Viruses and ADS

It is a known fact that viruses exploit streams in
Windows. With this in mind, I tried out writing a
virus file to foo.exe:test and some junk to foo.exe.
Surprisingly my Symantec antivirus that is running in
the background did not catch this. Can someone give
an explanation for this? I do not have any other antivirus
products available with me right now; does anyone know if
any antivirus s/w catches the situation where
virus-infected content is written to an ADS? Thanks.


Yahoo! for Good - Make a difference this year.
http://brand.yahoo.com/cybergivingweek2005/

Check this:
http://securityresponse.symantec.com/avcenter/venc/data/w2k.stream.html

Regards,
Satish K.S

-----Original Message-----
From: xxxxx@lists.osr.com [mailto:bounce-231499-
xxxxx@lists.osr.com] On Behalf Of Rufoo
Sent: Tuesday, December 27, 2005 2:02 PM
To: Windows System Software Devs Interest List
Subject: [ntdev] Viruses and ADS



Questions? First check the Kernel Driver FAQ at
http://www.osronline.com/article.cfm?id=256

You are currently subscribed to ntdev as: xxxxx@epiance.com
To unsubscribe send a blank email to xxxxx@lists.osr.com

Thanks for the link. This link seems to be 5 years
old, and it doesn't answer my question. If an antivirus
product can open an archive and scan the files inside
it, why cannot it scan an ADS?


Well, an anti-virus product is going to add a signature (or another, more
complex type of detection) based on a virus which they get from a client site
or from POC viruses available on some websites. They don't add it blindly just
because there is a feature in the OS.

Regards,
Satish K.S

-----Original Message-----
From: xxxxx@lists.osr.com [mailto:bounce-231505-
xxxxx@lists.osr.com] On Behalf Of Rufoo
Sent: Tuesday, December 27, 2005 3:01 PM
To: Windows System Software Devs Interest List
Subject: RE: [ntdev] Viruses and ADS


Just to clarify, the virus you tried to stick into the ADS is a known
virus that your Norton signatures recognized prior to you sticking it in
the ADS, right?

If this functionality is missing, then I figure it wasn't considered
necessary. For something nasty to end up in the ADS, an exe (which I
assume Norton would detect first) would have to put it there (I think).
I believe that if a file has its ADS infected with something, the
infection is local. Meaning, even if an infected user emails the file
(with the infected ADS) to someone else, the infection would remain local
and wouldn't be transferred. I don't think the ADS is transferred with a
file send because other FSs like FAT don't support alternate streams;
could someone correct or clarify these two issues for me?

Then again, if the infection occurred before virus defs were updated and
the ADS wasn't being checked, that would be kinda nasty because the
system wouldn't be cleaned entirely…

I hope the scenario you described isn't true…

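The experiment from the original post, and MM's question about whether the ADS travels with the file, as an added example that is not part of the thread. It assumes Windows PowerShell 5.0 or later on an NTFS volume; C:\adstest is a hypothetical scratch directory, and the payload is a placeholder string (the EICAR test string is what a practitioner would substitute to see whether a scanner reacts, instead of a real virus):

```powershell
# Added example, not code from the thread. Repeats the experiment from the
# original post with a harmless marker instead of a real virus, then checks
# what happens to the alternate stream on a copy and on a zip round-trip.
# Assumes Windows PowerShell 5.0+ (for Compress-Archive) on NTFS; the
# directory C:\adstest is a hypothetical scratch location.

$dir      = 'C:\adstest'
$hostFile = Join-Path $dir 'foo.exe'
New-Item -ItemType Directory -Path $dir -Force | Out-Null

# Default (unnamed) stream gets junk, exactly as in the original post.
Set-Content -LiteralPath $hostFile -Value 'junk in the default stream' -Encoding Ascii

# Alternate stream "test" gets the payload. Name, size and timestamps seen
# in a normal directory listing do not change. Substitute the EICAR test
# string here to find out whether your scanner looks inside streams.
Set-Content -LiteralPath $hostFile -Stream 'test' -Value 'PAYLOAD-PLACEHOLDER' -Encoding Ascii

# Plain listing: one file, and Length counts only the default stream.
Get-ChildItem -LiteralPath $hostFile | Select-Object Name, Length

# Stream listing: ':$DATA' is the default stream, 'test' is the ADS.
Get-Item -LiteralPath $hostFile -Stream * | Select-Object Stream, Length

# The same view from cmd.exe ("dir /r" lists streams on Vista and later).
cmd /c "dir /r $dir"

# Reading the ADS back is an ordinary open of "foo.exe:test".
Get-Content -LiteralPath $hostFile -Stream 'test'

# 1. Copy on the same NTFS volume: the stream listing of the copy still
#    shows the ADS, so the infection is not "local" in that case.
$copy = Join-Path $dir 'foo-copy.exe'
Copy-Item -LiteralPath $hostFile -Destination $copy -Force
(Get-Item -LiteralPath $copy -Stream *).Stream

# 2. Zip round-trip: Compress-Archive reads only the default stream, so the
#    extracted file has no ADS. This is MM's "does it transfer" case for a
#    transport that does not understand streams.
$zip = Join-Path $dir 'foo.zip'
$out = Join-Path $dir 'unzipped'
Compress-Archive -LiteralPath $hostFile -DestinationPath $zip -Force
Expand-Archive -LiteralPath $zip -DestinationPath $out -Force
(Get-Item -LiteralPath (Join-Path $out 'foo.exe') -Stream *).Stream
```

The part of MM's intuition that holds is that any hop through something without stream support drops the ADS: a FAT or exFAT volume (Explorer warns about the loss when copying there), an e-mail attachment, or an ordinary zip as above. What does not hold is that the file can never leave intact: an NTFS-to-NTFS copy, an SMB copy between NTFS shares, or an archiver that explicitly preserves streams carries it along, so a scanner that only ever opens the default stream can be handed a clean-looking file whose payload is still attached.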

— MM wrote:

> Just to clarify, the virus you tried to stick into the ADS is a known
> virus that your Norton signatures recognized prior to you sticking it in
> the ADS, right?

yes, that is right.

> If this functionality is missing, then I figure it wasn't considered
> necessary. For something nasty to end up in the ADS, an exe (which I
> assume Norton would detect first) would have to put it there (I think).
> I believe that if a file has its ADS infected with something, the
> infection is local. Meaning, even if an infected user emails the file
> (with the infected ADS) to someone else, the infection would remain local
> and wouldn't be transferred. I don't think the ADS is transferred with a
> file send because other FSs like FAT don't support alternate streams;
> could someone correct or clarify these two issues for me?
>
> Then again, if the infection occurred before virus defs were updated and
> the ADS wasn't being checked, that would be kinda nasty because the
> system wouldn't be cleaned entirely…

Why do you think this situation won't arise in real life?
What if a not-yet-detected virus does something like
CreateProcess(“foo.exe:test”) (not sure if this works, but it is surely
possible to execute an ADS).

> I hope the scenario you described isn't true…


“Why do you think this situation won't arise in real life? What if a
not-yet-detected virus” - the situation has already arisen apparently.

As I stated, “Then again, if the infection occurred before virus defs were
updated and the ADS wasn't being checked”

If a virus hasn't yet been detected or the virus defs on the computer are
outdated, for the end user the end result is the same. As I said, “I hope
the scenario you described isn't true…”

I really don't see why they wouldn't include ADS scanning; doesn't seem
like it's too hard to implement… Heck, there's a Visual Basic program here
that will search, locate, read, and display ADSs:
http://www.planetsourcecode.com/vb/scripts/ShowCode.asp?txtCodeId=47299&lngWId=1

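The stream-aware scan MM expects to be easy to implement, as an added example that is not part of the thread and not any vendor's product. It walks a directory tree, opens every stream of every file (the default stream and each named one), hashes each stream, and reports matches against a block list, plus one heuristic for an executable image hidden in a named stream. It assumes PowerShell 3.0 or later on NTFS; the root path C:\adstest, the fixture file and the "signature" hash are constructed for the demo:

```powershell
# Added example, not code from the thread and not any vendor's scanner.
# "Scan every stream, not just the default one": walk a tree, open each
# stream of each file, hash it, and report block-list hits plus one cheap
# heuristic. Assumes PowerShell 3.0+ on NTFS; the root path and the hash
# list used below are constructed for the demo.

function Get-StreamBytes {
    param([string]$Path, [string]$Stream)
    # Read one stream of a file as raw bytes. The default stream is read
    # through the plain path; a named stream goes through -Stream.
    # -Encoding Byte (Windows PowerShell) became -AsByteStream in PowerShell 6+.
    $gc = @{ LiteralPath = $Path; ReadCount = 0; ErrorAction = 'SilentlyContinue' }
    if ($Stream -and $Stream -ne ':$DATA') { $gc['Stream'] = $Stream }
    if ($PSVersionTable.PSVersion.Major -ge 6) { $gc['AsByteStream'] = $true } else { $gc['Encoding'] = 'Byte' }
    $bytes = Get-Content @gc
    if ($null -eq $bytes) { return ,[byte[]]@() }
    return ,[byte[]]$bytes
}

function Get-Sha256Hex {
    param([byte[]]$Bytes)
    $sha = [System.Security.Cryptography.SHA256]::Create()
    try { ($sha.ComputeHash($Bytes) | ForEach-Object { $_.ToString('x2') }) -join '' }
    finally { $sha.Dispose() }
}

function Find-SuspiciousStreams {
    param([string]$Root, [string[]]$KnownBad)   # KnownBad: SHA-256 hex digests
    $bad = @{}
    foreach ($h in $KnownBad) { $bad[$h.ToLowerInvariant()] = $true }

    Get-ChildItem -LiteralPath $Root -File -Recurse -Force -ErrorAction SilentlyContinue | ForEach-Object {
        $file = $_.FullName
        # One object per stream: ':$DATA' is the default stream, any other
        # name is an ADS. Downloaded files carry a small Zone.Identifier ADS;
        # it is hashed like everything else and simply does not match.
        Get-Item -LiteralPath $file -Stream * -ErrorAction SilentlyContinue | ForEach-Object {
            $name  = $_.Stream
            $bytes = Get-StreamBytes -Path $file -Stream $name
            $hash  = Get-Sha256Hex -Bytes $bytes
            $isAlt = ($name -ne ':$DATA')
            # Heuristic: a PE image ("MZ") sitting in a named stream is what an
            # executable payload parked behind a harmless-looking file looks like.
            $isPE  = ($bytes.Length -ge 2 -and $bytes[0] -eq 0x4D -and $bytes[1] -eq 0x5A)
            if ($bad.ContainsKey($hash) -or ($isAlt -and $isPE)) {
                [pscustomobject]@{
                    File   = $file
                    Stream = $name
                    Bytes  = $bytes.Length
                    Sha256 = $hash
                    Reason = if ($bad.ContainsKey($hash)) { 'known-bad hash' } else { 'PE image in alternate stream' }
                }
            }
        }
    }
}

# Constructed fixture: junk in the default stream, a marker in "test", then a
# scan that uses the marker's own hash as the only "signature".
$root = 'C:\adstest'
New-Item -ItemType Directory -Path $root -Force | Out-Null
Set-Content -LiteralPath "$root\foo.exe" -Value 'junk' -Encoding Ascii
Set-Content -LiteralPath "$root\foo.exe" -Stream 'test' -Value 'marker' -Encoding Ascii
$sig = Get-Sha256Hex -Bytes (Get-StreamBytes -Path "$root\foo.exe" -Stream 'test')
Find-SuspiciousStreams -Root $root -KnownBad @($sig) | Format-Table -AutoSize
```

The scan reports foo.exe's "test" stream and nothing for its default stream, which is exactly the case the original poster's product missed. The same loop is what an archive-aware scanner does for zip members: enumerate the containers a file can hold, open each one, and run the same signature logic over it. Nothing here depends on how the payload would later be launched, so it covers the CreateProcess("foo.exe:test") scenario raised above as well as a dropper that copies the stream out before running it.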

> Thanks for the link. This link seems to be 5 years old, and it doesn't
> answer my question. If an antivirus product can open an archive and scan
> the files inside it, why cannot it scan an ADS?

They can. AFAIK all are able to do this *now* after there was some note out
on the security-related lists which said some were not yet able at that time;
this was sometime during the last 2 years.

> If this functionality is missing, then I figure it wasn't considered
> necessary. For something nasty to end up in the ADS, an exe (which I
> assume Norton would detect first) would have to put it there (I think).
> I believe that if a file has its ADS infected with something, the
> infection is local. Meaning, even if an infected user emails the file
> (with the infected ADS) to someone else, the infection would remain local
> and wouldn't be transferred. I don't think the ADS is transferred with a
> file send because other FSs like FAT don't support alternate streams;
> could someone correct or clarify these two issues for me?

WinRAR supports ADS, too. So it would indeed be possible to get it from one
machine to another. WinRAR also supports EA.
Considering that many people are pushed by magazines to use NTFS because it
is safer, this can help to make it more "attractive" for a virus writer to
use ADS.

However, I think this discussion is a little misplaced here and should be
held on a security-related list such as the microsoft list on
security-focus.

Oliver

May the source be with you, stranger :wink:

ICQ: #281645
URL: http://assarbad.net