Thursday, April 1, 2010

Who do you trust to find your ADS?


What are ADS, or Alternate Data Streams?

Alternate data streams are an NTFS feature that allows more than one data stream to be associated with a file name, addressed in the form "filename:streamname" (e.g., "text.txt:extrastream"). Directories can carry streams as well. Alternate streams are not listed in Windows Explorer or by a plain "dir", and their size is not included in the file's reported size ("dir /r", available since Windows Vista, does list them). Only the main stream of a file is preserved when it is copied to a FAT-formatted USB drive, attached to an e-mail, or uploaded to a website, so using alternate streams for critical data may cause problems.



Why should you care about ADS?

One reason you should care is that even though this feature has been around for quite some time, it is still effective when used by a piece of malware. The ability to hide behind a known system file without changing that file's reported size can be very deceiving.



Another important reason, as stated by http://www.rootkitanalytics.com/, is that due to this hidden nature of ADS, hackers have been exploiting this method to secretly store their rootkit components on the compromised system without being detected. For example, the infamous rootkit named 'Mailbot.AZ', aka 'Backdoor.Rustock.A', hid its driver file in the system32 folder (C:\Windows\system32) as a stream named '18467'.


Below is a brief illustration of what this looks like:




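As an added example that is not part of the original post, here is how to create, hide, find and read streams yourself in PowerShell (3.0 or later) on an NTFS volume. The folder, file and stream names are made up for the demo; calc.exe is used only as a convenient binary to hide.

```powershell
# Added example, not from the original post: create, hide, find and read NTFS
# alternate data streams in PowerShell 3.0 or later on an NTFS volume.
# Every path and stream name below is made up for the demo.

$work    = Join-Path $env:TEMP 'ads-demo'
$carrier = Join-Path $work 'notes.txt'
New-Item -ItemType Directory -Path $work -Force | Out-Null
Set-Content -Path $carrier -Value 'Nothing to see here.'

# 1. Attach a hidden text stream. The file is still notes.txt; the stream is
#    addressed as notes.txt:secret.
Set-Content -Path $carrier -Stream 'secret' -Value 'Hidden configuration data'

# 2. Attach a whole executable the classic way, with cmd.exe redirection.
#    The ":payload.exe" suffix names a stream on notes.txt, not a new file.
cmd /c "type `"$env:SystemRoot\System32\calc.exe`" > `"${carrier}:payload.exe`""

# 3. Explorer, plain dir and Get-ChildItem only report the main stream, so the
#    file still looks like a 20-odd byte text file.
(Get-Item -Path $carrier).Length

# 4. Directories can carry streams too; this mirrors Rustock's system32:18467
#    placement (the content and name here are arbitrary).
cmd /c "echo not-really-a-driver > `"${work}:18467`""

# 5. Finding them: dir /r (Windows Vista and later) lists every stream on files
#    and directories; Get-Item -Stream * does the same for a single item.
cmd /c "dir /r `"$work`""
Get-Item -Path $carrier -Stream * | Select-Object Stream, Length

# 6. Read a stream back by name.
Get-Content -Path $carrier -Stream 'secret'

# 7. Remove individual streams without touching the visible data, then clean up.
Remove-Item -Path $carrier -Stream 'payload.exe'
Remove-Item -Path $carrier -Stream 'secret'
Remove-Item -Path $work -Recurse -Force
```

Step 3 is the whole point: the carrier's reported size does not change no matter how much is attached, which is why neither a quick look in Explorer nor a plain directory listing will show anything wrong. Note the ${carrier}: form in the cmd lines; without the braces PowerShell would parse "$carrier:payload.exe" as a variable in a drive called "carrier".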
Now, before you start worrying, there is hope on the horizon thanks to tools like StreamArmor.


What is StreamArmor, you might ask?


Its developer describes it as follows: StreamArmor is a sophisticated tool for discovering hidden alternate data streams (ADS) as well as cleaning them completely from the system. Its advanced auto-analysis, coupled with an online threat-verification mechanism, makes it the best tool available in the market for eradicating the evil streams. StreamArmor comes with a fast multi-threaded ADS scanner which can recursively scan the entire system and quickly uncover all hidden streams. All discovered streams are shown with a specific colour pattern based on threat level, which makes it easy for the human eye to distinguish between suspicious and normal streams.


Or, as I prefer to call it, the first step in the right direction... Don't get me wrong, there are other great tools out there, like Streams from Microsoft or Gmer, but after using StreamArmor recently I don't see how I could go back to those tools.


I decided to see how StreamArmor would perform when compared to two of its competitors (Streams and Gmer). I created several ADS samples and split them up into two folders on my C drive, then scanned both folders with each program twice.


My sample streams included the following:
  • 12 streams in total
  • I placed various files (exe, png, and avi) behind a few .txt, .doc, .bmp and .pub documents.
  • I then encrypted one of those files and zipped two of them (one with Windows 7's built-in compression and the other with WinRAR).

Microsoft Streams results: 9 out of 12

Gmer scan results: 5 out of 12

StreamArmor results: 9 out of 12

                                              
In the end both StreamArmor and MS Streams found 9 out of 12; none of them found the ADS that were zipped or the one that was encrypted (not that I expected the encrypted file to be discovered). At this point I am as confident as when I started writing this post: StreamArmor is my preferred choice. It can export great reports, it is easy to run customized scans, and overall the results are not difficult to interpret.
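If you want to reproduce a comparison like the one above, or simply hunt for streams without a third-party tool, the following added example (my own code, not StreamArmor's, Sysinternals Streams' or Gmer's) is a small recursive ADS scanner in PowerShell 3.0+. It walks a tree, lists every named stream on files and directories, skips the benign Zone.Identifier mark-of-the-web unless asked, and sniffs the first bytes of each stream for well-known magic numbers (the exe, png and avi types hidden in the samples above, plus zip and ELF). The function names, the signature table and the C:\ads-test path are this example's own assumptions.

```powershell
# Added example, not code from StreamArmor, Sysinternals Streams or Gmer: a
# small recursive ADS hunter (PowerShell 3.0+, NTFS). Function names and the
# signature table are this example's own choices.

function Read-StreamHead {
    # First $Count bytes of $File:$Stream as a byte array (empty on failure).
    # -Encoding Byte was replaced by -AsByteStream in PowerShell 6.
    param([string]$File, [string]$Stream, [int]$Count = 8)
    try {
        if ($PSVersionTable.PSVersion.Major -ge 6) {
            [byte[]](Get-Content -LiteralPath $File -Stream $Stream -AsByteStream -TotalCount $Count)
        } else {
            [byte[]](Get-Content -LiteralPath $File -Stream $Stream -Encoding Byte -TotalCount $Count)
        }
    } catch { [byte[]]@() }
}

function Get-MagicType {
    # Match the leading bytes against a few signatures a scanner should flag.
    param([byte[]]$Head)
    $signatures = @(
        @{ Bytes = [byte[]](0x4D,0x5A);           Type = 'PE executable (exe/dll/sys)' },
        @{ Bytes = [byte[]](0x89,0x50,0x4E,0x47); Type = 'PNG image' },
        @{ Bytes = [byte[]](0x52,0x49,0x46,0x46); Type = 'RIFF container (avi/wav)' },
        @{ Bytes = [byte[]](0x50,0x4B,0x03,0x04); Type = 'ZIP archive' },
        @{ Bytes = [byte[]](0x7F,0x45,0x4C,0x46); Type = 'ELF executable' }
    )
    foreach ($sig in $signatures) {
        if ($Head.Length -lt $sig.Bytes.Length) { continue }
        $match = $true
        for ($i = 0; $i -lt $sig.Bytes.Length; $i++) {
            if ($Head[$i] -ne $sig.Bytes[$i]) { $match = $false; break }
        }
        if ($match) { return $sig.Type }
    }
    'unknown'
}

function Find-AlternateDataStream {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string]$Path,
        [switch]$IncludeZoneIdentifier
    )
    # Directories carry streams too (Rustock's system32:18467), so include the
    # root itself and every file and folder beneath it, hidden ones included.
    $items = @(Get-Item -LiteralPath $Path) +
             @(Get-ChildItem -LiteralPath $Path -Recurse -Force -ErrorAction SilentlyContinue)
    foreach ($item in $items) {
        $streams = Get-Item -LiteralPath $item.FullName -Stream * -ErrorAction SilentlyContinue
        foreach ($s in $streams) {
            if ($s.Stream -eq ':$DATA') { continue }          # the visible main stream
            if ($s.Stream -eq 'Zone.Identifier' -and -not $IncludeZoneIdentifier) { continue }
            $head = Read-StreamHead -File $item.FullName -Stream $s.Stream
            [pscustomobject]@{
                Path   = $item.FullName
                Stream = $s.Stream
                Bytes  = $s.Length
                Looks  = Get-MagicType -Head $head
            }
        }
    }
}

# Usage: scan the sample folder and look at anything flagged as executable first.
Find-AlternateDataStream -Path 'C:\ads-test' |
    Sort-Object Looks | Format-Table -AutoSize
```

To compare against Sysinternals Streams on the same folder, run "streams.exe -s C:\ads-test" (-s recurses into subdirectories). Two caveats when reading scores like the ones above: tools differ in what they count (Zone.Identifier streams, for instance, are everywhere on a machine that has downloaded files, which is why this example hides them by default), and an alternate stream does not survive being archived. The Windows Compressed Folders feature stores only the main stream, and WinRAR only keeps streams if its "Save file streams" option is switched on, so a carrier that has been zipped has nothing left inside the archive for any scanner to find.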
                                                
For further reading and examples, visit the links below:

http://www.auscert.org.au/render.html?it=7967 


http://www.irongeek.com/i.php?page=security/altds


http://technet.microsoft.com/en-us/sysinternals/bb897440.aspx

http://www.gmer.net/

http://www.rootkitanalytics.com/tools/streamarmor.php



