Message-ID: <20060605123628.641F28B9F6@www1.email.si>
Date: Mon Jun  5 13:36:40 2006
From: exceed at email.si (/dev/null)
Subject: Multiple Vendor NTFS Data Stream Malware Stealth Technique

This is a well known issue. Anyway, I did a quick test. I used "famous" 
ncx99.exe. Here are the results:

http://www2.shrani.si/files/pic1616545.jpg
http://www2.shrani.si/files/pic2616546.jpg

Then I did another test using KAV5 Personal Pro edition. When scanned, 
ncx99.exe, included in the ads.txt Alternate Data Stream, is not detected. Anyway, 
it is detected when the ADS is executed like this: 

c:\>start c:\ads.txt:ncx99.exe

I suppose other AVs will detect a malicious ADS at execution time. Or am I wrong?

Here's another interesting fact: if the KAV5 option "Real-time file protection" is 
disabled and the ncx99.exe ADS is executed, WFP (Windows firewall) will not pop up 
any warning. The port (in this case TCP/99) will be wide open and there will 
be no entries in the exceptions list. Didn't try with other firewalls.

I don't think this could be classified as a security breach per se, but just as an 
interesting fact.

Maybe someone can test other AVs/Firewalls and post results.


-exceed

____________________
http://www.email.si/

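The test described in the message above, reproduced as an added example that is not part of the original post or of any vendor's tooling: a PowerShell script that hides a file inside an NTFS alternate data stream of a carrier text file, lists the streams the carrier now has, and sweeps a directory for any file carrying a non-default stream, which is the check a defender wants after reading the post. The carrier path, the stream name and the use of calc.exe as a benign stand-in for ncx99.exe are assumptions made for this example; the `start` command from the post is shown only in a comment, since whether it launches an executable straight from a stream depends on the Windows version.

```powershell
# Added example, not code from the original post. Requires Windows and an NTFS
# volume; PowerShell 3 or later for the -Stream parameters.
# Paths and names below are hypothetical choices for this illustration.

$Carrier = 'C:\Temp\ads.txt'                      # hypothetical carrier file
$Stream  = 'payload.exe'                          # hypothetical stream name
$Payload = "$env:SystemRoot\System32\calc.exe"    # benign stand-in for ncx99.exe

# 1. Create an innocuous-looking carrier file.
New-Item -ItemType Directory -Path (Split-Path $Carrier) -Force | Out-Null
Set-Content -Path $Carrier -Value 'nothing to see here'

# 2. Copy the payload bytes into a named stream of the carrier. The classic
#    cmd.exe redirect is used because it copies bytes verbatim on every
#    PowerShell version (Set-Content -Stream needs version-specific byte flags).
& cmd.exe /c "type `"$Payload`" > `"${Carrier}:$Stream`""

# 3. The directory listing and the file size still show only the text content;
#    the executable is only visible when streams are enumerated explicitly.
Write-Host "Visible size of carrier: $((Get-Item $Carrier).Length) bytes"
Get-Item -Path $Carrier -Stream * | Select-Object Stream, Length
# ':$DATA' is the unnamed default stream; 'payload.exe' is the hidden one.

# 4. Confirm the hidden copy is byte-for-byte the same length as the source.
$hiddenLen = (Get-Item -Path $Carrier -Stream $Stream).Length
$sourceLen = (Get-Item -Path $Payload).Length
Write-Host "Hidden stream intact: $($hiddenLen -eq $sourceLen)"

# The post's execution test, equivalent to `start c:\ads.txt:ncx99.exe`, would be:
#   cmd.exe /c "start `"`" `"${Carrier}:$Stream`""
# It is left commented out; launching from a stream is blocked on some newer
# Windows builds, and on-access AV (where enabled) inspects the image at that point.

# 5. Defender-side sweep: every file under a root that carries a stream other
#    than the default data stream. Zone.Identifier is the common benign case
#    (mark-of-the-web on downloaded files) and is reported separately.
function Find-AlternateDataStreams {
    param(
        [Parameter(Mandatory)][string]$Root,
        [switch]$IncludeZoneIdentifier
    )
    Get-ChildItem -Path $Root -File -Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            Get-Item -LiteralPath $_.FullName -Stream * -ErrorAction SilentlyContinue
        } |
        Where-Object {
            $_.Stream -ne ':$DATA' -and
            ($IncludeZoneIdentifier -or $_.Stream -ne 'Zone.Identifier')
        } |
        Select-Object FileName, Stream, Length
}

Find-AlternateDataStreams -Root (Split-Path $Carrier) | Format-Table -AutoSize

# 6. Clean up: remove only the hidden stream, leaving the carrier's text intact.
Remove-Item -Path $Carrier -Stream $Stream
```

The sweep relies on the FileSystem provider's stream support and therefore only works on NTFS (FAT and exFAT have no alternate streams, which is also why copying a file to such a volume silently drops the hidden payload). From cmd.exe, `dir /r` gives the same per-file listing on Vista and later, and Sysinternals `streams.exe` predates both. Note the post's observation about the firewall: the `Find-AlternateDataStreams` check finds the file on disk, but a process already running from a stream shows up in process listings with the `file:stream` image path, which is the other place worth looking.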