Re: Glad we did not add NTFS stream support

From: Jesse Pollard (pollard@cats-chateau.net)
Date: Wed Sep 06 2000 - 21:36:12 EST


On Wed, 06 Sep 2000, Trevor Harrison wrote:
>Don't be a dim-wit. The only reason it's a problem on NT is that MS decided to
>not allow users to browse the other data streams (or forks, or whatever you
>want to call them) in Explorer.
>
>Actually, this type of virus is probably easier to find and clean because it's
>isolated itself in a nice little package that you can nuke at via the file
>system.

Ummm maybe. A SANS newsletter indicated that none of the current virus scanners
even look at the other data streams (yet). Determining if the default stream
is actually infected could be problematical too - consider that the signature
of the virus might be a VERY short piece of code that looks just like other
pieces that do legitimate functions (like start another process...). This could
give many false positives, making a scan nearly useless.

This also gives rise to the possibility of hiding a virus via a chain of
block reads, where each block is read over the previous block, but offset
by a few 10s of bytes. After 20 blocks are read the complete virus exists.
The virus signature is scattered across many blocks and is not contiguous
for a virus scanner. If the data is loaded from several different streams
(interleaved, of course) it would be even harder to locate. Yet the virus
signature is still missing since reading blocks of data is a fairly normal
thing to do.

Nasty little bugger.

The current NT utilities also have a problem in that a stream could consume
the entire disk, but not be visible to the standard utilities - they don't
list file size of any but the default stream.

On an interesting note: one of the suggested fixes involved copying the
infected file to a "non windows system such as Linux..." (paraphrased.. not
real quote) and then copying it back without the alternate stream(s).

-- 
-------------------------------------------------------------------------
Jesse I Pollard, II
Email: pollard@cats-chateau.net

Any opinions expressed are solely my own.
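An added, defender-side illustration of the point about stream sizes (this is not code from the original mail or thread): a PowerShell snippet that walks a directory, lists every named stream per file with its size, and sums the bytes that a plain directory listing omits. The function name `Find-AlternateStreams` and the temporary-directory demo are my own; it assumes an NTFS volume and PowerShell 3.0 or later (the `-Stream` parameter).

```powershell
# Added example (not part of the original mail): enumerate NTFS alternate data
# streams under a directory and report their sizes, which Explorer and `dir`
# do not show. Assumes NTFS and PowerShell 3.0+ for the -Stream parameter.
function Find-AlternateStreams {
    param(
        [Parameter(Mandatory)] [string] $Path
    )
    Get-ChildItem -LiteralPath $Path -Recurse -File -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file = $_
            # -Stream * lists every stream; ':$DATA' is the unnamed default stream.
            Get-Item -LiteralPath $file.FullName -Stream * -ErrorAction SilentlyContinue |
                Where-Object { $_.Stream -ne ':$DATA' } |
                ForEach-Object {
                    [pscustomobject]@{
                        File         = $file.FullName
                        Stream       = $_.Stream
                        StreamBytes  = $_.Length
                        DefaultBytes = $file.Length   # the only size dir/Explorer report
                    }
                }
        }
}

# Constructed demonstration in a throwaway directory (hypothetical sample data).
$dir = Join-Path $env:TEMP ('ads-demo-' + [guid]::NewGuid())
New-Item -ItemType Directory -Path $dir | Out-Null
$sample = Join-Path $dir 'report.txt'
Set-Content -LiteralPath $sample -Value 'visible content'
# Write a named stream; a normal listing still shows only the default stream's length.
Set-Content -LiteralPath $sample -Stream 'extra.bin' -Value ('A' * 4096)

$hits = Find-AlternateStreams -Path $dir
$hits | Format-Table -AutoSize
# Total bytes sitting in named streams across the tree:
'{0} byte(s) in named streams' -f (($hits | Measure-Object -Property StreamBytes -Sum).Sum)

Remove-Item -LiteralPath $dir -Recurse -Force
```

Expect legitimate named streams in real trees (for example the `Zone.Identifier` stream Windows attaches to downloaded files), so treat the listing as an inventory to review rather than a verdict, in line with the false-positive concern raised above.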



This archive was generated by hypermail 2b29 : Thu Sep 07 2000 - 21:00:28 EST