Re: [Full-disclosure] NTFS Alternate Data Stream
- To: full-disclosure@xxxxxxxxxxxxxxxxx
- Subject: Re: [Full-disclosure] NTFS Alternate Data Stream
- From: Paul Schmehl <pauls@xxxxxxxxxxxx>
- Date: Fri, 21 Aug 2009 17:37:41 +0000
--On Friday, August 21, 2009 07:30:37 -0500 Leandro Malaquias
<lm.net.security@xxxxxxxxx> wrote:
>
> http://www.thinkdigit.com/General/Hidden-Threat-NTFS-Alternate-Data-Streams-ADS_3328.html
>
Whoever wrote this specializes in hyperbole. ADS is not hidden. It's
completely accessible. For example, you can view the ADS in Word documents
within Word. ADS is where some file metadata is stored. Yes, it's not
viewable in Windows Explorer, but if you want more transparency with ADS, you
can add ADS to the Properties tabs of the file system and view ADS for every
file in the GUI by using StrmExt.dll.

http://msdn.microsoft.com/en-us/library/ms810604.aspx

Furthermore, executable content in an ADS cannot be run in some mysterious
hidden fashion. It is called just like any other executable and runs in memory
just like any other executable. Sure, you can "hide" stuff there, but it's not
hidden when it's running.

Finally, all reputable a/v companies already scan ADS for malicious code.
--
Paul Schmehl (pauls@xxxxxxxxxxxx)
Senior Information Security Analyst
The University of Texas at Dallas
http://www.utdallas.edu/ir/security/
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
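
Editor's added example, not part of the original message or of any tool it mentions: a PowerShell audit that lists every named alternate data stream under a directory and marks streams that begin with the "MZ" executable header. The scan root and the list of expected stream names are assumptions to adjust for your environment.

```powershell
# Added example: inventory NTFS alternate data streams (ADS) under a directory.
# Needs PowerShell 3.0 or later (Get-Item -Stream) and an NTFS volume.
param(
    [string]$Root = 'C:\Users\Public'   # assumed scan root, change as needed
)

# Stream names treated as routine (assumption). Zone.Identifier is the
# mark-of-the-web stream Windows attaches to downloaded files.
$expected = @('Zone.Identifier')

# Get-Content reads raw bytes with a different switch on PowerShell 6+.
$byteArgs = if ($PSVersionTable.PSVersion.Major -ge 6) {
    @{ AsByteStream = $true }
} else {
    @{ Encoding = 'Byte' }
}

# Files only: older PowerShell versions cannot list streams on directories.
Get-ChildItem -LiteralPath $Root -Recurse -File -Force -ErrorAction SilentlyContinue |
    ForEach-Object {
        $file = $_
        Get-Item -LiteralPath $file.FullName -Stream * -ErrorAction SilentlyContinue |
            Where-Object { $_.Stream -ne ':$DATA' } |   # skip the default data stream
            ForEach-Object {
                $looksLikePE = $false
                if ($_.Length -ge 2) {
                    # Read only the first two bytes of the named stream.
                    $head = @(Get-Content -LiteralPath $file.FullName -Stream $_.Stream `
                                -TotalCount 2 -ErrorAction SilentlyContinue @byteArgs)
                    $looksLikePE = ($head.Count -eq 2 -and
                                    $head[0] -eq 0x4D -and $head[1] -eq 0x5A)   # 'MZ'
                }
                [pscustomobject]@{
                    Path        = $file.FullName
                    Stream      = $_.Stream
                    Length      = $_.Length
                    Expected    = $expected -contains $_.Stream
                    LooksLikePE = $looksLikePE
                }
            }
    } |
    Sort-Object -Property @{ Expression = 'LooksLikePE'; Descending = $true }, Expected, Path |
    Format-Table -AutoSize
```

Rows with `Expected` false or `LooksLikePE` true are the ones to review first; `dir /r` in cmd.exe gives a quick per-directory view of the same streams.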