Hips and ADS

Discussion in 'other anti-malware software' started by _kronos_, Feb 14, 2009.

Thread Status:
Not open for further replies.
  1. _kronos_

    _kronos_ Registered Member

    Joined:
    Dec 8, 2008
    Posts:
    126
    Hi guys!
    Can you suggest me an hips with ADS detection? This is not a simple feature to find in a hips.
    I know that only MalwareDefender and D+ are able to intercept this kind of behaviour.
    None else?


    Thanks;)
     
    Last edited: Feb 14, 2009
  2. alex_s

    alex_s Registered Member

    Joined:
    Aug 13, 2007
    Posts:
    1,251
    This is just the terms matter. Some vendors claim they do "this and that", but then it apperas they do the same other vendors do without the claims.

    But could you clarify what do you mean ?

    ADS makes (wiki):

    Active Directory Service or Active Directory
    Advantage Database Server
    Airforce Delta Storm
    Alternate Data Streams
    Applied Digital Solutions
    Ardrossan Harbour
    Astrophysics Data System
    Attention Deficit Syndrome
    Automated decision support
     
  3. _kronos_

    _kronos_ Registered Member

    Joined:
    Dec 8, 2008
    Posts:
    126
    sorry if I wasn't clear:D
    I mean Alterante Data Streams..

    regards;)
     
  4. chris2busy

    chris2busy Registered Member

    Joined:
    Jun 14, 2007
    Posts:
    477
    mmm...i saw the eqs ruletopic (alcyon's ruleset) that he has made a custom rule for eqs so that it can handle ADS..you could take a look there.
     
  5. alex_s

    alex_s Registered Member

    Joined:
    Aug 13, 2007
    Posts:
    1,251
    Aha :)

    I think there is no need for special ADS treatment. To create ADS you need to call the same NtCreateFile and to run a program from ADS you need to call the same NtCreateProcess(Ex) or NtCreateUserProcess. The files from ADS do not differ from the "normal" files, the only difference is standard shell (explorer.exe) and other "comanders" do not show them. Though, it may have difference (IMHO) when doing scan. I'm afraid not every scanner scans ADS.
     
  6. Alcyon

    Alcyon Registered Member

    Joined:
    Jan 16, 2008
    Posts:
    438
    Location:
    Montr?al, Canada
    You'll find Alternate Data Streams rules in my latest ruleset (v1.49.0213). Four rules for file protection and two for applications (in low and high priority sections).
     
  7. PROROOTECT

    PROROOTECT Registered Member

    Joined:
    May 5, 2008
    Posts:
    1,102
    Location:
    HERE ...Fort Lee, NJ
    Hello all, hello :thumb:Kronos,

    I have:

    # HiJackThis/Open the Misc Tools section/OpenADS Spy ...

    # GMER/on GUI: ADS box ...

    # Usec RADIX/File System/Check for Alternate Data Streams

    #KX-Ray/Data Streams

    # Hazard Shield/Tools/ADS Scanner


    That's enough?:argh:

    Yours PROROOTECT Submit Reply
     
  8. alex_s

    alex_s Registered Member

    Joined:
    Aug 13, 2007
    Posts:
    1,251
    This my my test with ADS and OA. That is to say OA never claimed it supports ADS, but here we see OA HIPS treats ADS like any other file (and I think other HIPS do the same)
     

    Attached Files:

    • 03.gif
      03.gif
      File size:
      15.9 KB
      Views:
      758
    • 04.gif
      04.gif
      File size:
      17.6 KB
      Views:
      760
    Last edited: Feb 14, 2009
  9. _kronos_

    _kronos_ Registered Member

    Joined:
    Dec 8, 2008
    Posts:
    126
    Thanks Alcyon!;)
    However I find unconfortable to use EQS under LUA (I tried Surun, but I don't like that setting) :'(

    I will try your last ruleset in my VM..maybe against some hidden threats:p

    ahah
    Regards!
     
  10. _kronos_

    _kronos_ Registered Member

    Joined:
    Dec 8, 2008
    Posts:
    126
    Hi PROROOTECT!:)

    Thanks for the suggests, but i was looking for an hips software that was able to monitor ADS too...not other complementary software:D

    Regards!
     
  11. _kronos_

    _kronos_ Registered Member

    Joined:
    Dec 8, 2008
    Posts:
    126
    Thanks:D
    This is the same for the free version?

    Not all the hips are able to intercept this behaviour..I try SSM Pro, Real Time Defender, Malware Defender, D+ with a rustock (winsyst32.exe)...
    only MD and D+ find ADS..the other no (they alerted me for the registry modification...and were able to block the infection when the winsyst32.exe try to load the driver lzx32.sys, none alert for ADS)

    Regards;)
     
  12. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    GeSWall protects against ADS, no extra rules needed, protection out of the box
     
  13. PROROOTECT

    PROROOTECT Registered Member

    Joined:
    May 5, 2008
    Posts:
    1,102
    Location:
    HERE ...Fort Lee, NJ
  14. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    5,634
    Location:
    U.S.A. (South)
    I didn't read this whole thread but did briefly run across some replies so i just want to echo the fact that if you happen to have EQS 3.41 and at least up to v4/ Beta 3, Alcyon fashioned a very solid and useful ruleset for ads.

    It can stop any ADS from either being created or if already there, stopped from running ever again at all.

    The reason i know this is i made an alternate data stream that i added to both notepad & calc then made a vb script & batch file to easily run them. I used my ads to run a simple .SWF file and a .exe, both safe programs to see exactly how easily executables can be run in this manner. I even added them to my startup folder to confirm how malware could duplicate for more malicious purposes.

    Alcyon's Rules that he generously made which are easily imported if adding separatedly block them perfectly, no way around it.

    EASTER
     
  15. alex_s

    alex_s Registered Member

    Joined:
    Aug 13, 2007
    Posts:
    1,251
    Can't say for sure, but theoretically it should be the same. Free version doesn't support antikeyloggers, but is the same secure in the rest as the full version. I'm not sure about Rustok, but as far as I know Rustok uses DDA to infect a system. Would you be kind to share winsyst32.exe ? Then I could say more :)
     
  16. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Best ADS detection is by CFP and TF.

    See the example below. They specifically alert you about ADS creation. :thumb: :thumb:
     

    Attached Files:

  17. alex_s

    alex_s Registered Member

    Joined:
    Aug 13, 2007
    Posts:
    1,251
    The problem is this doesn't actually mean bad behavior. Some legit apps, for example KIS, use ADS for their own purposes.

    But I agree, the fact something tries to create a file in a stream could be highlighted. Request is sent to Mike :)
     
  18. chris2busy

    chris2busy Registered Member

    Joined:
    Jun 14, 2007
    Posts:
    477
    Well...If you are installing something like KIS , you should expect a such popup(probably neither in that case since one would probably want to do that in learning mode) , since not any other every day apps that i know of use ADS..and KL had their share of complaints for using it.
     
  19. Eice

    Eice Registered Member

    Joined:
    Jan 22, 2009
    Posts:
    1,413
    Since when were HIPS designed to block bad behavior?

    They can't tell whether an action is good or bad. They block everything; period. It's strange that you should think that them doing their core task is a problem.
     
  20. chris2busy

    chris2busy Registered Member

    Joined:
    Jun 14, 2007
    Posts:
    477
    He is referring to the screenshot post that aigle made mate :) D+ gives a short description in the end (this is not a typical app behaviour , style ccomment)
     
  21. alex_s

    alex_s Registered Member

    Joined:
    Aug 13, 2007
    Posts:
    1,251
    NTFS alternate streams are documented, so their usage is quite legal and not malicious. Thus happened that malware uses it to hide itself from explorer, but this doesn't mean ADS usage is illegal.
     
  22. chris2busy

    chris2busy Registered Member

    Joined:
    Jun 14, 2007
    Posts:
    477
    Most certainly it is.Never stated the opposite..Just uncommon.and the KL comment was because IIRC they used ADS to store the iswift technology scan "implants" to make scanning times shorter..couldbe wrong though,been a few years that i read about it.
     
  23. wat0114

    wat0114 Guest

    This article on ADS written in 2006 may be of interest. The way I see it, the creation of the ADS file (eg: a malicious executable hidden behind a harmless text file) should be of less concern than the actual launching of the malicious file, in which case it seems as though the "Start" command is required.

    Since all HIPS can monitor cmd.exe, there should be no cause for alarm. Maybe I'm missing something, oversimplifying things, but I don't see a problem.

    I see examples in posts #8 & #16 where programs are detecting the creation of ADS files, but how is this the harmful action? Wouldn't the launching of the hidden executable be the real concern?
     
  24. firzen771

    firzen771 Registered Member

    Joined:
    Oct 29, 2007
    Posts:
    4,815
    Location:
    Canada
    maybe a bit off topic but i think SAS has an option to scan for ADS.
     
  25. PROROOTECT

    PROROOTECT Registered Member

    Joined:
    May 5, 2008
    Posts:
    1,102
    Location:
    HERE ...Fort Lee, NJ
Loading...
Thread Status:
Not open for further replies.