NTFS Streams: Rootkit In-the-Wild?

there is a discussion over at sysinternals about a rootkit found in the wild (itw). apparently, it uses ntfs streams (alternate data streams) to hide.

this issue is being “discovered” about once every 2 years, and now we can see what appears to be the first use of it in real malware (that we know of). we first reported it in 1998:
http://www.securiteam.com/windowsntfocus/3h5pqs0n5g.html

ido discussed the ntfs streams issue a few days ago:
http://blogs.securiteam.com/index.php/archives/430

you can read more about it here:
http://www.sysinternals.com/forum/forum_posts.asp?tid=6084&pn=1

gadi evron,
ge@beyondsecurity.com.
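The defender's side of this is simply enumerating the streams, since neither Explorer nor a plain `dir` shows them. The following is an added example (not from the post or the Sysinternals thread) of detection logic that parses the output of `dir /r` (available on Vista and later; each alternate stream is listed on its own line as `<name>:<stream>:$DATA` after its size) and flags every stream that is not on a small allowlist. The `dir /r` listing embedded below is constructed for the example, and the stream name `hidden_payload` is a placeholder, not the name used by any real sample.

```python
import re
from collections import defaultdict

# A stream line in `dir /r` output: optional leading spaces, the size column
# (with thousands separators), then <name>:<stream>:$DATA. Regular file and
# directory lines have no ":$DATA" suffix and therefore never match.
STREAM_RE = re.compile(r"^\s*([\d,]+)\s+(.+):([^:]+):\$DATA\s*$")

# Streams that legitimately appear on ordinary files (Zone.Identifier is the
# "downloaded from the internet" marker) and should not raise an alert.
BENIGN_STREAMS = {"Zone.Identifier"}

# Constructed sample of `dir /r` output for the example; the stream attached
# to the "drivers" directory stands in for a hidden payload and is made up.
SAMPLE_DIR_R = """\
 Volume in drive C has no label.
 Directory of C:\\Windows\\system32

06/09/2006  09:12 AM    <DIR>          drivers
                                40,960 drivers:hidden_payload:$DATA
06/09/2006  09:14 AM                26 readme.txt
                                    26 readme.txt:Zone.Identifier:$DATA
06/09/2006  09:15 AM            21,504 example.dll
               3 File(s)         21,530 bytes
"""


def parse_dir_r(output):
    """Return {entry_name: [(stream_name, size_in_bytes), ...]}.

    Only alternate streams are collected; the unnamed default $DATA stream
    of a file is shown by `dir /r` as the ordinary file line and is skipped.
    """
    streams = defaultdict(list)
    for line in output.splitlines():
        match = STREAM_RE.match(line)
        if match:
            size = int(match.group(1).replace(",", ""))
            streams[match.group(2)].append((match.group(3), size))
    return dict(streams)


def suspicious_streams(output, allowlist=BENIGN_STREAMS):
    """Return (entry_name, stream_name, size) for every non-allowlisted stream.

    Streams hung off a directory entry (as in the sample) are reported the
    same way as streams on files, since a directory can carry them too.
    """
    findings = []
    for name, entries in parse_dir_r(output).items():
        for stream, size in entries:
            if stream not in allowlist:
                findings.append((name, stream, size))
    return findings


if __name__ == "__main__":
    for name, stream, size in suspicious_streams(SAMPLE_DIR_R):
        print(f"ALERT: {name} carries alternate stream '{stream}' ({size} bytes)")
```

On a live system the same logic would be fed `dir /r /s C:\` output, or the equivalent from PowerShell's `Get-Item -Path <file> -Stream *`, which lists streams without any parsing. Whatever the source, the useful signal is not the existence of a stream but a stream outside the known-benign set, and especially one attached to a directory or to a system binary; an allowlist keeps the Zone.Identifier noise out so that the rare real finding stands out.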

  • Anonymous Coward

    http://securityresponse.symantec.com/avcenter/venc/data/backdoor.rustock.a.html

    It isn’t just an NTFS stream, but a hidden NTFS stream.

  • http://www.whiteacid.org Sid

    All NTFS streams are hidden, or so I thought. I know other virii have taken advantage of streams, but as far as I know they always remained PoC, is this the first piece of malware using streams to hide data?

    Maybe AV developers will finally start scanning these streams.

  • http://www.gmer.net gmer

    Here you have the report:
    pe386

    Does Symantec know only 50% of the truth?

  • http://www.antirootkit.com Steo

    The fact that any antivirus company would ignore any proof of concept rootkit goes to show how committed they really are.