OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
Subject: Re: Windows file problem
From: Brian Battle (brianCONFLUENCE.COM)
Date: Tue Oct 10 2000 - 17:05:23 CDT

Microsoft has an old MSJ article on streams at:
http://www.microsoft.com/msj/defaultframe.asp?page=/msj/1198/ntfs/ntfs.htm

Also has other little known NTFS features such as reparse points, encrypted
streams, and hard links.

-----Original Message-----
From: Paul Taylor [mailto:ptaylorMARTNET.COM]
Sent: Monday, October 09, 2000 8:55 PM
To: VULN-DEVSECURITYFOCUS.COM
Subject: Re: Windows file problem

From http://patriot.net/~carvdawg/ads.html:

Finding alternate data streams
Corporate information security policies should require that administrators
perform regularly scheduled scans, particularly of key systems, to verify
compliance with configuration
standards. These scans should include a tool or process for detecting
alternate data streams. Two tools available for detecting alternate data
streams are:

       Streams.exe, written by Mark Russinovich and available from
http://www.sysinternals.com/misc.htm#Streams

       "LADS", written by Frank Heyne and available from
http://www.heysoft.de/index.htm

These tools use the BackupRead() and BackupSeek() API calls to locate
alternate data streams.

Paul Taylor
QVC, Inc., Data Security
(610) 701-8761

On Mon, 9 Oct 2000, Flaherty, Jack wrote:

> Yep. This has been a potential security risk for quite some time now
because
> these extra file streams can be dropped anywhere (possibly behind
important
> DLLs, etc.) They're perfect places to hide rootkits, stolen nuclear hard
> drive images, etc.
>
> Uhhh...Some white-hat group released a program to find file streams and
> delete them if necessary. I thought it was the L0pht, but I can't seem to
> remember now and I sure can't find it on their site. URL someone?
>
> amp
>