly alert over these files, haven't they always been there? I know the parent files have always been there.

    *One stream (124 bytes) is larger than its parent file (77 bytes). Is that okay?
    *Two stream file sizes match each other at 88 bytes each, the other two are also identical size, 124 bytes. Okay or strange?
    *Those numbers also match the first bulleted item - do they always have numbers like those, or is it kind of weird that they all seem to mix n' match each other?

    They're not newly created files, they're things like a desktop.ini in one of my folders, and some quick launch items. TDS has scanned the parent files many times.
    Something changed, and the update from Symantec was the only new thing added to the computer, plus the TDS updates received from TDS itself before the scan that returned this stuff.
    My question - 1.) Is it possible the Symantec WMI Update did something that now causes TDS to alert to these files? 2.) Any reason to worry?

    I have XP Home, NIS 2004.
     
  2. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
    Sounds fine, data streams are of course no problem

    It's when you have an executable in a stream that it's a stealth job. TDS-3 detects any MZ binary file hidden in a stream - and if it's a trojan, IDs it

    You should go to Scan Control > ADS Stream Options and ignore streams smaller than 128 bytes for best results
     
  3. rie

    rie Registered Member

    Joined:
    Aug 17, 2004
    Posts:
    19
    So it's a good thing that it said "Mz Exe Unknown"? I found and read the TDS page on hidden streams. It's not possible for a file smaller than 128 to house an executable - do I have that right? Live and learn, I'd never even heard of these before. :)
     
  4. Acadia

    Acadia Registered Member

    Joined:
    Sep 8, 2002
    Posts:
    4,048
    Location:
    SouthCentral PA
    ADS is a little-known feature of the NTFS filing system that, I suppose, we will be hearing more about now that the scumbag Trojan writers have discovered them. ADS was originally created to make Windows more compatible with Apple, or vice versa, I forget. Poor Microsoft gets blamed for many of these features but in reality the features that MS put into Windows were originally meant to enhance our surfing experience, it's just that the bad guys figure out new ways to use them to their malicious advantage, just witness AutoComplete, File Sharing, Cookies, Messenger, ActiveX, scripting, etc. (Of course, I suppose MS can be legitimately blamed for all the "holes" everyone is always finding). There are only three products that I am aware of that search the ADS: TDS, TrojanHunter, and the new AdAware (Advanced features). Good luck.

    Acadia
     
  5. Andreas1

    Andreas1 Security Expert

    Joined:
    Jan 29, 2003
    Posts:
    367
    Location:
    Mainz (Ger)
    Re: Did Symantec’s WMI update cause ADS hidden stream alerts?

    Well, in theory, executable code can come in below that threshold - only it would have to be a *.com, not an *.exe file and that already brings some restrictions. Considering the small size allowed, it actually wouldn't be able to accomplish very much at all. (Say, enough to erase your hard disk, but not to do anything that communicates over TCP/IP, i.e. the internet. :rolleyes: But this makes it an issue for a virus scanner more than an anti-trojan scanner. And I would think the threat level is very low. (Not much the author can show off with...))

    If that's not right, I'm sure someone will come along and correct me or explain more or other details.

    HTHH,
    Andreas
     
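The two posts above describe what the scanner actually does with a stream: skip anything under the configured size threshold, and flag a stream whose content begins with an MZ header. The Python below is an added example written for this thread, not DiamondCS or TDS code, that implements that heuristic over constructed sample streams and, on Windows, enumerates a file's named streams with the documented kernel32 FindFirstStreamW / FindNextStreamW calls so the same check can be run against real files. Stream names and contents in SAMPLE_STREAMS are made up for illustration. It also shows the caveat from the later reply: a flat machine-code blob with no MZ header (the *.com case) is neither caught by the MZ check nor, when small, looked at after the size filter, so the 128-byte setting is a noise reducer, not a proof of safety.

```python
"""Classify NTFS alternate data streams the way an anti-trojan scanner might:
size filter first, then a check for an MZ (DOS/PE executable) header."""
import ctypes
import sys

MZ_MAGIC = b"MZ"
PE_MAGIC = b"PE\0\0"
DEFAULT_MIN_SIZE = 128  # the "ignore streams smaller than 128 bytes" setting from the thread


def has_pe_signature(data: bytes) -> bool:
    """True if the MZ header's e_lfanew field points at a 'PE\\0\\0' signature."""
    if len(data) < 0x40 or data[:2] != MZ_MAGIC:
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return data[e_lfanew:e_lfanew + 4] == PE_MAGIC


def classify_stream(data: bytes, min_size: int = DEFAULT_MIN_SIZE) -> str:
    """Return one of 'ignored', 'data', 'mz_stub' or 'mz_pe' for one stream's bytes.

    'ignored'  - below the size threshold, never inspected (mirrors the TDS option)
    'data'     - inspected, no executable header (desktop.ini comments, Zone.Identifier, ...)
    'mz_stub'  - MZ header but no PE signature (e.g. a bare DOS .exe)
    'mz_pe'    - full Windows PE image; the 'Mz Exe Unknown'-style alarm case
    """
    if len(data) < min_size:
        return "ignored"
    if data[:2] != MZ_MAGIC:
        return "data"
    return "mz_pe" if has_pe_signature(data) else "mz_stub"


def scan_streams(streams: dict, min_size: int = DEFAULT_MIN_SIZE) -> list:
    """Apply classify_stream to a {stream_name: bytes} mapping; returns (name, size, verdict)."""
    return [(name, len(data), classify_stream(data, min_size)) for name, data in streams.items()]


def _constructed_pe_header(total: int = 200) -> bytes:
    """Build a minimal MZ+PE header padded to `total` bytes (constructed sample, not a real binary)."""
    hdr = bytearray(b"MZ" + b"\0" * 62)            # 64-byte DOS header
    hdr[0x3C:0x40] = (64).to_bytes(4, "little")    # e_lfanew -> PE signature right after it
    hdr += PE_MAGIC
    return bytes(hdr.ljust(total, b"\0"))


# Constructed sample streams, sized like the ones reported in the thread (88 and 124 bytes).
SAMPLE_STREAMS = {
    ":Zone.Identifier:$DATA": b"[ZoneTransfer]\r\nZoneId=3\r\n".ljust(88, b" "),
    ":ShellInfo:$DATA": b"\0" * 124,
    ":bigtext:$DATA": b"just text, no header\n" * 10,        # 210 bytes, inspected, harmless
    ":dropped:$DATA": _constructed_pe_header(200),              # what the alarm is for
    ":tinycode:$DATA": b"\xb8\x00\x4c\xcd\x21".ljust(60, b"\x90"),  # .com-style blob, no MZ: the caveat
}


class _FindStreamData(ctypes.Structure):
    # WIN32_FIND_STREAM_DATA: LARGE_INTEGER StreamSize; WCHAR cStreamName[MAX_PATH + 36]
    _fields_ = [("StreamSize", ctypes.c_longlong), ("cStreamName", ctypes.c_wchar * (260 + 36))]


def list_streams(path: str) -> list:
    """Enumerate named streams of `path` (Windows/NTFS only); returns (stream_name, size)."""
    if sys.platform != "win32":
        raise OSError("alternate data streams are an NTFS feature; this enumerator needs Windows")
    k32 = ctypes.windll.kernel32
    k32.FindFirstStreamW.restype = ctypes.c_void_p
    k32.FindFirstStreamW.argtypes = [ctypes.c_wchar_p, ctypes.c_int, ctypes.c_void_p, ctypes.c_uint]
    k32.FindNextStreamW.argtypes = [ctypes.c_void_p, ctypes.c_void_p]
    k32.FindClose.argtypes = [ctypes.c_void_p]
    info = _FindStreamData()
    handle = k32.FindFirstStreamW(path, 0, ctypes.byref(info), 0)  # 0 = FindStreamInfoStandard
    if handle == ctypes.c_void_p(-1).value:  # INVALID_HANDLE_VALUE: no streams or not NTFS
        return []
    found = []
    try:
        while True:
            if info.cStreamName != "::$DATA":      # skip the unnamed (main) data stream
                found.append((info.cStreamName, info.StreamSize))
            if not k32.FindNextStreamW(handle, ctypes.byref(info)):
                break
    finally:
        k32.FindClose(handle)
    return found


def scan_file(path: str, min_size: int = DEFAULT_MIN_SIZE) -> list:
    """Read each named stream of a real file via the 'file:stream' syntax and classify it."""
    streams = {}
    for name, _size in list_streams(path):
        with open(path + name, "rb") as fh:
            streams[name] = fh.read()
    return scan_streams(streams, min_size)


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else None
    for name, size, verdict in (scan_file(target) if target else scan_streams(SAMPLE_STREAMS)):
        print(f"{verdict:8} {size:6} bytes  {name}")
```

Run without arguments it scans the constructed streams; on an NTFS volume, pass a file path to enumerate and classify its real streams. The `:tinycode:$DATA` entry is reported as `ignored` only because of the size threshold; lower `min_size` to 0 and it becomes `data`, which is the point of the later reply: the MZ heuristic recognises PE/DOS executables, not raw code, so the threshold is about cutting alarms on desktop.ini and Zone.Identifier streams rather than guaranteeing that small streams are inert.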
  6. rie

    rie Registered Member

    Joined:
    Aug 17, 2004
    Posts:
    19
    I want to make sure this is right.
    I excluded ADS under 128 from being scanned and they no longer appear in the "Alarms" window at the bottom of the console. But, they DO show up, with descriptions, in the top window portion of the console. (In the place where it shows things like (for example) "14000 files scanned, no alarms.") It put all the info on the ADS in that top section. See, I worry about it no matter where it's displayed. It's set to Not Scan, but it does scan, and does report.

    Well, whatever...don't care as long as it's alright that their results are now showing on the top part of the console.
    They are not "out of sight, out of mind," if you see what I mean.
     