Full Disclosure
mailing list archives
Re: NTFS Alternate Data Stream
From: Paul Schmehl <pauls () utdallas edu>
Date: Fri, 21 Aug 2009 17:37:41 +0000
--On Friday, August 21, 2009 07:30:37 -0500 Leandro Malaquias
<lm.net.security () gmail com> wrote:
http://www.thinkdigit.com/General/Hidden-Threat-NTFS-Alternate-Data-Streams-ADS_3328.html
Whoever wrote this specializes in hyperbole. ADS is not hidden. It's
completely accessible. For example, you can view the ADS in Word documents
within Word. ADS is where some file metadata is stored. Yes, it's not
viewable in Windows Explorer, but if you want more transparency with ADS, you
can add ADS to the Properties tabs of the file system and view ADS for every
file in the GUI by using StrmExt.dll.
http://msdn.microsoft.com/en-us/library/ms810604.aspx
Furthermore, executable content in an ADS cannot be run in some mysterious
hidden fashion. It is called just like any other executable and runs in memory
just like any other executable. Sure, you can "hide" stuff there, but it's not
hidden when it's running.
Finally, all reputable a/v companies already scan ADS for malicious code.
--
Paul Schmehl (pauls () utdallas edu)
Senior Information Security Analyst
The University of Texas at Dallas
http://www.utdallas.edu/ir/security/
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
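
An added example, not part of the original post: one way to audit a directory for named streams is to parse the output of `dir /r` (a cmd.exe switch on Windows Vista and later, not mentioned in the post) and report every stream other than the ones Windows attaches itself. The sample listing, file names and the expected-stream set are constructed assumptions.

```python
import re

# Constructed sample of `dir /r` output; file names and sizes are made up.
SAMPLE_DIR_R = r"""
 Directory of C:\samples

08/21/2009  12:31 PM                12 report.txt
                                    26 report.txt:notes.txt:$DATA
08/21/2009  12:40 PM            48,128 setup.exe
                                    26 setup.exe:Zone.Identifier:$DATA
08/21/2009  12:45 PM                 0 readme.txt
                                73,802 readme.txt:extra.exe:$DATA
               3 File(s)         48,140 bytes
"""

# A stream line is indented and reads: <size> <file>:<stream>:$DATA
STREAM_LINE = re.compile(r"^[ \t]+([\d.,]+)[ \t]+(.+?):([^:]+):\$DATA[ \t]*$")

# Assumption: streams the OS attaches itself and that are not worth reporting.
EXPECTED_STREAMS = {"zone.identifier"}


def parse_streams(dir_r_output):
    """Return (file, stream, size_in_bytes) for every named stream listed."""
    found = []
    for line in dir_r_output.splitlines():
        m = STREAM_LINE.match(line)
        if m:
            size = int(re.sub(r"\D", "", m.group(1)))  # drop thousands separators
            found.append((m.group(2), m.group(3), size))
    return found


def unexpected_streams(dir_r_output):
    """Named streams outside the expected set, largest first."""
    hits = [s for s in parse_streams(dir_r_output)
            if s[1].lower() not in EXPECTED_STREAMS]
    return sorted(hits, key=lambda s: s[2], reverse=True)


if __name__ == "__main__":
    for name, stream, size in unexpected_streams(SAMPLE_DIR_R):
        print(f"{size:>10}  {name}:{stream}")
```

On a live system the same functions can be fed the captured output of `dir /r /s` for the directory under review.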