Will using FAT32 make rootkits harder to hide?

Discussion in 'other security issues & news' started by lu_chin, Feb 13, 2007.

Thread Status:
Not open for further replies.
  1. lu_chin

    lu_chin Registered Member

    Joined:
    Oct 27, 2005
    Posts:
    294
    It seems many recent rootkits can hide themselves in alternate data streams on NTFS volumes. Other than the 4 GB file size limit, for most home users using FAT32 seems a more convenient (and safer) choice than using NTFS, in terms of leaving one less (and common) place for rootkits to hide themselves. Just a thought from a novice like me.
     
  2. GES/POR

    GES/POR Registered Member

    Joined:
    Nov 26, 2006
    Posts:
    1,490
    Location:
    Armacham
    I have a "friend" with a laptop with no fw and no av. He downloads lots of porn and visits such websites on a regular basis. He's dumb too, so he's the kinda guy to get in trouble really easily.

    I used the obvious scanners to see what's up. To my surprise he was not infected. He's using FAT as well. o_O
     
  3. lu_chin

    lu_chin Registered Member

    Joined:
    Oct 27, 2005
    Posts:
    294
    My idea is simple. By using FAT32, I can boot up from a Win 9x/ME/2000 CD and run any one file management utility program (which can be downloaded from many shareware sites) to save a listing of directories and files on the FAT32 partition. Then I will boot up XP in normal mode, run the same utility program and save another directory/file listing. Finally I diff the two listings to look for hidden files.
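
The cross-view comparison lu_chin describes in post 3, as an added example that is not part of the original thread: it compares a listing saved after booting from trusted media with one saved from the running system and reports entries the running system does not show. The `size<TAB>path` listing format, the `VOLATILE` skip list and all sample paths are assumptions constructed for illustration.

```python
"""Cross-view diff of two directory listings (constructed sample data)."""
import ntpath

# Paths that legitimately differ between an offline and a running system
# (assumed list; tune it for the machine being checked).
VOLATILE = ("c:\\pagefile.sys", "c:\\windows\\temp\\")

def parse_listing(text):
    """Parse 'size<TAB>path' lines into {normalized_path: size}."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        size, path = line.split("\t", 1)
        # FAT32 names are case-insensitive, so compare in lower case.
        entries[ntpath.normpath(path).lower()] = int(size)
    return entries

def cross_view_diff(offline_text, online_text, volatile=VOLATILE):
    """Return (hidden, resized): entries the running OS fails to report,
    and entries whose size differs between the two views."""
    offline = parse_listing(offline_text)
    online = parse_listing(online_text)
    hidden, resized = [], []
    for path, size in sorted(offline.items()):
        if path.startswith(volatile):
            continue  # expected to change between boots
        if path not in online:
            hidden.append(path)
        elif online[path] != size:
            resized.append((path, size, online[path]))
    return hidden, resized

# Constructed sample listings, not taken from a real machine.
OFFLINE = ("1024\tC:\\WINDOWS\\system32\\drivers\\example.sys\n"
           "2048\tC:\\WINDOWS\\notepad.exe\n"
           "512\tC:\\pagefile.sys\n"
           "300\tC:\\WINDOWS\\example.dll\n")
ONLINE = ("2048\tc:\\windows\\notepad.exe\n"
          "4096\tC:\\pagefile.sys\n"
          "310\tC:\\WINDOWS\\example.dll\n")

if __name__ == "__main__":
    hidden, resized = cross_view_diff(OFFLINE, ONLINE)
    for p in hidden:
        print("present offline, missing online:", p)
    for p, old, new in resized:
        print("size differs:", p, old, "->", new)
```

An empty result only shows that no file was filtered from the running system's listing; it says nothing about hiding techniques that do not involve files on this partition.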
     
  4. btman

    btman Registered Member

    Joined:
    Feb 11, 2006
    Posts:
    576
    I use FAT32 and still get infected... But haven't really gotten a rootkit... Maybe it's because trojans are popular on sites nowadays...
     
  5. trickyricky

    trickyricky Registered Member

    Joined:
    Mar 27, 2005
    Posts:
    475
    Location:
    London, UK
    Using ADS is just one way that rootkits can hide themselves. Most will use other techniques, so switching to a FAT32 file system will only confer a minimal improvement and still leave you wide open to many other forms of attack.

    In my opinion, NTFS is so much more reliable, resilient and efficient than FAT32 that anyone who still uses FAT32 is really doing themselves no favours at all.
     
  6. lu_chin

    lu_chin Registered Member

    Joined:
    Oct 27, 2005
    Posts:
    294
    I was not saying not to use other security programs when using FAT32. I think using FAT32 makes it harder for rootkits to stay undetected. There is one less place (ADS) to hide and there are many old and new file/disk tools that can show directories/files on a FAT32 partition after booting even from a floppy disk. I am not sure if NTFS is really more reliable and resilient and efficient than FAT32. I had been running FAT32 on my C drive without any loss in speed or data integrity. Besides, I had not read about any hidden rootkit that worked on FAT32 yet. It might be the fact that NTFS was the default format and the malware writers just targeted the bigger crowd.

     
  7. EP_X0FF

    EP_X0FF Registered Member

    Joined:
    Nov 8, 2006
    Posts:
    233
    It is simpler to hide a rootkit on NTFS, but it is also very easy to do on FAT32. So my answer to the topic title question - no.
     