copyright | disclaimer | privacy | contact  
Australia's Leading Computer Emergency Response Team
 
Search this site

 
On this site

 > HOME
 > About AusCERT
 > Membership
 > Contact Us
 > PKI Services
 > Publications
 > Sec. Bulletins
 > Conferences
 > News & Media
 > Services
 > Web Log
 > Site Map
 > Site Help
 > Member login





 

Malware utilising Alternate Data Streams?

Date: 21 August 2007

Click here for printable version

Hi Members,

We just wanted to let you know of something we've seen recently that is a little out of the ordinary.

We came across a binary hosted on a malicious website, with the following attributes:

MD5: 739471452ff55649e4dbf2f79bd003d9
SHA1: 09caa0bf8f74964329995d08f65fab137a5674dc
Size: 58880 Bytes
Packer: UPX (standard)

Detection was as follows:

AhnLab-V3 2007.8.9.1 2007.08.09 -
AntiVir 7.4.0.57 2007.08.08 TR/Obfuscated.GP.41
Authentium 4.93.8 2007.08.08 -
Avast 4.7.1029.0 2007.08.08 -
AVG 7.5.0.476 2007.08.08 -
BitDefender 7.2 2007.08.09 -
CAT-QuickHeal 9.00 2007.08.08 -
ClamAV 0.91 2007.08.09 -
DrWeb 4.33 2007.08.09 -
eSafe 7.0.15.0 2007.07.31 suspicious Trojan/Worm
eTrust-Vet 31.1.5043 2007.08.08 -
Ewido 4.0 2007.08.08 -
FileAdvisor 1 2007.08.09 -
Fortinet 2.91.0.0 2007.08.09 W32/Agent.BSE!tr
F-Prot 4.3.2.48 2007.08.08 -
F-Secure 6.70.13030.0 2007.08.09 Trojan.Win32.Obfuscated.gp
Ikarus T3.1.1.12 2007.08.08 Trojan.Win32.Agent.alt
Kaspersky 4.0.2.24 2007.08.09 Trojan.Win32.Obfuscated.gp
McAfee 5093 2007.08.08 -
Microsoft 1.2704 2007.08.09 -
NOD32v2 2445 2007.08.08 -
Norman 5.80.02 2007.08.08 -
Panda 9.0.0.4 2007.08.08 -
Prevx1 V2 2007.08.09 -
Rising 19.35.30.00 2007.08.09 -
Sophos 4.19.0 2007.08.01 -
Sunbelt 2.2.907.0 2007.08.09 -
Symantec 10 2007.08.09 -
TheHacker 6.1.7.165 2007.08.09 -
VBA32 3.12.2.2 2007.08.09 -
VirusBuster 4.3.26:9 2007.08.08 -
Webwasher-Gateway 6.0.1 2007.08.09 Trojan.Obfuscated.GP.41
Malware detected by 7 vendors out of 32 - 21.875% detection rate.

So, the interesting bit then: This malware makes use of a little known feature of NTFS called Alternate Data Streams, or to those that use Macs: resource forks.

NOTE: This bit is intended for people that DON'T know what an ADS is, and how it works:

See http://support.microsoft.com/kb/105763 for a code example.

Essentially, you can attach any file to any other file, and make that file (and the storage it consumes) effectively invisible.

Visually it looks like this (given a file called test.txt):


Default-Stream


   ::$Data (What explorer shows)

NamedStream0


   test.txt:malware.exe

NamedStream1


   test.txt:malware.dll

There are no built in windows tools that allow you to view ADS attached to files. If you know the name of the stream, you can access it via a command prompt (as shown in the above kb article).

Oh and if you attach a 500MB file to a 1k file, explorer will still show the file size as 1k. Nice.

Note that the presence of an additional streams in a file do not necessarily indicate the presence of malware, they DO have legit uses:

  • Zone information - IE attaches zone information to files to identify where they were downloaded from (you can use software restriction policies to prevent execution of files downloaded from specific zones)
  • The "Summary" section of a file properties dialog box may contain information stored in ADS.

Several third party tools are available for viewing file streams:

lads.exe (Frank Heyne)
streams.exe (Sysinternals)
gmer.exe (gmer)

Might be time to add one or more of these to the kits ladies and gents.

Anyway, I thought the whole thing was worth a mention. So I did.

We'd love to hear your thoughts, or similar experiences.

MacLeonard