Please help me understand ADS

Discussion in 'other anti-malware software' started by aigle, Jul 19, 2008.

Thread Status:
Not open for further replies.
  1. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Ok, here is the scenario.

    I scanned my C partition with ADS Spy. No ADS found. I ran a malware sample and then scanned again with ADS Spy. It finds two ADSs:

    C:\ .....Temp:ypdwbti.dll
    C:\Windows\system32:ypdwbti.dll

    The DLL in the Temp directory is visible even in Windows Explorer, but no such DLL is visible in the system32 folder, not even with any rootkit scanner (GMER, IceSword, BlackLight, RKU, etc.).

    Can someone explain these things to me?

    Thanks

     
  2. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
  3. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Hmmm... thanks. I can find a lot of stuff on the net, but mostly it's over my head. I just wanted some practical help/explanation of the scenario above.

    Thanks
     
  4. fcukdat

    fcukdat Registered Member

    Joined:
    Feb 20, 2005
    Posts:
    569
    Location:
    England,UK
    Possibly your confusion is caused by misunderstanding the tool configuration/data returned... with that, the file visible in your temp folder is not of DLL extension, so it is not the ADS reported by ADS Spy ;)

    How did you use IceSword/GMER to check for ADS? In both cases, neither tool will show them using a basic file search.

    IIRC, in GMER you need to check the box for scanning ADS, and in IceSword you need to use the right-click option in the file explorer and the enumerate ADS option.

    HTH:)
     
    Last edited: Jul 19, 2008
  5. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Hi fcukdat, thanks. It's very helpful. I was really expecting some answer from you. :thumb:

    One Q: in this case, is the DLL hidden by the ADS attached to the system32 folder in fact part of the system32 folder (inside the system32 folder), or is it in fact part of the Windows directory?

    Thanks
     
  6. fcukdat

    fcukdat Registered Member

    Joined:
    Feb 20, 2005
    Posts:
    569
    Location:
    England,UK
    It is attached to the directory and not inside of system32 folder.

    HTH and hope ya enjoy the samples:D
     
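    The distinction fcukdat makes above (a stream hangs off the directory entry itself, so it is not a file inside that directory) can be checked without a third-party scanner. The following is an added example, not code from the thread: it assumes Windows with PowerShell 3.0 or later on an NTFS volume, and the function name Get-NamedStream is my own.

    ```powershell
    # Added example: list named NTFS data streams attached to a path
    # (file or directory) and, optionally, to everything beneath it.
    # Assumes Windows, PowerShell 3.0+, NTFS. Get-NamedStream is a made-up name.
    function Get-NamedStream {
        param(
            [Parameter(Mandatory)] [string] $Path,
            [switch] $Recurse
        )
        # Start with the path itself: a directory can carry a stream even when
        # nothing inside it does, which is exactly the system32 case in the thread.
        $items = @(Get-Item -LiteralPath $Path -Force)
        if ($Recurse) {
            $items += Get-ChildItem -LiteralPath $Path -Recurse -Force -ErrorAction SilentlyContinue
        }
        foreach ($item in $items) {
            # -Stream * returns every $DATA stream. A file's unnamed stream shows up
            # as ':$DATA' and a directory has none, so anything left is a named ADS.
            Get-Item -LiteralPath $item.FullName -Stream * -ErrorAction SilentlyContinue |
                Where-Object { $_.Stream -ne ':$DATA' } |
                ForEach-Object {
                    [PSCustomObject]@{
                        Host        = $item.FullName      # the file or directory the stream is attached to
                        IsDirectory = $item.PSIsContainer
                        Stream      = $_.Stream
                        Length      = $_.Length
                    }
                }
        }
    }

    # The thread's scenario: a stream on the system32 directory entry. Note that
    # Get-ChildItem of system32 never lists it, because it is not a file in there.
    Get-NamedStream -Path "$env:SystemRoot\System32"

    # Temp and everything below it, files and subdirectories alike.
    Get-NamedStream -Path $env:TEMP -Recurse
    ```

    The built-in `dir /r` in cmd.exe shows the same streams next to their host entries, which is a quick cross-check when a scanner's output is in doubt.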
  7. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    5,633
    Location:
    U.S.A. (South)
    Experiment sometimes, if you can, with adding an executable ADS. In my case I attached one to Calc and made up a couple of scripts, VBS and BAT, to generate the executable, and it does activate right on cue. It helps to familiarize yourself with how they work when you create one yourself. ADS Spy is pretty good at finding them, and so is IceSword, as already mentioned.

    Not sure what can be done exactly, except maybe monitoring the command console and/or system apps for this sort of stealthy hiding and executing with a HIPS, but I like to integrate a WATCH in EQS for creating any ADS, and I think it is entirely possible, although I have not tested it yet.

    This Windows system is chock full of little tricks.

    EASTER
     
  8. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Hi, thanks a lot. Great!!! :thumb: as it was exactly what I wanted and even much more. :p
     
  9. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    CFP and TF already do it.

    https://www.wilderssecurity.com/showthread.php?t=215424

    :thumb: :thumb:
     