Re: Alternate Data Streams

From: Daniel L. Belton (abuse_at_spam.gov)
Date: 11/19/03

• Next message: Daniel L. Belton: "Re: Alternate Data Streams"
• Previous message: Kasandra: "Administrator lockout"
• In reply to: Sarge: "Re: Alternate Data Streams"
• Next in thread: Sarge: "Re: Alternate Data Streams"
• Reply: Sarge: "Re: Alternate Data Streams"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

---

Date: Wed, 19 Nov 2003 15:03:33 GMT

Sarge wrote:

> "Daniel L. Belton" <abuse@spam.gov> wrote in
> news:vrBub.30842$oC5.17359@clmboh1-nws5.columbus.rr.com:
>
>
>>I have been hit with a trojan dropper that is using the ADS in my
>>\Windows\System32 folder to hide from scanners
>
>
> Out of curiosity, how do you know it's a trojan dropper if it's hiding
> from scanners? And I'm even more curious to know how it was delivered to
> your machine. As far as scanners go, Kaspersky Anti-Virus
> (http://www.kaspersky.com/) will detect malware in alternate data
> streams.
>

Know of any Windows apps that put an ADS in your Windows\System32 folder
with .exe filenames?

>
>
>
>>I have no use for ADS anyway, so I want to disable them from being
>>used at all. Is there any way to do this without going back to using
>>FAT32 instead of NTFS?
>
>
> Not that I know of. Other freeware tools you can use in addition to
> Streams are Crucial ADS (http://www.crucialsecurity.com/downloads.html)
> and LADS (http://www.heysoft.de/Frames/f_sw_la_en.htm).

I have those two, and they are good at finding and displaying the ADS...
  Just not good at removing them. I want a way to disable it since it's
not needed and leaves a big security hole open.

---

• Next message: Daniel L. Belton: "Re: Alternate Data Streams"
• Previous message: Kasandra: "Administrator lockout"
• In reply to: Sarge: "Re: Alternate Data Streams"
• Next in thread: Sarge: "Re: Alternate Data Streams"
• Reply: Sarge: "Re: Alternate Data Streams"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

---

Relevant Pages Re: hacktool.rootkit ... ADS have several consequences that attract malware interest: ... - non-native OSs hosting formal scanners may miss ADS ... In the NTFS file system, ... non-NTFS file system is anyone's guess. ... (microsoft.public.security.virus) Re: ADS 5i Controller ... Do you guys know of any ADS dedicated newsgroups/forums? ... > 1) Created a new folder with my sysprep folder that gets copied to ... > 2) I downloaded the appropriate support pack from HP ... > time deploying an image to multiple devices myself. ... (microsoft.public.windows.server.setup) Re: Debian creates duplicate image files with strange extensions! ... with NTFS called ADS. ... contents of an NTFS folder. ... ADS files take up no space on an NTFS file system. ... (Debian-User) Re: Alternate Data Streams ... >>Know of any Windows apps that put an ADS in your Windows\System32 ... >>folder with .exe filenames? ... > The easiest way I've found to delete ADS is with the shell extensions ... (microsoft.public.windowsxp.security_admin) Re: Alternate Data Streams ... > folder with .exe filenames? ... >> Streams are Crucial ADS ... There's one that'll add a "Streams" property sheet from where you can ... (microsoft.public.windowsxp.security_admin)

---

We are proud to have Web Hosting and Rack Housing from 9 Net Avenue Deutschland.
(15)