OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
Subject: Re: Windows file problem
From: Paul Taylor (ptaylorMARTNET.COM)
Date: Mon Oct 09 2000 - 19:54:47 CDT

From http://patriot.net/~carvdawg/ads.html:

Finding alternate data streams
Corporate information security policies should require that administrators
perform regularly scheduled scans, particularly of key systems, to verify
compliance with configuration
standards. These scans should include a tool or process for detecting
alternate data streams. Two tools available for detecting alternate data
streams are:

       Streams.exe, written by Mark Russinovich and available from
http://www.sysinternals.com/misc.htm#Streams

       "LADS", written by Frank Heyne and available from
http://www.heysoft.de/index.htm

These tools use the BackupRead() and BackupSeek() API calls to locate
alternate data streams.

Paul Taylor
QVC, Inc., Data Security
(610) 701-8761

On Mon, 9 Oct 2000, Flaherty, Jack wrote:

> Yep. This has been a potential security risk for quite some time now because
> these extra file streams can be dropped anywhere (possibly behind important
> DLLs, etc.) They're perfect places to hide rootkits, stolen nuclear hard
> drive images, etc.
>
> Uhhh...Some white-hat group released a program to find file streams and
> delete them if necessary. I thought it was the L0pht, but I can't seem to
> remember now and I sure can't find it on their site. URL someone?
>
> amp
>