I did a quick test today... I updated Norton AntiVirus 2000 w/ the latest sig files, and disabled AutoProtect. I then copied 'tini.exe' (backdoor trojan from NTSecurity.nu) from a CD to c:\temp. I then scanned the directory, and Norton picked up the backdoor right away.

I then moved the trojan to an alternate data stream (ADS):

    c:\temp>type tini.exe > myfile.txt:tini.exe
    c:\temp>del tini.exe

Re-running the scan produced NO results. Yet tini.exe clearly (well, 'clearly' if you use other tools not available from Microsoft) shows up in the ADS:

    C:\tools>ads c:\temp
    Scanning directory c:\temp\
          size ADS in file
    ---------- ---------------------------------
          3072 c:\temp\myfile.txt:tini.exe

Now, considering that there are at least 5 methods of running files from within ADSs on NTFS5 (only 1 documented method on NTFS4), how does this bode for the future of incident response and forensics?

-----------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
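As an added example (not part of the original post, and not the 'ads' tool the poster used): the same check, enumerating every named NTFS stream under a directory, can now be done with Microsoft's own tooling, since PowerShell 3.0 added the -Stream parameter to the file cmdlets. The path C:\temp is taken from the post; the script, the 'benign-ish'/'REVIEW' labelling and the Zone.Identifier special case are assumptions of this example. It reports streams rather than acting on them, which is the right default during incident response.

```powershell
# Added example: list non-default alternate data streams below a directory.
# Assumes PowerShell 3.0 or later on an NTFS volume. C:\temp is the directory
# from the post; it is only a sample default.
param(
    [string]$Path = 'C:\temp'
)

# Every file has one unnamed stream that Get-Item reports as ':$DATA'.
# Anything else is a named stream. Zone.Identifier (mark-of-the-web) is the
# common benign one, so it is labelled rather than hidden, because an attacker
# could pick that name too.
$streams = Get-ChildItem -Path $Path -Recurse -File -Force -ErrorAction SilentlyContinue |
    ForEach-Object { Get-Item -LiteralPath $_.FullName -Stream * -ErrorAction SilentlyContinue } |
    Where-Object { $_.Stream -ne ':$DATA' }

foreach ($s in $streams) {
    $kind = if ($s.Stream -eq 'Zone.Identifier') { 'benign-ish' } else { 'REVIEW' }
    # Same columns as the 'ads' output in the post: size, then file:stream.
    '{0,-10} {1,8} {2}:{3}' -f $kind, $s.Length, $s.FileName, $s.Stream
}

# Follow-up cmdlets once a stream has been examined and judged unwanted
# (shown as comments so the script itself only reports):
#   Get-Content -LiteralPath 'C:\temp\myfile.txt' -Stream 'tini.exe'   # inspect
#   Remove-Item -LiteralPath 'C:\temp\myfile.txt' -Stream 'tini.exe'   # delete
```

Run it as `.\Find-Ads.ps1 -Path C:\temp` (file name assumed). On the scenario in the post it prints one REVIEW line for `c:\temp\myfile.txt:tini.exe` with length 3072. A scan that walks only the unnamed stream of each file, as the 2001 scanner did, never sees that line, which is why stream enumeration belongs in the forensic checklist alongside the AV verdict.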
This archive was generated by hypermail 2b30 : Wed Dec 05 2001 - 13:57:21 PST