lists.openwall.net - Open Source and information security mailing list archives
Date: Mon Jun 5 13:36:40 2006
From: exceed at email.si (/dev/null)
Subject: Multiple Vendor NTFS Data Stream Malware Stealth Technique

This is a well known issue. Anyway, I did a quick test. I used "famous" ncx99.exe. Here are the results:

http://www2.shrani.si/files/pic1616545.jpg
http://www2.shrani.si/files/pic2616546.jpg

Then I did another test using KAV5 Personal Pro edition. When scanned, ncx99.exe, included in the ads.txt Alternate Data Stream, is not detected. Anyway, it is detected when the ADS is executed like this:

c:\>start c:\ads.txt:ncx99.exe

I suppose other AVs will detect a malicious ADS at execution time. Or am I wrong?

Here's another interesting fact: if the KAV5 option "Real-time file protection" is disabled and the ncx99.exe ADS is executed, WFP (Windows firewall) will not pop up any warning. The port (in this case TCP/99) will be wide open and there will be no entries in the exceptions list. Didn't try with other firewalls.

I don't think this could be classified as a security breach per se, but just as an interesting fact. Maybe someone can test other AVs/Firewalls and post results.

-exceed
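The post above shows an on-demand scan missing a payload that sits in a named stream of ads.txt. A defender's first step is simply to know which named streams exist on a volume. The following is an added example, not code from the original post, that walks a directory with PowerShell's built-in `Get-Item -Stream *` and reports every stream other than the default `::$DATA` stream; the function name `Find-AlternateDataStream` and its parameters are this example's own choices.

```powershell
# Added example (not from the original post): enumerate NTFS alternate data
# streams under a directory so a hidden payload such as ads.txt:ncx99.exe
# is visible before anything executes it. Function and parameter names
# are assumptions of this example.
function Find-AlternateDataStream {
    param(
        [Parameter(Mandatory)] [string] $Root,   # directory to walk
        [long] $MinBytes = 0                     # skip streams smaller than this
    )

    Get-ChildItem -LiteralPath $Root -File -Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file = $_
            # -Stream * lists every stream on the file; the unnamed default
            # stream is reported as ':$DATA' and is filtered out here.
            Get-Item -LiteralPath $file.FullName -Stream * -ErrorAction SilentlyContinue |
                Where-Object { $_.Stream -ne ':$DATA' -and $_.Length -ge $MinBytes } |
                ForEach-Object {
                    # Zone.Identifier is the Mark-of-the-Web stream written to
                    # downloads; it is expected and normally only a few bytes.
                    # Any other named stream, especially a large one, deserves a look.
                    $note = if ($_.Stream -eq 'Zone.Identifier') { 'Mark-of-the-Web (expected)' }
                            elseif ($_.Length -gt 4096) { 'large named stream, inspect' }
                            else { '' }
                    [pscustomobject]@{
                        File       = $file.FullName
                        Stream     = $_.Stream
                        Bytes      = $_.Length
                        # The 'file:stream' form is exactly what 'start' would run.
                        StreamPath = "$($file.FullName):$($_.Stream)"
                        Note       = $note
                    }
                }
        }
}

# Example usage: list named streams under the current user's Downloads folder,
# largest first.
Find-AlternateDataStream -Root "$env:USERPROFILE\Downloads" |
    Sort-Object Bytes -Descending |
    Format-Table StreamPath, Bytes, Note -AutoSize
```

`Get-Item -Stream` needs PowerShell 3 or later and only reports streams on NTFS volumes (a FAT or exFAT drive has none). Streams are only listed, not read or executed, so the sweep is safe to run on a suspect box; a stream flagged as large can then be extracted with `Get-Content -Stream` and handed to a scanner as a plain file, which sidesteps the on-demand scan gap the post describes.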