Message-ID: <20060605123628.641F28B9F6@www1.email.si>
Date: Mon Jun 5 13:36:40 2006
From: exceed at email.si (/dev/null)
Subject: Multiple Vendor NTFS Data Stream Malware Stealth Technique
This is a well known issue. Anyway, I did a quick test. I used "famous"
ncx99.exe. Here are the results:
http://www2.shrani.si/files/pic1616545.jpg
http://www2.shrani.si/files/pic2616546.jpg
Then I did another test using KAV5 Personal Pro edition. When scanned,
ncx99.exe, included in the ads.txt Alternate Data Stream, is not detected. Anyway,
it is detected when the ADS is executed like this:
c:\>start c:\ads.txt:ncx99.exe
I suppose other AV will detect malicious ADS at execution time. Or am I wrong?
Here's another interesting fact: if KAV5 option "Real-time file protection" is
disabled and ncx99.exe ADS is executed, WFP (Windows firewall) will not pop-up
any warning. The port (in this case TCP/99) will be wide open and there will
be no entries in the exceptions list. Didn't try with other firewalls.
I don't think this could be classified as a security breach per se, but just as an
interesting fact.
Maybe someone can test other AVs/Firewalls and post results.
-exceed
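Added example, not part of the post above: a PowerShell walk-through of the same NTFS alternate data stream (ADS) trick, showing how a payload is hidden in a named stream, why the host file's size does not reveal it, how to enumerate and hash the hidden stream, and how to sweep a directory for files carrying non-default streams. The file path, stream name and the choice of notepad.exe as a stand-in payload are assumptions; it needs an NTFS volume and Windows PowerShell 3.0 or later (the -Stream parameter did not exist on the XP-era systems the post describes; there, Sysinternals streams.exe or, from Vista on, dir /R does the enumeration).

```powershell
# Added example (not the original poster's code). Demonstrates hiding, finding,
# hashing and removing an NTFS alternate data stream with built-in cmdlets.
# Assumptions: an NTFS volume, PowerShell 3.0+, and a throwaway file in %TEMP%.
$hostFile = Join-Path $env:TEMP 'ads-demo.txt'
Set-Content -Path $hostFile -Value 'innocent looking text file'

# 1. Hide a payload in a named stream. A copy of notepad.exe stands in for the
#    attacker's binary; the mechanism is the same as "c:\ads.txt:ncx99.exe".
#    Braces are needed: "$hostFile:hidden.exe" would parse as a scope qualifier.
$payloadBytes = [System.IO.File]::ReadAllBytes("$env:SystemRoot\System32\notepad.exe")
$stream = [System.IO.File]::OpenWrite("${hostFile}:hidden.exe")
try { $stream.Write($payloadBytes, 0, $payloadBytes.Length) } finally { $stream.Close() }

# 2. The host file still reports only the size of its unnamed ($DATA) stream,
#    which is why Explorer, "dir" and naive scanners see nothing unusual.
Get-Item -Path $hostFile | Select-Object Name, Length

# 3. Enumerate every stream on the file. ':$DATA' is the default stream; any
#    other entry is an alternate stream.
Get-Item -Path $hostFile -Stream * | Select-Object Stream, Length

# 4. Hash the hidden stream directly. .NET opens "file:stream" paths, so the
#    hash can be checked against known-bad lists even if the AV never looked
#    inside the stream.
$fs = [System.IO.File]::OpenRead("${hostFile}:hidden.exe")
try { Get-FileHash -InputStream $fs -Algorithm SHA256 | Select-Object Hash } finally { $fs.Close() }

# 5. Sweep a directory tree for files carrying non-default streams.
function Find-AlternateStreams {
    param([Parameter(Mandatory)][string]$Root)
    Get-ChildItem -Path $Root -Recurse -File -ErrorAction SilentlyContinue |
        ForEach-Object { Get-Item -Path $_.FullName -Stream * -ErrorAction SilentlyContinue } |
        Where-Object { $_.Stream -ne ':$DATA' } |
        Select-Object FileName, Stream, Length
}
Find-AlternateStreams -Root $env:TEMP

# 6. Remove the alternate stream; the file's own content is untouched.
Remove-Item -Path $hostFile -Stream 'hidden.exe'
Get-Item -Path $hostFile -Stream * | Select-Object Stream, Length
```

When triaging the sweep's output, expect benign hits: files downloaded by a browser carry a Zone.Identifier stream (the mark of the web), and some applications store metadata in named streams. A named stream whose content starts with an MZ header, or whose size is out of proportion to the host file, is the case worth pulling a hash for. Copying the host file to a FAT volume or a non-NTFS network share silently drops every alternate stream, which is one reason stream-hidden payloads do not survive naive "copy it to the analysis box" handling.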