Will TDS show the "Aflooder" stream..

Discussion in 'Trojan Defence Suite' started by spy1, Sep 1, 2003.

Thread Status:
Not open for further replies.
  1. spy1

    spy1 Registered Member

    Joined:
    Dec 29, 2002
    Posts:
    3,139
    Location:
    Clover, SC
  2. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
    Because it is a stream, TDS will detect an EXE in a stream - this is untested, but I don't see how it could hide from the stream detection in TDS :)

    I have a copy of what seems to be this and will be adding detection shortly. It seems to be from adware or spyware? I don't have much information on it; however, it does open a connection to an IRC server, and that will be relevant for detection.

    I don't think the parent file is legitimate from what I've read, though ;) system32.exe is not an MS file and is a common filename used by trojans to LOOK real.
     
  3. spy1

    spy1 Registered Member

    Joined:
    Dec 29, 2002
    Posts:
    3,139
    Location:
    Clover, SC
    Okay, you'll be adding detection for it and that's good.

    However, I'm kind of wondering if anything in TDS's "NTFS detection" will block the infection in and of itself.

    IOW,

    (a) Is stream detection real-time when Exec Protection is installed?

    Or

    (b) Does TDS just detect streams when you run a scan?

    If stream detection isn't real-time when Exec Protection is installed - shouldn't it be made to be, given the characteristics of this new malware?

    And, if you make stream detection real-time, couldn't it be made to block execution of any stream containing an exe until after it throws up a warning?

    We're probably going to be seeing more of these kinds of attacks (involving streams) - and judging by this one, they're all going to be a major PITA to remove after being infected.

    Can TDS get it to the point where we don't have to worry about stream infection before it happens?

    Pete
     
  4. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,330
    Location:
    Netherlands
    In case anyone is wondering what this is all about, here is some more reading: http://www.spywareinfoforum.com/forums/index.php?act=ST&f=11&t=10456

    Regards,

    Pieter
     
  5. DolfTraanberg

    DolfTraanberg Registered Member

    Joined:
    Nov 20, 2002
    Posts:
    676
    Location:
    Amsterdam
    Exec Protection doesn't detect streams as streams; it just detects/stops code from being executed. The source is not important.

    All scanning modules just detect what needs to be detected.

    Dolf
     
  6. snapdragin

    snapdragin Administrator

    Joined:
    Feb 16, 2002
    Posts:
    8,415
    Location:
    Southern Ont., Canada
    Hi guys,

    Being a TDS3 user myself and having an XP-Home (NTFS) PC... this thread has caught my attention since it is discussing the "NTFS Alternate Data Stream detection", which I am still trying to fully grasp and understand. Also, this AFlooder thing... new malware... and how this new malware will be detected has me concerned a bit. I would really like to know how the detection of this happens.

    Gavin, you said such detection has not been tested yet (hoping I have not misunderstood you)... but is there any possibility it can be tested and explained to us? (Screenshots are always appreciated by us users still learning about these things.) ;)

    Dollefie, hi'ya :) Where you said:
    I may be wrong, but I would think it would be, would it not? I sure would want to know what and where the source of something detected as malware was hiding, and remove/delete it if possible.

    Thank you for your comments...they help me and others greatly! :)

    snap
     
  7. DolfTraanberg

    DolfTraanberg Registered Member

    Joined:
    Nov 20, 2002
    Posts:
    676
    Location:
    Amsterdam
    Exec Prot just blocks code from executing: streams, executables, DLLs, scripts, whatever, once it has detected it as malware. It is then up to you to scan and remove that code from your system. Look at Wayne's answer to the same question here:
    http://diamondcs.com.au/forum/showthread.php?s=&threadid=1729
    (if you have signed up for the TDS private forum)
    Dolf
     
  8. Wayne - DiamondCS

    Wayne - DiamondCS Security Expert

    Joined:
    Jul 19, 2002
    Posts:
    1,533
    Location:
    Perth, Oz
    The answer to every question you've ever had about NTFS Alternate Data Streams - http://www.diamondcs.com.au/index.php?page=archive&id=ntfs-streams
    Perhaps the most comprehensive page on the subject anywhere on the Internet. If there are any questions it doesn't answer, please email me your question(s) at wayne@diamondcs.com.au


    *repaired URL tags*
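    For readers trying to picture what "stream detection" actually does (snapdragin's question above), here is an added example, not code from this thread or from DiamondCS/TDS: it walks a directory on an NTFS volume, lists every named alternate data stream, and flags the ones whose first two bytes are the "MZ" header of a Windows executable, which is how an EXE hidden in a stream like the one discussed would stand out on a scan. It assumes Windows PowerShell 3.0 or later (or PowerShell 7) and an NTFS volume; the function name and output columns are my own choices.

```powershell
# Added example: enumerate NTFS alternate data streams and flag those holding a PE image.
# Only a two-byte header check is done; a real scanner would go on to inspect the content.
function Find-ExecutableStreams {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [switch] $Recurse
    )
    # Byte reads use -AsByteStream on PowerShell 7 but -Encoding Byte on Windows PowerShell.
    $isCore = $PSVersionTable.PSVersion.Major -ge 6

    Get-ChildItem -LiteralPath $Path -File -Recurse:$Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file = $_
            # ':$DATA' is the unnamed default stream (the file's ordinary content); skip it so
            # only *named* streams, the ones a plain directory listing never shows, are reported.
            Get-Item -LiteralPath $file.FullName -Stream * -ErrorAction SilentlyContinue |
                Where-Object { $_.Stream -ne ':$DATA' } |
                ForEach-Object {
                    $stream = $_
                    $readArgs = @{
                        LiteralPath = $file.FullName
                        Stream      = $stream.Stream
                        TotalCount  = 2
                        ErrorAction = 'SilentlyContinue'
                    }
                    if ($isCore) { $readArgs['AsByteStream'] = $true } else { $readArgs['Encoding'] = 'Byte' }
                    $head = @(Get-Content @readArgs)
                    # 0x4D 0x5A == "MZ", the DOS header every Windows EXE/DLL begins with.
                    $isPE = ($head.Count -eq 2 -and $head[0] -eq 0x4D -and $head[1] -eq 0x5A)
                    [pscustomobject]@{
                        File       = $file.FullName
                        Stream     = $stream.Stream
                        Length     = $stream.Length
                        Executable = $isPE
                    }
                }
        }
}

# Usage: list every named stream under the current user's profile, executables first.
Find-ExecutableStreams -Path $env:USERPROFILE -Recurse |
    Sort-Object Executable -Descending |
    Format-Table -AutoSize
```

    Expect plenty of harmless hits such as `Zone.Identifier` (the "downloaded from the Internet" marker) showing `Executable = False`; a named stream reported as `True` is the case worth examining with your scanner.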
     