Re: [Full-disclosure] Multiple Vendor NTFS Data Stream Malware Stealth Technique
- To: full-disclosure@xxxxxxxxxxxxxxxxx
- Subject: Re: [Full-disclosure] Multiple Vendor NTFS Data Stream Malware Stealth Technique
- From: "/dev/null" <exceed@xxxxxxxx>
- Date: Mon, 05 Jun 2006 14:35:58 +0200
This is a well-known issue. Anyway, I did a quick test. I used the "famous"
ncx99.exe. Here are the results:
http://www2.shrani.si/files/pic1616545.jpg
http://www2.shrani.si/files/pic2616546.jpg
Then I did another test using KAV5 Personal Pro edition. When scanned,
ncx99.exe, included in the ads.txt Alternate Data Stream, is not detected. Anyway,
it is detected when the ADS is executed like this:
c:\>start c:\ads.txt:ncx99.exe
I suppose other AV will detect malicious ADS at execution time. Or am I wrong?
Here's another interesting fact: if KAV5 option "Real-time file protection" is
disabled and ncx99.exe ADS is executed, WFP (Windows firewall) will not pop-up
any warning. The port (in this case TCP/99) will be wide open and there will
be no entries in the exceptions list. Didn't try with other firewalls.
I don't think this could be classified as a security breach per se, but just as an
interesting fact.
Maybe someone can test other AVs/Firewalls and post results.
-exceed
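Added here as a defender's check, not code from the original post: a PowerShell sweep that lists every NTFS alternate data stream under a directory and flags those that begin with a PE "MZ" header, the pattern the post describes (an .exe stored as c:\ads.txt:ncx99.exe). The root path, the `$benign` list and the `Test-PeStream` helper are assumptions of this example.

```powershell
# Added example (not from the original post): enumerate NTFS alternate data
# streams under a directory and flag any that carry a PE image (MZ header).
# Assumes PowerShell 5.1 or later on Windows with an NTFS volume.
param(
    [string]$Root = 'C:\'     # directory to sweep (assumption: adjust as needed)
)

# Well-known benign stream names that should not be reported (assumed list).
$benign = @('Zone.Identifier', 'SmartScreen', 'encryptable')

function Test-PeStream {
    param([string]$Path, [string]$Stream)
    # Open the stream directly via its file:stream path and read the first two bytes.
    $fs = [System.IO.File]::OpenRead("$($Path):$Stream")
    try {
        $buf = New-Object byte[] 2
        $n = $fs.Read($buf, 0, 2)
        return ($n -eq 2 -and $buf[0] -eq 0x4D -and $buf[1] -eq 0x5A)   # "MZ"
    } finally {
        $fs.Dispose()
    }
}

Get-ChildItem -Path $Root -File -Recurse -Force -ErrorAction SilentlyContinue |
    ForEach-Object {
        $file = $_
        # -Stream * lists every named stream; ':$DATA' is the main (unnamed) stream.
        Get-Item -LiteralPath $file.FullName -Stream * -ErrorAction SilentlyContinue |
            Where-Object { $_.Stream -ne ':$DATA' -and $benign -notcontains $_.Stream } |
            ForEach-Object {
                $isPe = Test-PeStream -Path $file.FullName -Stream $_.Stream
                [PSCustomObject]@{
                    File     = $file.FullName
                    Stream   = $_.Stream
                    Bytes    = $_.Length
                    PEHeader = $isPe
                }
            }
    } | Sort-Object PEHeader -Descending | Format-Table -AutoSize
```

A stream reported with PEHeader = True (such as ads.txt:ncx99.exe) is an executable hidden from a plain directory listing and worth checking against the same AV that scans the host file.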