Spyware using Alternate Data Streams?

Hi all,

I ran across a couple of interesting problems recently while cleaning a spyware-laden box for a friend (450 MHz AMD, XP Home SP2, 20GB Hard drive set up as one big NTFS partition).

Virus Encyclopedias tell me that trojan-downloaders may infect the restore points, which are located here:

C:\System Volume Information\_restore{alphanumericstring-that-looks-like-CLSIDkey}\rp123\somefile.ext (with copies of registry files in child dirs for each restore point).

After I deleted the spyware from Windows and the restore points, I ran Kaspersky online scan (it uses ActiveX). Kaspersky was able to look at a few of these files, but mostly it said the files were locked (in use), so they were skipped.

Here's the interesting part: I thought Kaspersky saw the 'registry-like' name of the parent directory and refused to look in there because of that. But when I use Linux to copy the DLL files (some .SAM files, other extensions) to another location, say, C:\badstuff\*.* (NOT in WINDOWS or child dirs of WINDOWS), Kaspersky's online scan STILL says the files are locked. Why? The original infector is gone, so the files aren't hidden, and no secret process or cloaking scheme can hide suspicious activity (or the infected file) from Windows or anti-malware tools. Perhaps NTFS attributes told Kaspersky not to look at the files? Why did this happen?

FIRST QUESTION: Any ideas why Windows always says the files are locked? (With a Linux browser, I can submit them to the testing sites Virus Total or Jotti's virus Meta-submitter, one file at a time, with no problem. That's how I know the restore points were, in fact, completely compromised and infected.)

SECOND question: Here is an excerpt from the Kaspersky report (I saved a copy):

C:\System Volume Information\_restore{C42B6269-ABC7-4A34-A58A-AEA45D9A53E4}\RP246\A0305307.exe\stream\data0002\data0002 Infected: Trojan-Downloader.Win32.PurityScan.eh skipped

C:\System Volume Information\_restore{C42B6269-ABC7-4A34-A58A-AEA45D9A53E4}\RP246\A0305307.exe\stream\data0002 Infected:Trojan-Downloader.Win32.PurityScan.eh skipped

C:\System Volume Information\_restore{C42B6269-ABC7-4A34-A58A-AEA45D9A53E4}\RP246\A0305307.exe\stream\data0004 Infected: not-a-virus:Adware.Win32.Mostofate.u skipped

C:\System Volume Information\_restore{C42B6269-ABC7-4A34-A58A-AEA45D9A53E4}\RP246\A0305307.exe\stream Infected: not-a-virus:Adware.Win32.Mostofate.u skipped

C:\System Volume Information\_restore{C42B6269-ABC7-4A34-A58A-AEA45D9A53E4}\RP246\A0305307.exe NSIS: Infected - 4 skipped

I have read that spyware is starting to use alternate data streams to conceal and spread. Is that what is happening here? I thought "simple" trojan downloaders wouldn't use such 'sophisticated' measures. Googling "Alternate Data Streams" tells me to use a colon with certain commands to insert text files, executables, etc. into an ADS. After they're inserted (and if these streams are in use here), could they be thought of as being in the same "directory tree" as the files they're associated with? That seems to be what the Kaspersky report is saying.

Any thoughts on these two matters?

Thanks in advance,

Edited by saturndude


I have read that spyware is starting to use alternate data streams to conceal and spread. Is that what is happening here?

It seems like it, if I had to guess. The files are always locked because the ADSes are probably in current use on the system.

I thought "simple" trojan downloaders wouldn't use such 'sophisticated' measures. Googling "Alternate Data Streams" tells me to use a colon with certain commands to insert text files, executables, etc. into an ADS.

It's not exactly sophisticated, as I'm sure you've seen. ADS is a feature of all NTFS-based drives, and you've seen how easy it is to both insert and read these data streams. As you will see, it's not a very much used feature (IE will use it to put icon files into the link files, and Windows will use it for a couple of other inane things).

Just because it isn't used doesn't mean it's not useful to someone. And human nature always is this: If something can be used for a beneficial purpose, it can also be used for a nefarious one. Of course this isn't as messed up as the day of the Word VBScript viruses (and Microsoft's vehement denials that it could ever be used for that purpose), but it's still bad. Obscurity of this knowledge is what the virus/malware writers are counting on, but it will be a matter of time before all the scanners are looking for this kind of data and people know about the feature, making it useless to them.

After they're inserted (and if these streams are in use here), could they be thought of as being in the same "directory tree" as the files they're associated with? That seems to be what the Kaspersky report is saying.

Yes. The ADS is associated with the file in question. The major problem, though, is that you wouldn't know any different through regular programs such as Windows Explorer, etc. You could have a 1K text file with a 10MB zip file in ADS, and you wouldn't be any the wiser (Explorer would show 1K text file).

Hide sensitive files with ADSes explains all the how-tos regarding the issue.

Use ADSSpy to scan your drive for ADSes and kill them.

Edited by Glenn9999

This is also why most virus removal instructions include disabling system restore for the duration of the cleaning - these files can contain the virulent data in their ADS, and you won't be able to clean them easily.


ADSSpy is excellent; I use it a lot.

ADS streams are noticeable by a ':' in the path after the normal file.

C:\normal.txt:adsfile.txt

I don't think you have this. The ':' is simply the one after "Infected". Besides, Windows and other programs legitimately use ADS streams to store metadata about the file.

I think what you have is simply the viruses hiding in the restore points. If Kaspersky had been scanning inside a zip file the path may have been: file.zip\virus.vrs

If the virus had been in the ADS of the zip file, the path might have been: file.zip:virus.vrs

In your case, if you simply put a new line before every "Infected:" Kaspersky states, it becomes a lot easier to read:

C:\System Volume Information\_restore{C42B6269-ABC7-4A34-A58A-AEA45D9A53E4}\RP246\A0305307.exe\stream

Infected: not-a-virus:Adware.Win32.Mostofate.u skipped

Like zip files, EXEs can contain other files, so that is why they can have the '\' after them in the path.

System Volume Information is not usually accessible in Windows with default settings, but it is there and does contain folders like that.

My vote, like cluberti's, would simply be that you have to disable System Restore to delete the restore points, to kill the viruses that are hiding in them. You can enable it again once you are sure you have a clean system.

Best Wishes,

Matt

Glenn9999:

The ADS is associated with the file in question. The major problem, though, is that you wouldn't know any different through regular programs such as Windows Explorer, etc. You could have a 1K text file with a 10MB zip file in ADS, and you wouldn't be any the wiser (Explorer would show 1K text file).

Yeah. That's spot on. Without ADSSpy, can you imagine the difficulty in removing thousands of random-name 1MB ADS files from the root directory or Windows folder? Especially with no 'apparent' free space to work with a GUI. I've been there, wasn't fun at all.

Edited by MattyUSA
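Matt's reading of the report (a '\' after an EXE means "unpacked from inside that file", while a ':' after the drive letter would mean an alternate data stream, the form Glenn describes), worked through as an added example that is not code from the thread, from Kaspersky or from ADSSpy. It parses a constructed report made of the lines quoted above plus one hypothetical "file:stream" line; the stream name adsfile.txt, the "Infected:"/"NSIS:" line layout and the extension heuristic for spotting the real on-disk file are assumptions.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: three lines quoted from the Kaspersky report in the thread plus one
# hypothetical line in the "file:stream" form an ADS hit takes (stream name is an assumption).
SAMPLE_REPORT = r"""
C:\System Volume Information\_restore{C42B6269-ABC7-4A34-A58A-AEA45D9A53E4}\RP246\A0305307.exe\stream\data0002\data0002 Infected: Trojan-Downloader.Win32.PurityScan.eh skipped
C:\System Volume Information\_restore{C42B6269-ABC7-4A34-A58A-AEA45D9A53E4}\RP246\A0305307.exe\stream\data0004 Infected: not-a-virus:Adware.Win32.Mostofate.u skipped
C:\System Volume Information\_restore{C42B6269-ABC7-4A34-A58A-AEA45D9A53E4}\RP246\A0305307.exe NSIS: Infected - 4 skipped
C:\normal.txt:adsfile.txt Infected: Trojan-Downloader.Win32.PurityScan.eh skipped
"""

# Path runs up to the first " Infected:"/" NSIS:" token; verdicts contain ':' too, so never split on ':'.
LINE_RE = re.compile(r"^(?P<path>.+?)\s+(?P<verdict>(?:Infected|NSIS)\s*:.*?)\s+(?P<status>\S+)$")
# "X:\path[:stream[:$DATA]]": a colon after the drive letter is what marks an ADS.
ADS_RE = re.compile(r"^(?P<fs>[A-Za-z]:\\[^:]*)(?::(?P<ads>[^:\\]+))?(?::\$[A-Za-z]+)?$")
FILE_LIKE_RE = re.compile(r"\.[A-Za-z0-9]{1,4}$")  # heuristic: "name.ext" is a file, not a dir
RP_RE = re.compile(r"_restore\{[^}]+\}\\(RP\d+)")

@dataclass
class Hit:
    path: str
    verdict: str
    file: str                     # the on-disk file the scanner actually opened
    inner: List[str]              # members unpacked from inside it (archive/NSIS installer)
    ads: Optional[str]            # alternate data stream name, or None
    restore_point: Optional[str]  # RPnnn folder under _restore{...}, or None
    kind: str                     # "ads", "container" or "plain"

def classify_path(path: str):
    m = ADS_RE.match(path)
    if not m:
        raise ValueError(f"unrecognised path: {path}")
    segs = m.group("fs").split("\\")
    # The first file-looking segment is the real file; later '\' segments are nested inside it.
    idx = next((i for i, s in enumerate(segs) if i and FILE_LIKE_RE.search(s)), len(segs) - 1)
    rp = RP_RE.search(m.group("fs"))
    return segs[idx], segs[idx + 1:], m.group("ads"), (rp.group(1) if rp else None)

def parse_report(text: str) -> List[Hit]:
    hits = []
    for line in text.strip().splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # tolerate banner/summary lines
        file, inner, ads, rp = classify_path(m.group("path"))
        kind = "ads" if ads else ("container" if inner else "plain")
        hits.append(Hit(m.group("path"), m.group("verdict"), file, inner, ads, rp, kind))
    return hits
```

Every hit from the quoted report comes back as "container" or "plain" under RP246, i.e. ordinary files inside the restore point; only a "file:stream" path would classify as "ads".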