Open Source and information security mailing list archives
 
Message-ID: <B1F818320CAB42D9E3F60D6D@utd65257.utdallas.edu>
Date: Fri, 21 Aug 2009 17:37:41 +0000
From: Paul Schmehl <pauls@...allas.edu>
To: full-disclosure@...ts.grok.org.uk
Subject: Re: NTFS Alternate Data Stream

--On Friday, August 21, 2009 07:30:37 -0500 Leandro Malaquias 
<lm.net.security@...il.com> wrote:

>
> http://www.thinkdigit.com/General/Hidden-Threat-NTFS-Alternate-Data-Streams-ADS_3328.html
>

Whoever wrote this specializes in hyperbole.  ADS is not hidden.  It's 
completely accessible.  For example, you can view the ADS in Word documents 
within Word.  ADS is where some file metadata is stored.  Yes, it's not 
viewable in Windows Explorer, but if you want more transparency with ADS, you 
can add ADS to the Properties tabs of the file system and view ADS for every 
file in the GUI by using StrmExt.dll. 
http://msdn.microsoft.com/en-us/library/ms810604.aspx

Furthermore, executable content in an ADS cannot be run in some mysterious 
hidden fashion.  It is called just like any other executable and runs in memory 
just like any other executable.  Sure, you can "hide" stuff there, but it's not 
hidden when it's running.

Finally, all reputable a/v companies already scan ADS for malicious code.

-- 
Paul Schmehl (pauls@...allas.edu)
Senior Information Security Analyst
The University of Texas at Dallas
http://www.utdallas.edu/ir/security/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
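
The message above says alternate data streams are accessible rather than hidden. As an added example (not part of the original message), this PowerShell audit script lists every named stream under a directory tree and flags streams that begin with an executable header. It assumes PowerShell 3.0 or later on an NTFS volume; the `$Root` default and the helper name `Get-StreamHeader` are placeholders chosen here.

```powershell
# Added example: report named alternate data streams under a directory tree.
# Assumptions: PowerShell 3.0+ on Windows, NTFS volume; $Root is a placeholder.
param([string]$Root = 'C:\Users\Public\Documents')

function Get-StreamHeader {
    # Hypothetical helper: read the first bytes of a named stream (read-only).
    param([string]$Path, [string]$Stream, [int]$Count = 2)
    if ($PSVersionTable.PSVersion.Major -ge 6) {
        # PowerShell 6+ reads raw bytes with -AsByteStream.
        Get-Content -LiteralPath $Path -Stream $Stream -TotalCount $Count `
            -AsByteStream -ErrorAction SilentlyContinue
    } else {
        # Windows PowerShell 3.0 to 5.1 reads raw bytes with -Encoding Byte.
        Get-Content -LiteralPath $Path -Stream $Stream -TotalCount $Count `
            -Encoding Byte -ErrorAction SilentlyContinue
    }
}

Get-ChildItem -LiteralPath $Root -Recurse -File -Force -ErrorAction SilentlyContinue |
    ForEach-Object {
        $file = $_.FullName
        # Every file has the unnamed ':$DATA' stream; anything else is an ADS.
        Get-Item -LiteralPath $file -Stream * -ErrorAction SilentlyContinue |
            Where-Object { $_.Stream -ne ':$DATA' } |
            ForEach-Object {
                $head = @(Get-StreamHeader -Path $file -Stream $_.Stream)
                [pscustomobject]@{
                    File        = $file
                    Stream      = $_.Stream
                    Length      = $_.Length
                    # 'MZ' (0x4D 0x5A) marks a DOS/PE executable header.
                    LooksLikePE = ($head.Count -ge 2 -and
                                   $head[0] -eq 0x4D -and $head[1] -eq 0x5A)
                }
            }
    } |
    Sort-Object LooksLikePE, Length -Descending |
    Format-Table -AutoSize
```

Small `Zone.Identifier` streams on downloaded files are expected in the output; rows with `LooksLikePE` set to `True` are the ones to review first.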
