SecuriTeam Blogs » Disappearing Acts

Disappearing Acts

June 7th, 2006 by ido, Filed under: Insider Threat, Microsoft, Virus

Human history is marked with many years that caused people to fear from the unknown, just because it is unknown…
You may think that we have learn by now that we must know things in order to use and trust them …

Well I read a small advisory about NTFS Data Stream.

For those of you that do not know, data streams allow users to set file properties that can store any amount of data, and can be accessed only when you know the name of that stream.

When using a Data stream of NTFS , the original file size or content is not effected, so in fact, I can hide information from other users, that do not know what are the names of the file custom properties.

Yea this issue is very very old, we at SecuriTeam reported it back in 1998. So why is it, that still most AntiVirus out there do not scan these sections ?

Why I can still bypass Quota settings, and evade other users ?
While Microsoft have made a long road from not caring about security issues, to actually fix them, they still do not touch the “by design” security risks, just like when the WMF gate has merged. Now a very old issue is raising again.

So, now it’s time for us to see if Microsoft will wait for a new highly contiguous worm. or we shell see Redmond taking a nice marketing step and fix this by design issue prior to that…

http://anti-virus-rants.blogspot.com/ kurt wismer

there are actually quite a number of different types of containers (besides data streams) that anti-virus products don’t scan inside reliably or at all…

i believe the argument is that in order for malware inside such containers to run, it has to come out and then the on-access scanner will get it…

personally i’m not comfortable with the idea that detection is becoming dependent on on-access scanning – i’d prefer to be able to find these things after booting from a known-clean bootable medium…
http://BeyondSecurity.com ido

Theoretically, waiting for something to try and hurt you, instead of finding if there is something that is going to hurt you, sounds really bad idea.
If we know that a person is violent, and we know that he have a gun, would it be better to take his gun, rather then waiting in the corner and see if that person will use it and then try to prevent it ?
What will happen if that person will shot us first, who will stop him then ?
No one grantee you that the malicious code, is not going first of all hurt the programs that are going to protect us from it…
IMHO, it’s better to remove all the hidden sections from the spec and the way things are working, rather then try to figure out if something is trying to use them.
sunshine

I’m with Kurt. He knows his Anti Viruses far better than I do. It is not practical however for an end user to rely on shutting everything down.. just won’t happen.
http://anti-virus-rants.blogspot.com kurt wismer

Theoretically, waiting for something to try and hurt you, instead of finding if there is something that is going to hurt you, sounds really bad idea.

i agree, that’s why i’m not comfortable with the growing dependence on on-access scanning… better to have an on-demand scanner detect it while it’s still in the container than rely on an on-access scanner to detect it the moment it comes out… the earlier in the malware’s life-cycle that you can detect it the better…
of course that means generic behaviour based approaches are even worse as they not only wait until after the malware has started executing, they wait until it tries to do something bad (by which point the behaviour monitor may have already been shut down by the malware)…
Pingback: SecuriTeam Blogs » NTFS Streams: Rootkit In-the-WIld?

Disappearing Acts

Categories

More Securiteam

New

Comments

Admin