MLUG: RE: [MLUG] Alternative Data Streams
I realize this isn't a Windows list, but this has been around for a long time (better than 10 years). A good, detailed explanation and demonstration can be found at http://www.securityfocus.com/infocus/1822


This has been a common method used in malware, root kits, droppers, etc. for many years.  Often files are hidden within alt data streams, in trash can and temp file spaces in particular.

Make a file hidden and system in trash can directories and the system won't clean it up, and it will be largely invisible.  The alt stream directory content can hide there for a long time.

Most current AV and malware engines do make an attempt to deal with alternate data streams.  

Also, the Foundstone Forensic toolkit can search for hidden and alt data stream files:

http://www.foundstone.com/index.htm?subnav=resources/navigation.htm&subcontent=/resources/overview.htm%3Ffilename%3DForensicToolkit20.zip

Sorry for the long link, just Google for "foundstone forensic toolkit"

Mike
KCØPAH

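A defender-side check for the hiding spots Mike describes, added here as an example that is not part of the original post or of the Foundstone toolkit. It assumes PowerShell 3.0 or later on an NTFS volume and looks only at the user/system temp directories and each drive's Recycle Bin, listing every stream other than the default unnamed one together with the hidden/system attributes of the carrier file:

```powershell
# Added example, not from the original post: enumerate non-default NTFS
# alternate data streams in temp and Recycle Bin locations.
# Assumes PowerShell 3.0+ (Get-Item -Stream) on an NTFS volume.
$roots = @(
    $env:TEMP,
    "$env:SystemRoot\Temp"
) + (Get-PSDrive -PSProvider FileSystem | ForEach-Object { Join-Path $_.Root '$Recycle.Bin' })
$roots = $roots | Where-Object { Test-Path -LiteralPath $_ }

$findings = foreach ($root in $roots) {
    # -Force includes hidden and system files, the attributes a dropper sets to stay out of sight
    Get-ChildItem -LiteralPath $root -Recurse -Force -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file = $_
            # Every NTFS file has the unnamed ':$DATA' stream; any other stream is an ADS
            Get-Item -LiteralPath $file.FullName -Stream * -ErrorAction SilentlyContinue |
                Where-Object { $_.Stream -ne ':$DATA' } |
                ForEach-Object {
                    [PSCustomObject]@{
                        Path       = $file.FullName
                        Stream     = $_.Stream
                        StreamSize = $_.Length
                        Hidden     = $file.Attributes.HasFlag([IO.FileAttributes]::Hidden)
                        System     = $file.Attributes.HasFlag([IO.FileAttributes]::System)
                    }
                }
        }
}

# Zone.Identifier is the benign mark-of-the-web stream most downloads carry;
# list everything else first, largest stream on top, so unexpected payloads stand out.
$findings |
    Sort-Object @{ Expression = { $_.Stream -ne 'Zone.Identifier' }; Descending = $true },
                @{ Expression = 'StreamSize'; Descending = $true } |
    Format-Table -AutoSize
```

Run it from an elevated prompt, since the Recycle Bin folders of other users and the system temp directory are otherwise not readable.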


-----Original Message-----
From: EMAIL:PROTECTED [mailto:EMAIL:PROTECTED] On Behalf Of Fallert, Adam Christian
Sent: Monday, September 11, 2006 10:03 AM
To: MLUG Members
Subject: RE: [MLUG] Alternative Data Streams

I would hope that spyware scanners, malware scanners, and other system scanners have ways to search for AltDS files and remove them if necessary.  I will have to look into this more.

--Adam

-----Original Message-----
From: EMAIL:PROTECTED [mailto:EMAIL:PROTECTED] On Behalf Of Mike Miller
Sent: Sunday, September 10, 2006 8:49 PM
To: MLUG Members
Subject: RE: [MLUG] Alternative Data Streams

On Sun, 10 Sep 2006, Mark Rupright wrote:

> http://www.irongeek.com/i.php?page=security/altds


So AltDS has been a feature of MS Windows NTFS since at least 2000 and it is also in NT, so it might even be older.  I guess if it's going to cause problems for security pros and users, it already is doing that.

Mike

_______________________________________________
members mailing list
EMAIL:PROTECTED
http://mlug.missouri.edu/mailman/listinfo/members
