NTFS : Alternative Data Streams

Discussion in 'other security issues & news' started by Vikorr, May 28, 2005.

Thread Status:
Not open for further replies.
  1. Vikorr

    Vikorr Registered Member

    Joined:
    May 1, 2005
    Posts:
    662
    Last edited: May 28, 2005
  2. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    Like rootkits, which go back to UNIX days, ADS has been around a while, and the concept is being put to good use in raising the fear factor amongst those concerned about security.

    KAV put the technique to use in a recent version and has raised the level of dialogue almost to the shouting level. A post in the DSL forum touched on this:

    http://www.dslreports.com/forum/remark,10819194?hilite=ads

    And the whole concept of ADS as a threat was argued back and forth in this thread, beginning with May 21 posts, p. 3:

    http://www.dslreports.com/forum/remark,13436505

    Over in the TDS forum here, there is a thread:

    https://www.wilderssecurity.com/showthread.php?t=32861

    Like so many ideas being discussed today, including buffer overflow, one has to consider what the probability is that something could be a danger to the home user. I say home user, because some are starting to question what a home user really has to be concerned about. Kareldjag makes this point in the buffer overflow thread in this forum (post #48):

    ----------------------------------------
    Is a specific buffer overflow protection really necessary for a home user on a Windows system?

    I don't think that it's really necessary.

    From a statistical point of view, home users are more concerned by viruses, trojans (CWS) and principally spyware (hijackers) than by B.O. attacks.
    -----------------------------------------

    So, while it's interesting to read articles such as this one, users should keep things in perspective and realize that without a technical background, one might not really be able to understand/evaluate everything that's being presented. In the KAV thread above, one user bemoaned, "i just barely understand this topic,..."

    regards,

    -rich
     
  3. Vikorr

    Vikorr Registered Member

    Joined:
    May 1, 2005
    Posts:
    662
    Heh, of course such things need to be kept in perspective. I personally found it interesting, because my AT, TrojanHunter, checks the streams, and I had always wondered what they were.

    I also agree with your view on buffer overflows...that it probably isn't worth buying more security apps to protect specifically against them (even if they could comprehensively, which it seems they can't)... but it never hurts learning about them, and checking to see if there are ways to prevent them :)

    Thanks for all the extra links too
     
  4. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    How do you use this info on streams that your programs are checking?

    -rich
     
  5. MikeBCda

    MikeBCda Registered Member

    Joined:
    Jan 5, 2004
    Posts:
    1,627
    Location:
    southern Ont. Canada
    Every once in a while, out of curiosity, I'll have Ad-Aware do an ADS scan on my full drive. So far, consistently "no new items".

    If I take a look at the log for such a scan, then oddly enough (or maybe not so oddly, to someone more knowledgeable) the vast majority of things it turns up but doesn't feel are worth flagging are MIDs in my collection.
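An added example of the kind of full-drive ADS inventory discussed above. This is not code from the thread or from any product mentioned in it. It assumes Windows PowerShell 3.0 or later (Get-Item -Stream returns FileStreamInfo objects with FileName, Stream and Length); on PowerShell 7 replace "-Encoding Byte" with "-AsByteStream". The default root, the top-N count and the 1 MB "large" threshold are assumptions chosen for illustration. It gives the two views a triage actually needs: which stream names account for the bulk of the hits (a product that stamps every file it checks shows up as one name with thousands of entries, while an attacker's stream is usually a one-off), and which individual streams begin with a PE header or are unusually large.

```powershell
# Added example (not from the thread): inventory NTFS alternate data streams
# under a directory and flag the ones worth a second look.
param(
    [string]$Root = $env:USERPROFILE,   # assumption: scan the profile by default
    [int]$Top = 15,                     # assumption: how many stream names to list
    [int]$LargeBytes = 1MB              # assumption: size above which a stream is flagged
)

# Ask NTFS for every stream of every file. ':$DATA' is the file's ordinary
# content; anything else is an alternate data stream.
$ads = Get-ChildItem -LiteralPath $Root -File -Recurse -Force -ErrorAction SilentlyContinue |
    ForEach-Object { Get-Item -LiteralPath $_.FullName -Stream * -ErrorAction SilentlyContinue } |
    Where-Object { $_.Stream -ne ':$DATA' }

$fileCount = @($ads | Select-Object -ExpandProperty FileName -Unique).Count
"Files with at least one ADS: $fileCount"
"Alternate streams total:     $(@($ads).Count)"

# View 1: stream names by count. One name with a huge count is a per-file
# stamp written by some product; Zone.Identifier is the download-origin marker
# Windows writes itself; a name that appears once is the one to open.
"`n--- stream names by count (top $Top) ---"
$ads | Group-Object Stream | Sort-Object Count -Descending | Select-Object -First $Top |
    Format-Table Count, Name -AutoSize | Out-String

# View 2: streams that start with the 'MZ' PE header, plus anything large.
# Reads only the first two bytes of each stream, so it is cheap on a full drive.
function Test-MzHeader {
    param([string]$Path, [string]$Stream)
    try {
        $b = Get-Content -LiteralPath $Path -Stream $Stream -Encoding Byte -TotalCount 2 -ErrorAction Stop
        return (@($b).Count -eq 2 -and $b[0] -eq 0x4D -and $b[1] -eq 0x5A)
    } catch {
        return $false
    }
}

"`n--- streams worth a look ---"
$ads | ForEach-Object {
    $isPe = Test-MzHeader -Path $_.FileName -Stream $_.Stream
    if ($isPe -or $_.Length -ge $LargeBytes) {
        $reason = if ($isPe) { 'MZ header' } else { 'large' }
        [pscustomobject]@{
            File   = $_.FileName
            Stream = $_.Stream
            Bytes  = $_.Length
            Reason = $reason
        }
    }
} | Format-Table -AutoSize | Out-String
```

Running this against a whole drive takes a while because every file is opened for its stream list; start with a user profile or a download folder. The "MZ header" check is evidence, not proof: a payload can be stored in any encoding, so a stream that is merely large or oddly named still deserves a look, and a clean result says nothing about streams the account running the scan cannot open.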
     
  6. richrf

    richrf Registered Member

    Joined:
    Dec 11, 2003
    Posts:
    1,907
    Hi everyone,

    A couple of weeks ago, KAV real-time (not on-demand) detected malware in some ADS (one by one) on my friend's machine. I was able to scan and clear easily because there were only a handful of ADS on the machine to look at and make a determination. Had there been tens of thousands (e.g. the KAV 5.0 scenario with iStreams), the problem would have been much more difficult. However, this begs the question of whether that ADS malware would have ever gotten on the machine if KAV was running instead of Norton. ;) Anyway, he is now running KAV sans ADS.

    Rich
     
  7. Vikorr

    Vikorr Registered Member

    Joined:
    May 1, 2005
    Posts:
    662
    Rmus, I don't 'use the info' that my programs are checking, they check for trojans in ADS, and remove them. I don't need to know about ADS except that I was curious about what it was.
     
  8. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    OK, thanks - I wasn't sure what you meant and just was curious...

    -rich
     
  9. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,054
    When I first trialed KAV I discovered it broke First Defense. The cause was the ADS from KAV. It "only" created 32000 of them. Fortunately Kaspersky does have a removal tool that gets rid of them all in one swipe. I reinstalled KAV turning off the iStreams and all is well. I am liking KAV 5.0.

    Pete
     
  10. bigc73542

    bigc73542 Retired Moderator

    Joined:
    Sep 21, 2003
    Posts:
    23,873
    Location:
    SW. Oklahoma
    I use KAV 5.0.325 and I have always used KAV's ADS. It doesn't affect my computer's operation, it speeds up my on-demand scans, and if another malware tries to use the ADS, KAV will detect it immediately with the next on-demand scan. Who knows if it would be detected without the ADS streams in use by KAV. Besides, KAV didn't invent ADS; Microsoft puts them in Windows, KAV just uses them.
     
  11. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,054
    Hi Bigc

    My problem wasn't that KAV scans ADS, but that it creates them. That in and of itself isn't a problem, but if you go to the Raxco site, it states that First Defense and KAV aren't compatible, and with a default setup of KAV they are right. But if you turn off the iStreams technology on install so KAV doesn't use ADS (as opposed to scanning them), then KAV and First Defense play very well together. This was a good compromise for me, as I wanted to use KAV but won't give up First Defense. The only penalty might be a slightly longer on-demand scan time with KAV. I can live with that.

    Pete
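An added example of the "one swipe" bulk clean-up the last few posts describe: removing one named alternate stream from every file under a path once the product that wrote it has been reconfigured not to. This is not Kaspersky's removal tool or any code from the thread. The stream name is a parameter because the thread never gives the real one; 'Vendor.Marker' is a placeholder. It assumes Windows PowerShell 3.0 or later (Get-Item -Stream and Remove-Item -Stream) and supports -WhatIf so the hit count can be checked before anything is deleted.

```powershell
# Added example (not from the thread): remove one named ADS from every file
# under $Root. Run with -WhatIf first; the reported count is the check that you
# are about to touch the expected tens of thousands of vendor entries and not a
# handful of something else.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [Parameter(Mandatory = $true)][string]$Root,
    [string]$StreamName = 'Vendor.Marker'   # placeholder, not a real product's stream name
)

# Refuse names that would hit the file's real content or everything at once.
if ($StreamName -in @('', ':$DATA', '$DATA', '*')) {
    throw "Refusing to remove stream '$StreamName'"
}

# Get-Item -Stream <name> errors for files without that stream; silence those
# and keep only real hits.
$hits = @(
    Get-ChildItem -LiteralPath $Root -File -Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            Get-Item -LiteralPath $_.FullName -Stream $StreamName -ErrorAction SilentlyContinue
        }
)

"Stream '$StreamName' found on $($hits.Count) file(s) under $Root"

$removed = 0
foreach ($h in $hits) {
    # ShouldProcess honours -WhatIf and -Confirm; the file's own content is untouched.
    if ($PSCmdlet.ShouldProcess($h.FileName, "Remove stream '$StreamName'")) {
        Remove-Item -LiteralPath $h.FileName -Stream $StreamName -ErrorAction Continue
        $removed++
    }
}
"Removed $removed stream(s)"
```

Usage: `.\Remove-NamedAds.ps1 -Root C:\ -StreamName Vendor.Marker -WhatIf` to count, then again without -WhatIf to delete. For the Zone.Identifier stream specifically, Unblock-File does the same thing per file. Deleting a stream only frees the metadata the product wrote; it does not put back whatever protection or scan-speed benefit the product got from it, which is the trade-off the posts above are weighing.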
     
  12. richrf

    richrf Registered Member

    Joined:
    Dec 11, 2003
    Posts:
    1,907
    Hi Peter and bigc,

    There are many security vulnerabilities introduced by ADS, which have been discussed in other threads, that appear to be hardly offset by any performance improvements (especially if the default quarantine period of one year is accepted). Suffice to say that Kaspersky's engineers have apparently reviewed the pros and cons of using ADS in their product and have ADS from version 6.

    Rich
     