RE: strange windows behaviour.

From: Schmehl, Paul L (pauls_at_utdallas.edu)
Date: 10/08/03

    Date: Wed, 8 Oct 2003 15:44:22 -0500
    To: "J Mike Rollins" <rollins@wfu.edu>, <incidents@securityfocus.com>
    
    

    > -----Original Message-----
    > From: J Mike Rollins [mailto:rollins@wfu.edu]
    > Sent: Wednesday, October 08, 2003 12:46 PM
    > To: incidents@securityfocus.com
    > Subject: Re: strange windows behaviour.
    >
    >
    >
    > One trick that hackers are exploiting is to store executable
    > files as NTFS Streams. You should check your registry for
    > programs set to run at startup with the following format
    >
    > rundll32.exe C:\Some\Directory:trojan.dll
    >
    > The : in front of the trojan signifies that the file is
    > really an NTFS Stream. Trojans stored in this format may not
    > be detected by many virus scanners.

    There's been a lot of discussion about this amongst av professionals.
    There's really no advantage to scanning streams because they are
    "inert". In order for the trojan to do anything, it has to "come out of
    hiding" as it were, and when it does, av on access scanning will detect
    it **if it's a known trojan**. While it's in the stream it's merely in
    storage, not being used.

    Paul Schmehl (pauls@utdallas.edu)
    Adjunct Information Security Officer
    The University of Texas at Dallas
    AVIEN Founding Member
    http://www.utdallas.edu/~pauls/
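
    The registry check the quoted message recommends, written out as an added example
    (not part of the original thread or either author's own tooling): a PowerShell
    audit that flags Run/RunOnce values whose path carries a second colon, i.e. an
    NTFS alternate data stream reference, and then lists the streams actually present
    on the referenced host file. It assumes PowerShell 3.0 or later for Get-Item -Stream.

```powershell
# Added example (not from the original thread): audit the common autorun
# keys for command lines that reference an NTFS alternate data stream,
# e.g. "rundll32.exe C:\Some\Directory:trojan.dll", then enumerate the
# streams on the referenced host file.  Assumes PowerShell 3.0+.

$RunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

# "<drive>:\<path>:<stream>" - the colon after the drive letter is normal;
# a second colon inside the path names an alternate data stream.
$AdsPattern = '(?<host>[A-Za-z]:\\[^:"\s]*):(?<stream>[^\s"\\/:]+)'

function Find-AdsAutoruns {
    foreach ($key in $RunKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            # Skip the PSPath/PSProvider bookkeeping that Get-ItemProperty adds
            if ($p.Name -like 'PS*') { continue }
            $cmd = [string]$p.Value
            if ($cmd -match $AdsPattern) {
                [pscustomobject]@{
                    Key      = $key
                    Value    = $p.Name
                    Command  = $cmd
                    HostFile = $Matches['host']
                    Stream   = $Matches['stream']
                }
            }
        }
    }
}

$hits = @(Find-AdsAutoruns)
foreach ($h in $hits) {
    Write-Output ("ADS-style autorun: {0}\{1} -> {2}" -f $h.Key, $h.Value, $h.Command)
    # List every stream on the host file; ':$DATA' is the ordinary file content,
    # anything else is an alternate stream worth submitting to the AV vendor.
    if (Test-Path -LiteralPath $h.HostFile) {
        Get-Item -LiteralPath $h.HostFile -Stream * -ErrorAction SilentlyContinue |
            Select-Object FileName, Stream, Length | Format-Table -AutoSize
    }
}
if ($hits.Count -eq 0) { Write-Output 'No ADS-style entries in Run/RunOnce keys.' }
```

    Run it from an elevated prompt so the HKLM keys are readable; the HKCU keys only
    cover the current user's profile, so repeat under each account of interest.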


