RE: strange windows behaviour.

From: J Mike Rollins (rollinswfu.edu)
Date: Thu Oct 09 2003 - 11:58:59 CDT


We are in the process of sending information to the vendor.

In summary:

will be caught: rundll32 c:\directory\trojan.dll,params
will not be caught: rundll32 c:\directory:trojan.dll,params

On Thu, 9 Oct 2003, Schmehl, Paul L wrote:

> > -----Original Message-----
> > From: J Mike Rollins [mailto:rollinswfu.edu]
> > Sent: Thursday, October 09, 2003 10:13 AM
> > To: Schmehl, Paul L
> > Cc: incidentssecurityfocus.com
> > Subject: RE: strange windows behaviour.
> >
> > I have just tested the ideas expressed here and have to
> > report that streams can still be a threat.
> >
> > When I try to make a copy of the dll stored within the
> > stream, the virus scanning software does find it.
> >
> > However, when I run the contents of the dll stream by using
> > rundll32 the program is not caught by the virus scanning
> > software. And the trojan continues to execute undetected.
> >
> > So, I believe this to be a serious threat.
>
> Have you sent the results of your testing to your AV vendor? It could
> easily be a problem with your AV rather than a problem with the general
> principle of on access scanning being able to catch the trojan.
>
> Paul Schmehl (paulsutdallas.edu)
> Adjunct Information Security Officer
> The University of Texas at Dallas
> AVIEN Founding Member
> http://www.utdallas.edu/~pauls/
>

Mike

    Network Operations and Security, Wake Forest University
======================================================================
          J. Mike Rollins rollinswfu.edu
     Wake Forest University http://www.wfu.edu/~rollins
        Winston-Salem, NC work: (336) 758-1938
======================================================================
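Added example, not part of the thread: a small Python detector that scans constructed process-creation log lines and flags rundll32 invocations whose DLL argument points into an NTFS alternate data stream, the case Mike reports above as not being caught by on-access scanning. The log line format ("<timestamp> <host> cmd=<command line>") and the host names are assumptions.

```python
import re
from typing import List, Optional, Tuple

# Constructed process-creation log lines (assumed format: "<ts> <host> cmd=<command line>").
SAMPLE_LOG = """\
2003-10-09T10:13:01 host1 cmd=rundll32 c:\\directory\\trojan.dll,params
2003-10-09T10:13:05 host1 cmd=rundll32 c:\\directory:trojan.dll,params
2003-10-09T10:14:10 host1 cmd=C:\\Windows\\System32\\rundll32.exe "C:\\Program Files\\App\\lib.dll",Init
2003-10-09T10:14:12 host1 cmd=rundll32 C:\\Users\\bob\\readme.txt:payload.dll,Run
2003-10-09T10:15:00 host1 cmd=notepad C:\\temp\\notes.txt
"""

DRIVE_PREFIX = re.compile(r"^[A-Za-z]:")


def dll_argument(cmdline: str) -> Optional[str]:
    """Return the DLL path from "rundll32 <dll>,<entry> [args]", or None if not rundll32."""
    parts = cmdline.strip().split(None, 1)
    if len(parts) < 2:
        return None
    image = parts[0].lower().rsplit("\\", 1)[-1]  # tolerate a full path to rundll32.exe
    if image not in ("rundll32", "rundll32.exe"):
        return None
    arg = parts[1]
    if arg.startswith('"'):  # quoted path, may contain spaces
        end = arg.find('"', 1)
        return arg[1:end] if end != -1 else None
    return arg.split(",", 1)[0]


def references_ads(path: str) -> bool:
    """True if the path names an NTFS stream (file:stream[:$DATA]); the drive colon does not count."""
    body = path[2:] if DRIVE_PREFIX.match(path) else path
    return ":" in body


def find_ads_rundll32(log: str) -> List[Tuple[str, str]]:
    """Return (timestamp, dll path) for every rundll32 line that loads its DLL from a stream."""
    hits = []
    for line in log.splitlines():
        if " cmd=" not in line:
            continue
        prefix, cmd = line.split(" cmd=", 1)
        dll = dll_argument(cmd)
        if dll is not None and references_ads(dll):
            hits.append((prefix.split()[0], dll))
    return hits


if __name__ == "__main__":
    for ts, dll in find_ads_rundll32(SAMPLE_LOG):
        print(f"{ts} rundll32 loading DLL from alternate data stream: {dll}")
```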
