RE: strange windows behaviour.

From: J Mike Rollins (rollinswfu.edu)
Date: Thu Oct 09 2003 - 10:12:55 CDT


I have just tested the ideas expressed here and have to report that
streams can still be a threat.

When I try to make a copy of the dll stored within the stream, the virus
scanning software does find it.

However, when I run the contents of the dll stream by using rundll32 the
program is not caught by the virus scanning software. And the trojan
continues to execute undetected.

So, I believe this to be a serious threat.

On Wed, 8 Oct 2003, Schmehl, Paul L wrote:

> > -----Original Message-----
> > From: J Mike Rollins [mailto:rollinswfu.edu]
> > Sent: Wednesday, October 08, 2003 12:46 PM
> > To: incidentssecurityfocus.com
> > Subject: Re: strange windows behaviour.
> >
> >
> >
> > One trick that hackers are exploiting is to store executable
> > files as NTFS Streams. You should check your registry for
> > programs set to run at startup with the following format
> >
> > rundll32.exe C:\Some\Directory:trojan.dll
> >
> > The : in front of the trojan signifies that the file is
> > really an NTFS Stream. Trojans stored in this format may not
> > be detected by many virus scanners.
>
> There's been a lot of discussion about this amongst av professionals.
> There's really no advantage to scanning streams because they are
> "inert". In order for the trojan to do anything, it has to "come out of
> hiding" as it were, and when it does, av on access scanning will detect
> it **if it's a known trojan**. While it's in the stream it's merely in
> storage, not being used.
>
> Paul Schmehl (paulsutdallas.edu)
> Adjunct Information Security Officer
> The University of Texas at Dallas
> AVIEN Founding Member
> http://www.utdallas.edu/~pauls/
>

Mike

    Network Operations and Security, Wake Forest University
======================================================================
          J. Mike Rollins rollinswfu.edu
     Wake Forest University http://www.wfu.edu/~rollins
        Winston-Salem, NC work: (336) 758-1938
======================================================================
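The thread turns on the startup entry format shown above (`rundll32.exe C:\Some\Directory:trojan.dll`), where the second colon names an NTFS alternate data stream. The following PowerShell script is an added example, not code from either poster: it enumerates the standard Run/RunOnce autostart keys, flags any command line whose path carries a stream component, and then lists the non-default streams on the host file or directory so the finding can be confirmed. The key paths are the documented Windows autostart locations; the regular expression and the function names are this example's own, and `Get-Item -Stream` assumes PowerShell 3.0 or later.

```powershell
# Added example (not from the original thread): find autostart entries that
# point into an NTFS alternate data stream, e.g.
#   rundll32.exe C:\Some\Directory:trojan.dll
# The Run/RunOnce key paths are the standard Windows autostart keys; the regex
# below is an assumption written to match the form shown in the message.

$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

# A drive-letter path that contains a second ':' after the drive colon,
# i.e. <drive>:\...\name:stream. Stops at whitespace or quotes so the match
# does not run into the next command-line argument.
$adsPattern = '(?i)\b[a-z]:\\[^\s:"]*:[^\s"\\]+'

function Find-AdsAutostart {
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            # Skip the PS* metadata properties Get-ItemProperty attaches
            if ($p.Name -like 'PS*') { continue }
            $value = [string]$p.Value
            $m = [regex]::Match($value, $adsPattern)
            if (-not $m.Success) { continue }
            # Split host path and stream name at the last ':' of the match
            $hostFile, $stream = $m.Value -split ':(?=[^:\\]*$)', 2
            [pscustomobject]@{
                Key        = $key
                ValueName  = $p.Name
                Command    = $value
                HostFile   = $hostFile
                Stream     = $stream
                HostExists = Test-Path -LiteralPath $hostFile
            }
        }
    }
}

# List every non-default stream on a file or directory so a flagged entry can
# be confirmed and the stream contents preserved before any cleanup.
function Get-NonDefaultStreams {
    param([Parameter(Mandatory)][string]$Path)
    Get-Item -LiteralPath $Path -Stream * -ErrorAction Stop |
        Where-Object { $_.Stream -ne ':$DATA' } |
        Select-Object FileName, Stream, Length
}

$findings = Find-AdsAutostart
$findings | Format-Table -AutoSize
foreach ($f in $findings) {
    if ($f.HostExists) { Get-NonDefaultStreams -Path $f.HostFile }
}
```

Run it from an elevated prompt so the HKLM keys are readable. The script looks only at the Run/RunOnce keys named in the message; other autostart locations (services, scheduled tasks, Winlogon values) would need the same pattern applied to their command lines.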
