RE: strange windows behaviour.
From: Schmehl, Paul L (pauls at utdallas.edu)
Date: Wed Oct 08 2003 - 15:44:22 CDT
> -----Original Message-----
> From: J Mike Rollins [mailto:rollins at wfu.edu]
> Sent: Wednesday, October 08, 2003 12:46 PM
> To: incidents at securityfocus.com
> Subject: Re: strange windows behaviour.
>
> One trick that hackers are exploiting is to store executable
> files as NTFS Streams. You should check your registry for
> programs set to run at startup with the following format
>
> rundll32.exe C:\Some\Directory:trojan.dll
>
> The : in front of the trojan signifies that the file is
> really an NTFS Stream. Trojans stored in this format may not
> be detected by many virus scanners.
There's been a lot of discussion about this amongst av professionals.
There's really no advantage to scanning streams because they are
"inert". In order for the trojan to do anything, it has to "come out of
hiding" as it were, and when it does, av on access scanning will detect
it **if it's a known trojan**. While it's in the stream it's merely in
storage, not being used.
Paul Schmehl (pauls at utdallas.edu)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu/~pauls/
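The registry check Mike describes, written out as an added example (this is not code from either poster): it walks the common Run/RunOnce keys, flags any value whose path contains a colon after the drive-letter colon (the `C:\Some\Directory:trojan.dll` shape), and lists the streams attached to the host file or directory so the entry can be reviewed. It assumes PowerShell 3.0 or later on Windows; the key list and the regular expression are my own choices.

```powershell
# Added example, not part of the original thread. Assumes PowerShell 3.0+ on
# Windows (Get-Item -Stream needs 3.0). Key list and regex are assumptions.

# Common autostart locations to inspect.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

function Get-AdsReference {
    # Returns the first path token in a command line that names an alternate
    # data stream, i.e. a colon that is not the drive-letter colon
    # (C:\dir:evil.dll or C:\dir\file.txt:evil.dll), or $null if none.
    param([string]$CommandLine)
    $tokens = [regex]::Matches($CommandLine, '[A-Za-z]:\\[^\s"]+')
    foreach ($t in $tokens) {
        $afterDrive = $t.Value.Substring(2)      # drop the leading "C:"
        if ($afterDrive -match ':') { return $t.Value }
    }
    return $null
}

foreach ($key in $runKeys) {
    if (-not (Test-Path -Path $key)) { continue }
    $regKey = Get-Item -Path $key
    foreach ($name in $regKey.GetValueNames()) {
        $value = [string]$regKey.GetValue($name)
        $ads = Get-AdsReference -CommandLine $value
        if (-not $ads) { continue }
        Write-Output "ADS reference in ${key}\${name}: $value"
        # Host object is everything before the last colon; list every stream
        # attached to it (the unnamed $DATA stream plus any hidden ones).
        $hostPath = $ads.Substring(0, $ads.LastIndexOf(':'))
        if (Test-Path -LiteralPath $hostPath) {
            Get-Item -LiteralPath $hostPath -Stream * -ErrorAction SilentlyContinue |
                Select-Object FileName, Stream, Length |
                Format-Table -AutoSize
        }
    }
}
```

A hit only tells you that a startup entry points into a stream; as Paul notes, the content still has to be loaded to do anything, which is the point at which on-access scanning gets its look.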