Message-ID: <Pine.LNX.4.21.0606061626560.23779-100000@linuxbox.org>
Date: Tue, 6 Jun 2006 16:28:26 -0500 (CDT)
From: Gadi Evron <ge@...uxbox.org>
To: Andreas Marx <gega-it@....de>
Cc: bugtraq@...urityfocus.com, Joxean Koret <joxeankoret@...oo.es>
Subject: Re: Multiple Vendor NTFS Data Stream Malware Stealth Technique


On Mon, 5 Jun 2006, Andreas Marx wrote:
> Hi,
> 
> besides the fact that it is always a good idea to notify vendors which might be affected *in advance* before releasing information like this, it's indeed nothing new.

More than that, somebody releases an advisory about it once every two
years or so.

I can't argue that it works, but just googling for "NTFS Stream
virus" would do wonders for people who look at this issue.

	Gadi.

> 
> You can find a more comprehensive review of AV products here:
> <http://www.heise.de/security/artikel/52139/2>
> 
> This list should be updated anytime soon, to cover more products and also newer versions of these products.
> 
> ADS can be a problem, due to this:
> <http://www.heise.de/security/artikel/52139/0>
> 
> In short, you can hide an application in an ADS using this command:
> "type secret_tool.exe > c:\boot.ini:foo.exe"
> 
> You can still execute it using the following syntax:
> "start c:\boot.ini:foo.exe"
> 
> While some AV products might not be able to find this file during an on-demand virus scan, most will alert the user as soon as someone tries to start the file. It looks like such hidden files can only be started when they are in the Windows PE EXE file format. I was not able to start VBS script files or the "Eicar test file" this way.
> 
> This means, you might have hidden a working virus, but after your conversion, it was no longer working. When you copy & paste Loveletter.A (a VBS file) in a Word DOC file, do you think AV products should still flag this DOC file, even if it's no longer working (as it cannot be executed in such a format)...?
> 
> cheers,
> Andreas Marx
> 
> CEO, AV-Test GmbH
> http://www.av-test.org
> 

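As a defender-side check for the ADS behaviour discussed in the quoted post, the following is an added PowerShell example that is not part of this thread: it walks a directory, lists every non-default NTFS alternate data stream, and flags streams whose first two bytes are the PE "MZ" signature, the only kind the post reports as directly startable. It assumes Windows PowerShell 5.1 (for `-Encoding Byte`) on an NTFS volume; the scan root is supplied by the caller.

```powershell
# Added example, not code from the thread. Enumerates alternate data streams
# under $Root and reports which ones carry a PE header. Windows PowerShell 5.1.
param(
    [Parameter(Mandatory = $true)]
    [string]$Root      # assumption: directory to scan, e.g. a user profile
)

function Get-AdsReport {
    param([string]$Path)
    Get-ChildItem -LiteralPath $Path -Recurse -Force -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file = $_
            # "-Stream *" lists every stream on the file; ':$DATA' is the
            # normal file content, so anything else is an alternate stream.
            Get-Item -LiteralPath $file.FullName -Stream * -ErrorAction SilentlyContinue |
                Where-Object { $_.Stream -ne ':$DATA' } |
                ForEach-Object {
                    # Read only the first two bytes of the stream and test
                    # for the 'MZ' (0x4D 0x5A) signature of a PE executable.
                    $head = @(Get-Content -LiteralPath $file.FullName -Stream $_.Stream `
                                -Encoding Byte -TotalCount 2 -ErrorAction SilentlyContinue)
                    $isPe = ($head.Count -eq 2 -and $head[0] -eq 0x4D -and $head[1] -eq 0x5A)
                    [PSCustomObject]@{
                        Stream   = "$($file.FullName):$($_.Stream)"
                        Bytes    = $_.Length
                        PeHeader = $isPe
                    }
                }
        }
}

# PE-bearing streams are listed first; Zone.Identifier and other benign
# streams still appear so the reviewer can see the full picture.
Get-AdsReport -Path $Root | Sort-Object PeHeader -Descending | Format-Table -AutoSize
```

Browser download markers (`Zone.Identifier`) will dominate the output on most systems; the `PeHeader` column is what separates them from an embedded executable like the `boot.ini:foo.exe` case in the post.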