Pls help me understanding ADS

Ok, here is the scenario.

I scanned my C partition with ADS spy. No ADS found. I run a malware and then scanned again with ADS spy. It finds two ADS,s

C:\ .....Temp: ypdwbti.dll
C:\Windows|system32: ypdwbti.dll

The dll in Temp directory is visible even by windows explorer but no such dll is visible in system32 folder, even by any rootkit scanner( gmer, icesword, blacklite, RKU etc).

Can some one explain to me these things?

Thanks

 

http://www.wikistc.org/wiki/Alternate_data_streams

 

Hmmm... thanks. I can find a lot of stuff on net but mostly it,s over my head. I just wanted some practical help/ explanation in the scenario above.

Thanks

 

Possibly your confusion is caused from misunderstanding tool configuration/data returned.....with that the file visible in your temp folder is not of DLL extension so is not ADS reported by ADS spy

How did you use IceSword/Gmer to check for ADS....in both cases niether tool will show them using basic file search.

IRC Gmer you need to check box for scanning ADS and IceSword you need to Use right click on file explorer option and enumerate ADS option.

HTH

 

Hi fcukdat, thanks. It,s very helpful. I was really expecting some answer from u.

One Q- in this case dll hidden by ADS atttached to system32 folder is infact part of system32 folder( inside system32 folder) or it,s infact part of Windows directory?

Thanks

 

It is attached to the directory and not inside of system32 folder.

HTH and hope ya enjoy the samples

 

Experiment sometimes if you can with adding an executable ADS, in my case i attached one to Calc and made up a couple of scripts, vbs & bat to generate the executable and it does activate right on cue. Helps to familiarize yourself on how they work when you create one yourself, ADSpy is pretty good at finding them and so is IceSword as already mentioned.

Not sure what can be done exactly except monitoring maybe the command console and/or system apps for this sort of steathy hiding and executing with HIPS, but i like to integrate a WATCH in EQS for creating any ADS, and i think it entirely possible although not tested it yet.

This Windows System is chalked full of little tricks.

EASTER

 

Hi, thanks a lot. Great!!! as it was exactly what I wanted and even much more.

 

CFP and TF already do it.

https://www.wilderssecurity.com/showthread.php?t=215424