No ADS found in powershadow 2.6

Discussion in 'other anti-malware software' started by Horus37, Mar 12, 2007.

Thread Status:
Not open for further replies.
  1. Horus37

    Horus37 Registered Member

    Joined:
    Jan 4, 2007
    Posts:
    328
    I've run 4 different ADS detectors on PowerShadow 2.6 downloaded from the original powershadow.com website and can find no ADS associated with it other than what XP Service Pack 2 assigns to ANY internet-downloaded program -

    This stream is called Zone.Identifier and contains the following information:

    D:\Tmp>more < TestZip.zip:Zone.Identifier
    [ZoneTransfer]
    ZoneId=3


    This information will show up on most ADS detectors. Yet I find no additional ADS from the installer from the website. Still don't know why the sizes between the download site at TUCOWS and powershadow are different. I wonder WHO put the file on the tucows website?
     
    Last edited: Mar 12, 2007
  2. chew

    chew Registered Member

    Joined:
    Jun 29, 2004
    Posts:
    515
    Location:
    GeordieLand.
    Horus37,

    Thanks for all the work. :thumb:

    I have the PS version 2.6 from the original site, but according to yankinNcrankin, Assassin did identify ADS in that version ...

    So have you tried using Assassin to detect ADS?

    https://www.wilderssecurity.com/showpost.php?p=950273&postcount=3

    Cheers

    Chew
     
  3. Horus37

    Horus37 Registered Member

    Joined:
    Jan 4, 2007
    Posts:
    328
    Yes, I've used the Assassin ADS detector on it as well and pointed it right at the file to examine it, and at the whole C: drive as well. It just finds ADS on some downloaded files in my Documents folder, all the same size - 26 bytes on several files. I'm waiting for yankin to follow up with how he determined that it had an ADS attached to it other than what XP SP2 already does to it when it gets downloaded. Might be a good idea to contact the company in an email and ask them about the possibility of an ADS in the program, but so far I can't find one.

    By the way, if you download these programs from within Firefox you don't get the XP SP2 zone ADS. Size 3,978,016 bytes, 3,801,088 bytes on disk = 3.62 MB?

    Anyway, I need more clarification on this and on who put the file up on Tucows.
     
    Last edited: Mar 12, 2007
  4. chew

    chew Registered Member

    Joined:
    Jun 29, 2004
    Posts:
    515
    Location:
    GeordieLand.
    I think Meriadoc managed to email the company in China and received a reply, so I should think that's the best place to ask? But you'd need to write in Chinese, though.

    I downloaded Assassin but have not installed it yet, and yankinNcrankin assassinated the ADS without problem. I am not sure if that was prior to or after installation of PS.

    :)
     
  5. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Hi Chew! You can get a reply in English from here within 24 hours. No Chinese needed.

    support@powershadowsecurity.com
     
  6. chew

    chew Registered Member

    Joined:
    Jun 29, 2004
    Posts:
    515
    Location:
    GeordieLand.
    I think I used IE7 instead of FF (NoScript, so the download was awkward), if I can recall.

    I will ask here first then perhaps the PS support to get the full details.:D

    Cheers

    Chew
     
  7. Meriadoc

    Meriadoc Registered Member

    Joined:
    Mar 28, 2006
    Posts:
    2,642
    Location:
    Cymru
    Yes, direct all support questions to the link in aigle's post, support@powershadowsecurity.com - my queries were before the English site was up.
    I don't know anything of the ADS, but tech is checking it.
     
  8. yankinNcrankin

    yankinNcrankin Registered Member

    Joined:
    May 6, 2006
    Posts:
    406
    Answer to the ADS: zone identifiers etc. etc. etc. are all detected as ADS. ADS are ADS whether they be safe or malicious in nature; for an ADS to get attached to a .exe file through downloading is enough to raise an alert for me. I'll have no ADS on my box. However, I use the latest version of Firefox for all my browsing and downloading of files, so I don't know why there was an ADS on the .exe at http://www.powershadow.com/en/product.htm. So I can't be entirely sure if the ADS was inside the .exe installer or if I picked it up with Firefox. I was trying to figure out why the Tucows version and the official site versions were different in size. That being said, Horus, zone identifiers are ADS even if they're not malicious, just so you know that. If possible, could you paste that ADS zone identifier here? I would like to see its contents; maybe you can dump it or hex it. Thanks.
    I'm going to DL the program over and figure this out for myself, brb in a few.
    -
     
    Last edited: Mar 12, 2007
  9. LoneWolf

    LoneWolf Registered Member

    Joined:
    Jan 2, 2006
    Posts:
    3,408
    So what are some other ADS scanners other than Assassin?
     
  10. yankinNcrankin

    yankinNcrankin Registered Member

    Joined:
    May 6, 2006
    Posts:
    406
    I re-DL'ed the program and ran Assassin and found no ADS, so I don't know what to say. About a month ago I DL'ed the program and it had an ADS in it, and the only program that could detect it was Assassin. That's the end of my part.
     
  11. chew

    chew Registered Member

    Joined:
    Jun 29, 2004
    Posts:
    515
    Location:
    GeordieLand.
    Yes, I have emailed them regarding the different file size from two different sites plus the question about ADS.

    Now I just have to wait for their answer.

    :)
     
  12. ako

    ako Registered Member

    Joined:
    Nov 16, 2006
    Posts:
    627
    By the way, when looking with a hex editor both files show the same version number: 2.60611, not the 2.60511 shown on the website.
     
  13. Horus37

    Horus37 Registered Member

    Joined:
    Jan 4, 2007
    Posts:
    328

    The ADS detectors I know of and have used are Assassin, ADS Spy, Streams, and LADS. I found one called SFind but haven't used it as it comes bundled with other software from Foundstone.
     
  14. Horus37

    Horus37 Registered Member

    Joined:
    Jan 4, 2007
    Posts:
    328

    Well, I'll see what I can dig up on what gets sneaked into the ADS when you download in IE vs. Firefox. Evidently IE6 on XP SP2 adds the Zone.Identifier ADS if you download anything from the internet, whereas supposedly Firefox doesn't. I have 26 bytes of info attached to almost all my files downloaded from the internet, and that is all that the ADS detectors find, and I'm assuming it's from IE, not any malicious thing. I'll soon find out. Might be some hidden bytes from using FDISR.
     
    Last edited: Mar 13, 2007
  15. EASTER.2010

    EASTER.2010 Guest

    Have you asked them yet if any progress is in the offing for exiting Shadow Mode, as well as the way it enters, without a reboot? That's a version I know many of us would prefer, and it would likely gain them additional support.

    EASTER
     
  16. chew

    chew Registered Member

    Joined:
    Jun 29, 2004
    Posts:
    515
    Location:
    GeordieLand.
    ako,

    Could you tell us which sites they correspond to exactly?

    Version no: 2.60611 belongs to which site? Original or Tucows etc?

    Version no: 2.6051 belongs to which site? Original or Tucows etc?

    Hhmmm ... o_O

    EASTER,

    I was thinking of asking that and making suggestions along those lines, but abandoned the thought as I did not want to complicate the matter.

    So unfortunately I did not ask them about future progress as I did not know who would be reading my email and just in case there is a language barrier.

    I hate to see them being put off by too many questions and to sit down with dictionary trying to understand my email.

    :D
     
  17. ako

    ako Registered Member

    Joined:
    Nov 16, 2006
    Posts:
    627
    tucows-file: hex-editor gives 2.60611

    powershadow-file: hex-editor gives 2.60611

    www.powershadow.com says it should be 2.60511

    P.S. I do not understand this fuss about a possible ADS attached to the file. It is a curious fact, but it has nothing to do with security risks. Moreover, I do not see any, at least not with ADS Spy.
     
    Last edited: Mar 13, 2007
  18. StevieO

    StevieO Registered Member

    Joined:
    Feb 2, 2006
    Posts:
    1,067
    @ ako

    Hi, you said (I do not understand this fuss about a possible ADS attached to the file. It is a curious fact, but it has nothing to do with security risks)

    Here's just one example of why people should be concerned about ADS in NTFS partitioned disks.


    Linkoptimizer a.k.a. Gromozon

    The downloaded malware, when executed, installs

    A rootkit

    Various files hidden through ADS (Alternate Data Streams)

    Random files encrypted using EFS

    Linkoptimizer (hidden by a rootkit)

    Once you get infected, Linkoptimizer downloads other Trojans and adware and installs other spyware applications, and pops up several IE pages which redirect users to other malicious websites as well. With all of these installed, the machine is nearly unusable and really tough to clean up. You can easily find a machine infected by Linkoptimizer hosting more than 10 or 20 different malware.

    http://216.239.59.104/search?q=cach...ternate data streams&hl=en&ct=clnk&cd=1&gl=uk


    @ travellinman

    Here you go.

    Streams - http://www.sysinternals.com/Utilities/Streams.html

    NTFS Streams Eraser - http://www.excessive-software.eu.tt/ - NTFS Streams Eraser is a limited GUI (Graphic User Interface) application for program Streams by Sysinternals.

    ADS Spy - http://www.spywareinfoforum.com/~merijn/ - also ADS Spy is integrated into HJT HijackThis. This is a very nice comprehensive tool which can really help in Malware infection analysis/detection etc, and is also Free.

    LADS - List Alternate Data Streams - http://www.heysoft.de/Frames/f_faq_ads_en.htm

    LNS - List NTFS Streams - http://ntsecurity.nu/toolbox/lns/

    SFind - http://www.foundstone.com/resources/proddesc/forensic-toolkit.htm


    StevieO
     
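Editor's added example, not posted by anyone in this thread and not part of PowerShadow or of any tool listed above: a PowerShell scan that does what the detectors discussed in posts 1, 13 and 18 do, enumerating named streams under a directory, reading the Zone.Identifier mark-of-the-web where present and flagging any other stream for a closer look. It needs PowerShell 3.0 or later for the -Stream parameters (not available on the XP SP2 machines in this 2007 thread) and an NTFS volume; the default path is an assumption. For reference, the stream Horus37 quoted, "[ZoneTransfer]" CRLF "ZoneId=3" CRLF, is 14 + 2 + 8 + 2 = 26 bytes, which matches the 26-byte streams he reports on his downloaded files.

```powershell
# Added example: enumerate NTFS alternate data streams under a directory,
# classify Zone.Identifier (mark-of-the-web) separately, and flag the rest.
# Requires PowerShell 3.0+ and an NTFS volume. $Root is an assumed default.
param(
    [string]$Root = "$env:USERPROFILE\Downloads"
)

function Get-AdsReport {
    param([string]$Path)
    Get-ChildItem -LiteralPath $Path -File -Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file = $_
            # Get-Item -Stream * lists every stream; ':$DATA' is the file's main data.
            Get-Item -LiteralPath $file.FullName -Stream * -ErrorAction SilentlyContinue |
                Where-Object { $_.Stream -ne ':$DATA' } |
                ForEach-Object {
                    $kind = if ($_.Stream -eq 'Zone.Identifier') { 'MOTW' } else { 'UNEXPECTED' }
                    $zone = $null
                    if ($kind -eq 'MOTW') {
                        # Zone.Identifier is a tiny INI file: [ZoneTransfer] / ZoneId=N
                        # (3 = Internet zone). Read it and pull out the zone number.
                        $text = Get-Content -LiteralPath $file.FullName -Stream Zone.Identifier -Raw
                        if ($text -match 'ZoneId=(\d+)') { $zone = [int]$Matches[1] }
                    }
                    [pscustomobject]@{
                        File   = $file.FullName
                        Stream = $_.Stream
                        Bytes  = $_.Length
                        Kind   = $kind
                        ZoneId = $zone
                    }
                }
        }
}

$report = Get-AdsReport -Path $Root
$report | Format-Table -AutoSize

# Zone.Identifier is expected on anything IE saved from the Internet zone.
# Any other named stream is what the thread is actually worried about.
$report | Where-Object { $_.Kind -eq 'UNEXPECTED' } | ForEach-Object {
    Write-Warning ("Unexpected stream '{0}' ({1} bytes) on {2}" -f $_.Stream, $_.Bytes, $_.File)
}

# After inspecting a flagged stream, remove it with one of these (edit the path first):
# Unblock-File -LiteralPath 'C:\path\to\file.exe'                    # strips Zone.Identifier only
# Remove-Item  -LiteralPath 'C:\path\to\file.exe' -Stream 'streamname' # removes one named stream
```

Run it as `.\Get-AdsReport.ps1 -Root 'C:\'` to cover a whole drive the way Horus37 did with Assassin; expect Zone.Identifier on most browser downloads, and treat only the UNEXPECTED rows as worth investigating. Note that a stream named Zone.Identifier can hold anything, so for a suspicious file also check that its Bytes column is the small INI size rather than something larger.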
  19. ako

    ako Registered Member

    Joined:
    Nov 16, 2006
    Posts:
    627
    Yes, on many occasions malware today uses ADS for hiding data. But as such they are as harmless as normal files, which are, by the way, also used by malware. :D

    P.S. Anyone interested in highly sophisticated malware, should read Marco Giuliano's (from Prevx) report on Gromozon.
     
  20. fcukdat

    fcukdat Registered Member

    Joined:
    Feb 20, 2005
    Posts:
    569
    Location:
    England,UK
    Just food for thought for the conspiracists present. If this software was going to use ADS for some dark reason, then surely the inventive coders would hide the aforementioned streams whilst the software is installed, if they existed :p

    So really what folks want to do is uninstall and then check for vacated ADS;)
     
  21. chew

    chew Registered Member

    Joined:
    Jun 29, 2004
    Posts:
    515
    Location:
    GeordieLand.
    Folks,

    How do you Uninstall Power Shadow cleanly?

    I read on their website the following instruction.

    So how do I remove them cleanly? I mean, I want to make sure I remove my version that contains the ADS, including the ADS, cleanly, and then re-install a version without it, i.e. from Tucows.

    o_O

    p/s: no reply from the PS Support yet since I emailed them. It's more than 24 hrs now.
     
    Last edited: Mar 14, 2007
  22. EASTER.2010

    EASTER.2010 Guest

    I wouldn't get your hemorrhoids in an uproar over it, just select the installer minus the ADS and all is well.

    There is nothing, and I repeat, nothing harmful or risky in Power Shadow at all, but it can be of concern for some who would rather not take the chance, so go for the program without the ADS like I have.

    Power Shadow is a wonderful creation and saves a ton of headaches and aggravations experienced from even the most legit of shadowers like ShadowSurfer to name one i'm happy to have found a replacement for.
     
  23. Horus37

    Horus37 Registered Member

    Joined:
    Jan 4, 2007
    Posts:
    328
    My concern now is that even though no ADS might be found in the installer or in the program itself, how does PowerShadow clean out the ADS of programs we install on our computer during a shadowed session? Surely lots of malware testers out there can find out by downloading known ADS-hiding malware and then deleting it by rebooting out of PowerShadow, then checking that area for left-over ADS. Nowhere do I see the info talking about left-over ADS from malware we pick up while surfing that PowerShadow deletes, yet one must assume that it does this. Perhaps I'll send them a message and ask them if it specifically deletes the ADS of malware. That would be the real key to this.
     
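Editor's added example for the test Horus37 proposes above; it is not from this thread and not PowerShadow's own tooling. Rather than downloading real ADS-hiding malware, it plants a harmless canary stream on a file that already existed before shadow mode and checks after the reboot whether the stream is still there. Assumptions: PowerShell 3.0 or later, an NTFS volume that is the one being shadowed, and a canary file path, stream name and marker text that are all made up for the test.

```powershell
# Added example: three-phase canary test for whether leaving shadow mode
# discards an alternate data stream written during the session.
#   Prepare : run OUTSIDE shadow mode, creates the host file so it persists.
#   Create  : run INSIDE shadow mode, attaches the canary stream.
#   Verify  : run AFTER rebooting out of shadow mode, checks for the stream.
# Requires PowerShell 3.0+ and NTFS. Path, stream name and marker are assumptions.
param(
    [ValidateSet('Prepare', 'Create', 'Verify')]
    [string]$Phase = 'Prepare',
    [string]$Target = "$env:PUBLIC\ads-canary.txt"
)
$StreamName = 'PSADS-canary'
$Marker     = 'canary-written-in-shadow-mode'

switch ($Phase) {
    'Prepare' {
        # The host file must exist before entering shadow mode, otherwise the
        # whole file (and any stream on it) would be discarded for that reason alone.
        Set-Content -LiteralPath $Target -Value 'host file for ADS canary test'
        Write-Host "Created $Target. Enter shadow mode, then run with -Phase Create."
    }
    'Create' {
        # Writing to a named stream leaves the main ':$DATA' stream untouched,
        # which is exactly how ADS-hiding malware attaches its payload.
        Set-Content -LiteralPath $Target -Stream $StreamName -Value $Marker
        Get-Item -LiteralPath $Target -Stream $StreamName |
            Select-Object FileName, Stream, Length
        Write-Host "Canary written. Reboot out of shadow mode, then run with -Phase Verify."
    }
    'Verify' {
        $s = Get-Item -LiteralPath $Target -Stream $StreamName -ErrorAction SilentlyContinue
        if ($null -eq $s) {
            Write-Host "PASS: '$StreamName' is gone from $Target; the session's ADS was discarded."
        } else {
            $content = Get-Content -LiteralPath $Target -Stream $StreamName -Raw
            Write-Warning "FAIL: '$StreamName' survived on $Target (content: $content)"
            # Remove the canary so it does not show up in later ADS scans.
            Remove-Item -LiteralPath $Target -Stream $StreamName
        }
    }
}
```

A PASS only shows that streams on a pre-existing file are rolled back; if you also want to know what happens to files created during the session, the Create phase can additionally write a brand-new file with its own stream and Verify can check that the file itself is gone.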
  24. chew

    chew Registered Member

    Joined:
    Jun 29, 2004
    Posts:
    515
    Location:
    GeordieLand.
    Folks,

    This is an update reply from PS Support, which I emailed 3 days ago.

    They are going to release next version in about 3 months time.:thumb:

    Later on I also asked what sort of improvements they would be incorporating in the next version.

    Can't wait to see what next version is like.

    Cheerio

    Chew

    -----------------------------------------------------------------------------------------------------

    Hi Chew,

    Thanks for your love for our PowerShadow.

    We don't use Alternate Data Streams in PowerShadow.

    We made a very small internal modification and decided to keep the same version number.

    When we repackaged the files, Microsoft OS added a file "Thumbs.db" in the directory.
    Thumbs.db is Microsoft's way of caching thumbnail images of any image or movie file in a folder.
    This file is useless for PowerShadow, but it DOES occupy about 10K space.
    That's why the second installation package from our website is a little bit larger than others.

    Just relax, both installation packages are the same for end users.

    Add our new website ( http://www.powershadowsecurity.com) to your browser bookmark because we will release a new version in about three months.

    --
    Customer Support Dept.
    PowerShadow Security
    Chicago, IL, USA
    http://www.powershadowsecurity.com

    - Virtualization for Integrity -


    ------------------------------------------------------------------------------------------------------
     