   Mischel Internet Security Forum
   TrojanHunter
   Frequently Asked Questions
(Moderators: Helena, Gavin_Coe, Magnus)
   Alternate Data Streams- Big Deal or Not?
   Author  Topic: Alternate Data Streams- Big Deal or Not?  (Read 2576 times)
siliconman01
Global Moderator
Alternate Data Streams- Big Deal or Not?
« on: Jan 25th, 2006, 2:40pm »

"A relatively unknown compatibility feature of NTFS, Alternate Data Streams (ADS) provides hackers with a method of hiding root kits or hacker tools on a breached system and allows them to be executed without being detected by the systems administrator."
 
The above quote is from Hidden Threat: Alternate Data Streams by Ray Zadjmool, issued 24-March-2004. The entire article can be read at http://www.windowsecurity.com/articles/Alternate_Data_Streams.html
 
This threat potential is the reason TrojanHunter tests for Alternate Data Streams (ADS) on systems that are NTFS enabled (Windows 2000, NT, XP and Vista).
 
Unfortunately, Microsoft has induced a complication for users to contend with when evaluating TrojanHunter's log output during a scan. With the issuance of Windows XP-SP2 and Vista, an Alternate Data Stream named Zone.Identifier is automatically attached to files that are downloaded from the Internet to an NTFS volume. This small ADS is used by Windows XP and Vista as security data for determining the publisher/source of the downloaded file. A further explanation of Zone.Identifier can be found at the following web site: http://www.sandersonforensics.co.uk/Files/ZoneIdentifier.pdf
 
Thus, a Windows XP-SP2 or Vista user downloading a file from the Internet and scanning it with TrojanHunter will be alerted that an ADS named Zone.Identifier is found. Through TrojanHunter, the user can view and then SAFELY remove this specific ADS without any detrimental effect on the downloaded file itself. After removing the Zone.Identifier ADS, the user will find that TrojanHunter no longer alerts that the file has an Alternate Data Stream.
 
To View and Remove an ADS found by TrojanHunter V5.0
 
1.  Wait for TrojanHunter scanner to complete the scan in progress.
 
2.  In the Scan Report window, right click on the line entry of the identified file with the Alternate Data Stream.
 
-   Select "View Alternate Data Stream" to view the ADS.  
 
-   Select "Delete Alternate Data Stream" to remove the ADS.  Confirm.
 
 
Files having Alternate Data Streams other than Zone.Identifier should be further investigated as potentially malicious. These files can be submitted via email attachments for analysis to   submit*at*misec.net (where *at* = @).    
 
NOTE:
 
1.  Another method that can be used to remove an Alternate Data Stream from a file is to copy the file to a non-NTFS volume such as a floppy disk.  Copy the file back to its original location and the ADS will be non-existent.  
 
Removal method applies to TrojanHunter V5.0
« Last Edit: Sep 10th, 2007, 5:20am by siliconman01 »

______
TrojanHunter V5.0.962...No. 1 AT in my Book and on my Box!
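The same check the post describes for TrojanHunter can be done with built-in Windows tooling. The script below is an added example and is not part of the forum post or of TrojanHunter: it walks a directory on an NTFS volume, lists every alternate data stream, reads the ZoneId out of any Zone.Identifier stream so the reader can confirm it is the ordinary download marker, and flags every other stream name for manual investigation, matching the post's advice. Removal is opt-in and only ever touches Zone.Identifier. It assumes PowerShell 3.0 or later, where `Get-Item`, `Get-Content` and `Remove-Item` support the `-Stream` parameter; the function name `Get-AdsReport` and the `Verdict` wording are this example's own choices.

```powershell
# Added example (not from the forum post or TrojanHunter).
# Enumerates alternate data streams under a path, explains Zone.Identifier,
# and flags any other stream for investigation. Needs PowerShell 3.0+ on NTFS.

function Get-AdsReport {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [switch] $RemoveZoneIdentifier   # opt-in; removes only the Zone.Identifier stream
    )

    Get-ChildItem -LiteralPath $Path -File -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
        $file = $_

        # ':$DATA' is the file's primary content; every other entry is an ADS.
        $streams = Get-Item -LiteralPath $file.FullName -Stream * -ErrorAction SilentlyContinue |
                   Where-Object { $_.Stream -ne ':$DATA' }

        foreach ($s in $streams) {
            if ($s.Stream -eq 'Zone.Identifier') {
                # Mark-of-the-Web written when a file is downloaded. Its body is an
                # INI fragment: [ZoneTransfer] followed by ZoneId=<n>, where 3 = Internet.
                $content = Get-Content -LiteralPath $file.FullName -Stream 'Zone.Identifier' -Raw -ErrorAction SilentlyContinue
                $zone = if ($content -match 'ZoneId=(\d)') { $Matches[1] } else { 'unknown' }

                [pscustomobject]@{
                    File    = $file.FullName
                    Stream  = $s.Stream
                    Bytes   = $s.Length
                    ZoneId  = $zone
                    Verdict = 'Expected: download marker (Zone.Identifier)'
                }

                if ($RemoveZoneIdentifier) {
                    # Deleting this stream leaves the file's own data untouched.
                    Remove-Item -LiteralPath $file.FullName -Stream 'Zone.Identifier'
                }
            }
            else {
                # Any other ADS is not explained by downloading and deserves a closer look.
                [pscustomobject]@{
                    File    = $file.FullName
                    Stream  = $s.Stream
                    Bytes   = $s.Length
                    ZoneId  = $null
                    Verdict = 'Investigate: unexpected alternate data stream'
                }
            }
        }
    }
}

# Report only: review the streams before deciding anything.
Get-AdsReport -Path "$env:USERPROFILE\Downloads" | Format-Table -AutoSize

# After review, strip the Zone.Identifier markers and leave all other streams in place:
# Get-AdsReport -Path "$env:USERPROFILE\Downloads" -RemoveZoneIdentifier | Format-Table -AutoSize
```

Run the report-only form first; the `Bytes` column is a quick sanity check, since a genuine Zone.Identifier stream is only a few dozen bytes while a hidden executable or tool stored as an ADS will be far larger. Files carrying streams with any other name are the ones the post says to investigate or submit for analysis.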