| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 21 Aug 2009 17:37:41 +0000 From: Paul Schmehl <pauls@...allas.edu> To: full-disclosure@...ts.grok.org.uk Subject: Re: NTFS Alternate Data Stream --On Friday, August 21, 2009 07:30:37 -0500 Leandro Malaquias <lm.net.security@...il.com> wrote: > > http://www.thinkdigit.com/General/Hidden-Threat-NTFS-Alternate-Data-Streams-A > DS_3328.html > Whoever wrote this specializes in hyperbole. ADS is not hidden. It's completely accessible. For example, you can view the ADS in Word documents within Word. ADS is where some file metadata is stored. Yes, it's not viewable in Windows Explorer, but if you want more transparency with ADS, you can add ADS to the Properties tabs of the file system and view ADS for every file in the GUI by using StrmExt.dll. http://msdn.microsoft.com/en-us/library/ms810604.aspx Furthermore, executable content in an ADS cannot be run in some mysterious hidden fashion. It is called just like any other executable and runs in memory just like any other executable. Sure, you can "hide" stuff there, but it's not hidden when it's running. Finally, all reputable a/v companies already scan ADS for malicious code. -- Paul Schmehl (pauls@...allas.edu) Senior Information Security Analyst The University of Texas at Dallas http://www.utdallas.edu/ir/security/ _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists