RE: strange windows behaviour.
From: Pepijn Vissers (vissers at fox-it.com)
Date: Thu Oct 09 2003 - 08:57:37 CDT
//One trick that hackers are exploiting is to store executable
//files as NTFS Streams. You should check your registry for
//programs set to run at startup with the following format
// rundll32.exe C:\Some\Directory:trojan.dll
//NTFS Streams cannot be listed by the dir command. What you
//can do to verify the existence of one of the Streams is to do
//
// notepad.exe C:\Some\Directory:trojan.dll
//
//If you see content, then the stream is really there.
Very true. There is a tool that will help you, called LADS (List
Alternate Data Streams), which is a modified 'dir'. Get it at
http://www.heysoft.de/nt/ep-lads.htm.
Best regards,
Pepijn Vissers
--
P. Vissers
Fox-IT Forensic IT Experts B.V.
www.fox-it.com
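An added example, not code from the original post or from LADS: a PowerShell check in the spirit of the thread that scans the standard Run/RunOnce autorun keys for values whose target carries a stream name (path:stream, as in the rundll32 line quoted above) and lists the named streams on the referenced file or directory. It assumes PowerShell 3.0 or later (for Get-Item -Stream) and an NTFS volume.

```powershell
# Added example, not from the original post: flag autorun entries whose target is an
# NTFS alternate data stream (file-or-directory:stream) and list the streams present.
# Assumes PowerShell 3.0+ (Get-Item -Stream) on an NTFS volume.
function Find-AdsAutorun {
    $runKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    # A second colon after the drive letter marks a stream name, e.g. C:\Some\Directory:trojan.dll.
    # The stream part excludes '/' so a URL such as http://host inside a command line does not match.
    $adsPattern = '[A-Za-z]:\\[^:"]+:[^\s:"\\/]+'

    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }          # provider metadata, not registry values
            $cmd = [string]$p.Value
            if ($cmd -notmatch $adsPattern) { continue }
            $ref    = $Matches[0]
            $target = $ref.Substring(0, $ref.LastIndexOf(':'))   # path without the stream name

            # List named streams only; ':$DATA' is the ordinary file content
            $streams = '<target missing>'
            if (Test-Path -LiteralPath $target) {
                $streams = (Get-Item -LiteralPath $target -Stream * |
                    Where-Object Stream -ne ':$DATA' |
                    ForEach-Object { "$($_.Stream) ($($_.Length) bytes)" }) -join ', '
            }
            [pscustomobject]@{
                Key     = $key
                Value   = $p.Name
                Command = $cmd
                Target  = $target
                Streams = $streams
            }
        }
    }
}

Find-AdsAutorun | Format-List
```

On Windows Vista and later, `dir /R` in cmd.exe also lists alternate data streams, a switch that did not exist when this post was written.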