[plug] [OT] Security problems with NTFS

Chris Caston caston at arach.net.au
Thu Oct 23 19:48:31 WST 2003


And it's already been done:

http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=PE_DUMARU.A&VSect=T

On Thu, 2003-10-23 at 19:43, Chris Caston wrote:
> I saw a mate of mine playing around with this "feature" several months
> ago. It's interesting but I couldn't for the life of me think of a
> practical application. Perhaps one could use it to hide executable code
> on a compromised system, but you would still need some level of access to
> execute it again.
> 
> Or possibly someone could write a virus that hides most of itself in an
> alternative data stream. That one is probably more likely.
> 
> regards,
> 
> Chris Caston
> 
> On Thu, 2003-10-23 at 19:26, Stephen Boak wrote:
> > This may be old hat to those of you who follow security closely, but
> > it came as a surprise to me so I will pass it on.  Even if it does not
> > affect you personally, I expect some of you manage corporate users
> > with NTFS filesystems who like their security to actually work :)
> > 
> > http://www.seifried.org/security/advisories/kssa-003.html
> > 
> > <quote>
> > 
> > In the NTFS file system a facility exists to bind additional data to
> > a file or directory, called an alternate data stream [url1][url2].
> > These alternate data streams cannot be removed, unless the parent
> > file or directory is destroyed. Unfortunately most file wiping
> > utilities only deal with the primary data stream and do not wipe the
> > alternate data streams, thus leaving data intact.
> > 
> > </quote>
> > 
> > I know this is OT on this list, but they do mention using Linux to
> > search the affected drive to demonstrate the problem :)
> > 
> > Steve
> > 
> 

_______________________________________________
plug mailing list
plug at plug.linux.org.au
http://mail.plug.linux.org.au/cgi-bin/mailman/listinfo/plug
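The quoted advisory says most wiping tools only touch the primary stream, and that Linux was used to search the affected drive for what was left behind. As an added example (not code from this thread, the advisory, or ntfs-3g), here is a Python audit for that check: it walks a volume mounted with ntfs-3g, which by default (streams_interface=xattr) exposes each named stream as a `user.<stream>` extended attribute, and reports every non-empty alternate stream on files and directories; the mount point, file names and stream names in the comments are assumed.

```python
"""Audit NTFS alternate data streams on an ntfs-3g mount via extended attributes."""
import errno
import os
import sys
from dataclasses import dataclass
from typing import Iterable, List

# ntfs-3g (streams_interface=xattr, its default) maps stream "foo" of a file
# to the extended attribute "user.foo" on the same path.
XATTR_PREFIX = "user."


@dataclass
class Stream:
    path: str
    name: str   # "" for the primary (unnamed) $DATA stream
    size: int


def stream_names(xattr_names: Iterable[str]) -> List[str]:
    """Turn ntfs-3g xattr names into stream names; other namespaces (security., system.) are not streams."""
    return [n[len(XATTR_PREFIX):] for n in xattr_names if n.startswith(XATTR_PREFIX)]


def list_streams(path: str) -> List[Stream]:
    """Primary stream plus every alternate stream of one file or directory."""
    streams = [Stream(path, "", os.stat(path, follow_symlinks=False).st_size)]
    try:
        names = os.listxattr(path, follow_symlinks=False)
    except OSError as e:
        if e.errno in (errno.ENOTSUP, errno.EOPNOTSUPP):
            return streams  # filesystem has no xattr support: nothing hidden there
        raise
    for ads in stream_names(names):
        size = len(os.getxattr(path, XATTR_PREFIX + ads, follow_symlinks=False))
        streams.append(Stream(path, ads, size))
    return streams


def find_hidden_streams(root: str) -> List[Stream]:
    """Every non-empty alternate stream under root: the data a primary-stream-only wipe leaves intact.
    On a non-NTFS volume, ordinary user.* xattrs show up here too, so run it on the ntfs-3g mount."""
    hidden: List[Stream] = []
    for dirpath, dirnames, filenames in os.walk(root):
        for entry in dirnames + filenames:  # directories can carry streams as well
            hidden.extend(s for s in list_streams(os.path.join(dirpath, entry))
                          if s.name and s.size > 0)
    return hidden


if __name__ == "__main__":
    # Assumed usage: python ads_audit.py /mnt/ntfs  (an ntfs-3g mount point)
    for s in find_hidden_streams(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{s.path}:{s.name}  {s.size} bytes")
```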
