NTFS Alternate Data Streams?

Discussion in 'Trojan Defence Suite' started by tragic001, Jul 12, 2003.

Thread Status:
Not open for further replies.
  1. tragic001

    tragic001 Registered Member

    Joined:
    Jul 10, 2003
    Posts:
    35
    Morning Wilders, :)

    Since my post of yesterday regarding ugo20.exe and the most satisfactory conclusion, I was advised to install the trial version of TDS. I have updated the radius files, and when I ran it yesterday nothing came up.

    Today, I fired up TDS so I could get to know the program a little better, and on the initial scan it does on opening I get two entries as follows (both appear with a full scan too):

    Alarm: NTFS Alternate Data Stream.
    Name: ADS Hidden stream detected 88 bytes.
    C:\windows\system32\ctfmon.exe

    Can I delete these? Two were shown, both the same size. This is from my TDS logfile:

    "11:47:21 [TDS] Good morning Nick.
    11:47:23 [NTFS ADS] Stream found - c:\windows\system32\ctfmon.exe:SummaryInformation
    11:47:23 [NTFS ADS] Stream found - c:\windows\system32\ctfmon.exe:(4c8cc155-6c1e-11d1-8e41-00c04fb9386d)"

    Many thanks
     
  2. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Hi Tragic001,
    welcome!
    I googled a bit in the threads over here about the subject, interesting reads!
    http://www.wilderssecurity.com/showthread.php?t=10877
    http://www.wilderssecurity.com/showthread.php?t=10612;start=msg69027#msg69027
    http://www.wilderssecurity.com/showthread.php?t=7804
    http://www.wilderssecurity.com/showthread.php?t=8416;start=msg54594#msg54594
    http://www.wilderssecurity.com/showthread.php?t=4905;start=msg32298#msg32298

    Alternate Data Streams are really very interesting things. DCS has a page that describes them here:
    http://www.diamondcs.com.au/streams/streams.htm
    If you didn't yet, you might like to get the free Autostartviewer too, to control all that's starting, very nice tool!
    http://www.diamondcs.com.au/downloads/asviewer.zip

    Generally speaking, the recommendations are to ignore files below 90, 256 or 512 bytes in size, so that seems to depend.

    From other postings here:
    "Ctfmon.exe activates the Alternative User Input Text Input Processor (TIP) and the Microsoft Office Language Bar.
    Ctfmon.exe monitors the active windows and provides text input service support for speech recognition, handwriting recognition, keyboard, translation, and other alternative user input technologies. "

    http://www.wilderssecurity.com/showthread.php?t=11193;start=msg72914#msg72914
    (Pieter's answer #60)
    http://www.wilderssecurity.com/showthread.php?t=10301;start=msg70343#msg70343
    (Illukka's answer #40)

    If somebody can drop by in the meantime, please don't hesitate to post!
     
  3. tragic001

    tragic001 Registered Member

    Joined:
    Jul 10, 2003
    Posts:
    35
    Thanks Jooske,

    I did manage to find the file from DiamondCS about these streams, and from the links you have provided I have set my stream detection to 90 and checked the non-executable box.

    I think ctfmon.exe is something to do with Office XP, which I have.

    Many thanks.. :)
     
  4. tragic001

    tragic001 Registered Member

    Joined:
    Jul 10, 2003
    Posts:
    35
    Hmmm,

    Having set the stream size to a minimum of 90 and checked the non-executable box, on re-running TDS those same two files appear o_O They are marked as 88 bytes in size.

    I await your advice....thanks :)
     
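    The filtering the thread describes (a minimum stream size plus "skip non-executable streams"), as an added Python example that is not TDS's own code: it parses the TDS log format quoted above and applies the filter to each stream found. Assumptions: the two ctfmon.exe stream names are treated as known-benign because the thread concludes they belong to Office, the third log line and the file path in it are made up, and all stream contents are constructed.

```python
# Added example, not TDS's own code: reimplements the filter the thread describes
# (minimum stream size, skip non-executable streams) over TDS-style log lines.
import re

# Log format as quoted in the thread: "HH:MM:SS [NTFS ADS] Stream found - <file>:<stream>"
TDS_STREAM_RE = re.compile(r"^\d\d:\d\d:\d\d \[NTFS ADS\] Stream found - (?P<spec>.+)$")
# Assumption: the two stream names on ctfmon.exe that the thread concludes belong to Office.
KNOWN_BENIGN = {"SummaryInformation", "(4c8cc155-6c1e-11d1-8e41-00c04fb9386d)"}

def split_stream_spec(spec):
    # 'c:\dir\file.exe:name' -> (file, stream). The drive colon sits at index 1,
    # so only a colon later than that separates the stream name.
    idx = spec.rfind(":")
    if idx <= 1:
        return spec, ""  # no alternate stream named, just the file
    return spec[:idx], spec[idx + 1:]

def parse_tds_log(text):
    # (file, stream) for every 'Stream found' line; other log lines are ignored.
    found = []
    for line in text.splitlines():
        m = TDS_STREAM_RE.match(line.strip())
        if m:
            found.append(split_stream_spec(m.group("spec")))
    return found

def should_alert(name, data, min_size=90, ignore_non_exec=False):
    # Known Office streams, streams under min_size (the thread's "90" setting) and,
    # if requested, streams without a DOS/PE 'MZ' header are suppressed.
    if name in KNOWN_BENIGN or len(data) < min_size:
        return False
    if ignore_non_exec and data[:2] != b"MZ":
        return False
    return True

def triage(log, contents, **opts):
    # 'file:stream' specs still worth an alarm; contents maps (file, stream) -> bytes.
    return [f"{f}:{n}" for f, n in parse_tds_log(log)
            if should_alert(n, contents[(f, n)], **opts)]

# Constructed sample: the two 88-byte ctfmon.exe streams from the thread plus a
# hypothetical 4 KiB MZ-headed stream on a made-up file.
SAMPLE_LOG = (
    "11:47:23 [NTFS ADS] Stream found - c:\\windows\\system32\\ctfmon.exe:SummaryInformation\n"
    "11:47:23 [NTFS ADS] Stream found - c:\\windows\\system32\\ctfmon.exe:(4c8cc155-6c1e-11d1-8e41-00c04fb9386d)\n"
    "11:47:24 [NTFS ADS] Stream found - c:\\temp\\example.txt:hidden\n"
)
SAMPLE_CONTENTS = {
    ("c:\\windows\\system32\\ctfmon.exe", "SummaryInformation"): bytes(88),
    ("c:\\windows\\system32\\ctfmon.exe", "(4c8cc155-6c1e-11d1-8e41-00c04fb9386d)"): bytes(88),
    ("c:\\temp\\example.txt", "hidden"): b"MZ" + bytes(4094),
}
```

    With the defaults, `triage(SAMPLE_LOG, SAMPLE_CONTENTS)` suppresses both ctfmon.exe streams and keeps only the constructed MZ-headed one.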
  5. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    My edit and your answer crossed :)
    Indeed, it has to do with the input in Office, so no worries.

    Are you comfortable with TDS configuration and using it?
     
  6. tragic001

    tragic001 Registered Member

    Joined:
    Jul 10, 2003
    Posts:
    35
    Thanks Jooske, that has reassured me :). Actually I find TDS not too difficult to set up. There are some things that I have no clue about, but I have configured the scan options, updated the radius files etc. and am starting to really like the program. I may just purchase it at the end of the trial.

    If I have any questions, be sure I know where to come. Again, many thanks :)
     