--On Friday, August 21, 2009 07:30:37 -0500 Leandro Malaquias <[email protected]> wrote:
> > http://www.thinkdigit.com/General/Hidden-Threat-NTFS-Alternate-Data-Streams-A > DS_3328.html > Whoever wrote this specializes in hyperbole. ADS is not hidden. It's completely accessible. For example, you can view the ADS in Word documents within Word. ADS is where some file metadata is stored. Yes, it's not viewable in Windows Explorer, but if you want more transparency with ADS, you can add ADS to the Properties tabs of the file system and view ADS for every file in the GUI by using StrmExt.dll. http://msdn.microsoft.com/en-us/library/ms810604.aspx Furthermore, executable content in an ADS cannot be run in some mysterious hidden fashion. It is called just like any other executable and runs in memory just like any other executable. Sure, you can "hide" stuff there, but it's not hidden when it's running. Finally, all reputable a/v companies already scan ADS for malicious code. -- Paul Schmehl ([email protected]) Senior Information Security Analyst The University of Texas at Dallas http://www.utdallas.edu/ir/security/ _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
