[Full-disclosure] Multiple Vendor NTFS Data Stream Malware Stealth Technique
/dev/null
exceed at email.si
Mon Jun 5 13:35:58 BST 2006
This is a well-known issue. Anyway, I did a quick test. I used the "famous"
ncx99.exe. Here are the results:
http://www2.shrani.si/files/pic1616545.jpg
http://www2.shrani.si/files/pic2616546.jpg
Then I did another test using KAV5 Personal Pro edition. When scanned,
ncx99.exe, included in an ads.txt Alternate Data Stream, is not detected. Anyway,
it is detected when the ADS is executed like this:
c:\>start c:\ads.txt:ncx99.exe
I suppose other AVs will detect a malicious ADS at execution time. Or am I wrong?
Here's another interesting fact: if the KAV5 option "Real-time file protection" is
disabled and the ncx99.exe ADS is executed, WFP (Windows firewall) will not pop up
any warning. The port (in this case TCP/99) will be wide open and there will
be no entries in the exceptions list. I didn't try it with other firewalls.
I don't think this could be classified as a security breach per se, just as an
interesting fact.
Maybe someone can test other AVs/Firewalls and post results.
-exceed
____________________
http://www.email.si/
Full-Disclosure is hosted and sponsored by Secunia.
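The post above shows that an on-access scanner may skip a payload stored in an NTFS alternate data stream until it is executed. The script below is an added example, not code from the original post or from any vendor mentioned in it: it inventories every named stream under a directory so the streams can be reviewed or handed to a scanner before anything runs. The `$Root` parameter and the `Get-AdsStreamInfo` helper are assumptions of this example; the cmdlets used (`Get-ChildItem`, `Get-Item -Stream`, `Get-FileHash -InputStream`) are standard PowerShell.

```powershell
# Added example (not from the original post): inventory NTFS alternate data streams
# under $Root, skipping the unnamed default stream, and report each named stream's
# size, SHA256 and whether its first two bytes carry the 'MZ' signature of a
# Windows executable. $Root is an assumed parameter for this example.
param([string]$Root = "C:\")

# Helper written for this example: open one named stream, hash it and peek at its header.
function Get-AdsStreamInfo {
    param([string]$FilePath, [string]$StreamName)
    # NTFS addresses a named stream as <file>:<stream>; .NET can open that path directly.
    # The braces matter: "$FilePath:" alone would be parsed as a PowerShell scope qualifier.
    $fs = [System.IO.File]::OpenRead("${FilePath}:${StreamName}")
    try {
        $length = $fs.Length
        $header = New-Object byte[] 2
        $read   = $fs.Read($header, 0, 2)
        $fs.Position = 0                      # rewind so the hash covers the whole stream
        $hash = (Get-FileHash -InputStream $fs -Algorithm SHA256).Hash
    } finally {
        $fs.Dispose()
    }
    [pscustomobject]@{
        File        = $FilePath
        Stream      = $StreamName
        Bytes       = $length
        LooksLikePE = ($read -eq 2 -and $header[0] -eq 0x4D -and $header[1] -eq 0x5A)  # 'M','Z'
        SHA256      = $hash
    }
}

Get-ChildItem -LiteralPath $Root -Recurse -File -ErrorAction SilentlyContinue |
    ForEach-Object {
        $file = $_
        # Get-Item -Stream * lists every stream on the file; the unnamed data stream shows as ':$DATA'.
        Get-Item -LiteralPath $file.FullName -Stream * -ErrorAction SilentlyContinue |
            Where-Object { $_.Stream -ne ':$DATA' } |
            ForEach-Object { Get-AdsStreamInfo -FilePath $file.FullName -StreamName $_.Stream }
    } |
    Sort-Object LooksLikePE -Descending |
    Format-Table -AutoSize
```

Run it as `.\Find-Ads.ps1 -Root C:\Users` (file name assumed). Expect many benign `Zone.Identifier` streams, which browsers attach to downloads; the rows to look at first are those with `LooksLikePE` set to `True`, whose hashes can then be checked against the scanner of your choice. Scanning the stream contents this way sidesteps the gap in the post, where the file is only examined once the stream is launched.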