NTFS Streams: Rootkit In-the-Wild?

There is a discussion over at Sysinternals about a rootkit found in the wild (ITW). Apparently, it uses NTFS alternate data streams to hide.

This issue gets “discovered” about once every two years, and now we can see what appears to be its first in-the-wild use (that we know of). We first reported it in 1998:

Ido discussed the NTFS streams issue a few days ago:

You can read more about it here:

Gadi Evron,
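As an added example (not from the original post or the Sysinternals thread), here is what the hiding technique under discussion looks like from the defender's side in PowerShell 3.0 or later: plant data in an alternate data stream of an ordinary file, confirm that the file's reported size does not change, then enumerate streams so the hidden one shows up. The directory, file and stream names are constructed for the demo; the `-Stream` parameter on the file cmdlets is real and requires PowerShell 3.0 or newer.

```powershell
# Added example, not code from the original post. Demonstrates hiding data in an
# NTFS alternate data stream (ADS) and the check that finds it.
# $dir, readme.txt and the stream name "payload" are constructed for the demo.

$dir     = Join-Path $env:TEMP 'ads-demo'
New-Item -ItemType Directory -Path $dir -Force | Out-Null
$carrier = Join-Path $dir 'readme.txt'
Set-Content -Path $carrier -Value 'Nothing to see here.'

# Write a second, named stream onto the same file. Explorer and a plain "dir"
# show only the unnamed ::$DATA stream, so the file looks untouched.
Set-Content -Path $carrier -Stream 'payload' -Value 'MZ... pretend this is a driver'

# The size reported for the carrier file is that of the unnamed stream only.
"Reported length: $((Get-Item $carrier).Length) bytes"

# The check: walk a tree, list every stream on every file, and report the
# ones that are not the default data stream.
function Find-AlternateStreams {
    param([string]$Path)
    Get-ChildItem -Path $Path -Recurse -File | ForEach-Object {
        Get-Item -Path $_.FullName -Stream * -ErrorAction SilentlyContinue |
            Where-Object { $_.Stream -ne ':$DATA' } |
            Select-Object FileName, Stream, Length
    }
}

"Before cleanup:"
Find-AlternateStreams -Path $dir      # lists readme.txt / payload

# Read the hidden stream back, then remove it and re-check.
Get-Content -Path $carrier -Stream 'payload'
Remove-Item -Path $carrier -Stream 'payload'

"After cleanup:"
Find-AlternateStreams -Path $dir      # nothing reported
```

On a box with an older PowerShell, `dir /r` from cmd.exe gives the same per-file stream listing. Expect the check to turn up benign `Zone.Identifier` streams on downloaded files; those are the mark-of-the-web, not a rootkit, so triage on stream name and size rather than treating every hit as malicious.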

  • Anonymous Coward


    It isn’t just an NTFS stream, but a hidden NTFS stream.

  • http://www.whiteacid.org Sid

    All NTFS streams are hidden, or so I thought. I know other virii have taken advantage of streams, but as far as I know they always remained PoC. Is this the first piece of malware using streams to hide data?

    Maybe AV developers will finally start scanning these streams.

  • http://www.gmer.net gmer

    Here you have the report:

    Does Symantec know only 50% of the truth?

  • http://www.antirootkit.com Steo

    The fact that any antivirus company would ignore any proof of concept rootkit goes to show how committed they really are.