Re: Multiple Vendor NTFS Data Stream Malware Stealth Technique
- To: bugtraq@xxxxxxxxxxxxxxxxx
- Subject: Re: Multiple Vendor NTFS Data Stream Malware Stealth Technique
- From: Andreas Marx <gega-it@xxxxxx>
- Date: Mon, 05 Jun 2006 22:47:04 +0200
Hi,
Besides the fact that it is always a good idea to notify vendors that might be
affected *in advance* of releasing information like this, it's indeed nothing
new.
You can find a more comprehensive review of AV products here:
<http://www.heise.de/security/artikel/52139/2>
This list should be updated soon to cover more products and also newer versions
of these products.
ADS can be a problem, as described here:
<http://www.heise.de/security/artikel/52139/0>
In short, you can hide an application in an ADS using this command:
"type secret_tool.exe > c:\boot.ini:foo.exe"
You can still execute it using the following syntax:
"start c:\boot.ini:foo.exe"
While some AV products might not be able to find this file during an on-demand
virus scan, most will alert the user as soon as someone tries to start the
file. It looks like such hidden files can only be started when they are in the
Windows PE EXE file format. I was not able to start VBS script files or the
"Eicar test file" this way.
This means you might have hidden a working virus, but after your conversion it
was no longer working. When you copy & paste Loveletter.A (a VBS file) into a
Word DOC file, do you think AV products should still flag this DOC file, even
if it's no longer working (as it cannot be executed in such a format)...?
cheers,
Andreas Marx
CEO, AV-Test GmbH
http://www.av-test.org
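The hide-and-find procedure described in the message above, as an added PowerShell example that is not part of the original post or of any AV-Test material. It writes a stand-in payload into an alternate data stream of a harmless-looking file (the PowerShell equivalent of the "type ... > file:stream" command quoted above) and then enumerates every stream under a directory to find it again, which is the check a practitioner wants before trusting an on-demand scan. It assumes Windows PowerShell 3.0 or later on an NTFS volume; the directory name, file name, stream name and payload text are made up for the demonstration.

```powershell
# Added example, not from the original post: hide data in an NTFS alternate
# data stream (ADS), then locate it by enumerating streams.
# Assumes Windows PowerShell 3.0+ (the -Stream parameter) on an NTFS volume.
# All names below are hypothetical, chosen for the demo only.
$scratch = Join-Path $env:TEMP 'ads-demo'
New-Item -ItemType Directory -Path $scratch -Force | Out-Null
$carrier = Join-Path $scratch 'innocent.txt'

# The visible, "innocent" primary stream (:$DATA).
Set-Content -Path $carrier -Value 'nothing to see here'

# Equivalent of   type secret_tool.exe > innocent.txt:foo.exe   from the post.
# A short constructed text string stands in for the real tool.
Set-Content -Path $carrier -Stream 'foo.exe' -Value 'constructed payload standing in for secret_tool.exe'

# The primary stream is untouched: its content, size and hash are unchanged,
# so anything that reads only the default stream sees nothing unusual.
Get-Content -Path $carrier
(Get-Item -Path $carrier).Length

# Enumerate every stream of every file under a path and report those that are
# not the default ':$DATA' stream. 'Zone.Identifier' is the common benign one
# (Mark-of-the-Web); anything else, above all an executable-looking name,
# deserves a closer look.
function Find-AlternateStreams {
    param([Parameter(Mandatory)][string]$Path)
    Get-ChildItem -Path $Path -File -Recurse -Force |
        ForEach-Object {
            Get-Item -Path $_.FullName -Stream * -ErrorAction SilentlyContinue
        } |
        Where-Object { $_.Stream -ne ':$DATA' } |
        Select-Object FileName, Stream, Length
}

# Lists innocent.txt with stream foo.exe and the payload's length.
Find-AlternateStreams -Path $scratch

# Read the hidden stream back, then delete only that stream; the primary
# stream and the file itself stay in place.
Get-Content -Path $carrier -Stream 'foo.exe'
Remove-Item -Path $carrier -Stream 'foo.exe'
Find-AlternateStreams -Path $scratch
```

The same enumeration is available from cmd.exe with "dir /r", which lists every stream next to each file. Pointing Find-AlternateStreams at a directory that a given on-demand scanner has just declared clean is a quick way to reproduce the gap the message describes: the stream is plainly there in the file system, whether or not the scanner chose to open it.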