Re: Alternate Data Streams

From: Daniel L. Belton (abuse_at_spam.gov)
Date: 11/20/03


Date: Thu, 20 Nov 2003 07:49:23 GMT

Sarge wrote:
> "Daniel L. Belton" <abuse@spam.gov> wrote in
> news:9DLub.30859$oC5.733@clmboh1-nws5.columbus.rr.com:
>
>
>>Know of any Windows apps that put an ADS in your Windows\System32
>>folder with .exe filenames?
>
>
> Can't say that I do. You might want to ask over at alt.comp.virus and/or
> alt.comp.anti-virus, there are some pretty knowledgeable folks posting
> in those groups. You mentioned that you're running Kaspersky resident.
> Didn't that catch the trojan as it was being written to disk?
>
>
Nope... It didn't catch it, however about a week later one of their
updates had it in there.

>
>
>>>Not that I know of. Other freeware tools you can use in addition to
>>>Streams are Crucial ADS
>>>(http://www.crucialsecurity.com/downloads.html) and LADS
>>>(http://www.heysoft.de/Frames/f_sw_la_en.htm).
>>
>>I have those two, and they are good at finding and displaying the
>>ADS... Just not good at removing them. I want a way to disable it since
>>it's not needed and leaves a big security hole open.
>
>
> The easiest way I've found to delete ADS is with the shell extensions
> available at:
>
> http://www.giac.org/practical/GCWN/Ryan_Means_GCWN.zip
>
> There's one that'll add a "Streams" property *** from where you can
> extract or delete an ADS, and another that'll add a "Streams Size"
> column to Windows Explorer. Read the white paper first:
>
> http://www.giac.org/practical/GCWN/Ryan_Means_GCWN.pdf
>
>
Thanks! I haven't seen those yet. I'll go give them a look and see
what it looks like.
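Added example, not part of the thread and not one of the tools named in it: a PowerShell script that does the find-and-remove step the poster wanted, listing every alternate data stream on .exe files under System32 and deleting them only when -Remove is given. It assumes PowerShell 3.0 or later (for the -Stream parameter) and an elevated prompt.

```powershell
# Enumerate alternate data streams on .exe files under System32 and,
# on request, remove them. Assumes PowerShell 3.0+ and an elevated shell.
param(
    [string]$Path = "$env:SystemRoot\System32",
    [switch]$Remove
)

$findings = Get-ChildItem -Path $Path -Filter *.exe -File -ErrorAction SilentlyContinue |
    ForEach-Object {
        $file = $_
        # Every file has the unnamed ':$DATA' stream; anything else is an ADS.
        Get-Item -LiteralPath $file.FullName -Stream * -ErrorAction SilentlyContinue |
            Where-Object { $_.Stream -ne ':$DATA' } |
            ForEach-Object {
                [pscustomobject]@{
                    File   = $file.FullName
                    Stream = $_.Stream
                    Bytes  = $_.Length
                }
            }
    }

$findings = @($findings)
if ($findings.Count -eq 0) {
    Write-Host "No alternate data streams found under $Path"
    return
}

# Report first: Zone.Identifier (mark-of-the-web) is common on downloaded
# files, but any stream on a System32 .exe is worth a look before deleting.
$findings | Format-Table -AutoSize

if ($Remove) {
    foreach ($f in $findings) {
        Write-Host "Removing $($f.File):$($f.Stream)"
        Remove-Item -LiteralPath $f.File -Stream $f.Stream
    }
}
```

Run it without -Remove first to review the list; the default stream is filtered out, so anything printed is a named stream attached to the executable.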