
Alternate Data Streams – What’s Hiding in Your Windows NTFS?



- If you find it, you can delete it.
- Panda software, a respected anti-virus and anti-malware vendor, reports that from January – March of 2006, 70% of the malware released on the Internet was trying to make money for the authors in one way or another.
- When you share files between a Mac and Windows, that additional information is kept in an ADS on the NTFS-based Windows system.
- ADSs seem to be the best kept secret of the Microsoft world.
- Very few people, including those holding Microsoft certifications, are aware of them, although they are reasonably well understood in the computer forensics community.
- This is made worse by the fact that much of the information available about ADSs on the Internet is either out of date or simply wrong.
- Because of the amount of misinformation out there, everything in this paper has been verified on test systems.
- The file in front is the only one visible in Windows Explorer or via the dir command.
- In fact, the only telltale sign is that the date-time stamp of the visible file changes to the time the ADS is created (even a one-way hash of the visible file using something like MD5 does not change).
- You can put an ADS behind another file or behind a directory.
- You can put multiple files behind a single file or directory.
- Copying or moving a file within the NTFS file system does not affect the ADS.
- E-mailing the file as an attachment can destroy the ADS.
- The visible file is unaffected by the ADS.
- For example, placing an ADS behind the system calculator does not affect the operation of the calculator.
- As noted above and demonstrated below, the date-time stamp on the visible file changes when an ADS is created behind it.
- However, utilities exist to manipulate those date-time stamps and make them say anything you want.
- If those utilities exist, then clearly the malware author could include similar functions in an install program to reset date-time stamps.
- Two utilities to manipulate date-time stamps are:
- Creating an ADS is actually very simple.
- The command below will fork the system calculator behind a file in the root directory file called somefile.txt.
- The second command executes that copy of the calculator.
- (A much more detailed example follows below.) This command does not affect the original system calculator—it creates a copy of the calculator behind somefile.txt.
- Notice the use of the colon in these commands:
- type c:\windows\system32\calc.exe>c:\somefile.txt:calc.exe
- start c:\somefile.txt:calc.exe
- The command below would place the Notepad executable into an ADS behind a directory c:\ads (the directory must already exist).
- type c:\windows\system32\notepad.exe>c:\ads:notepad.exe
- Move the file or directory to a FAT file system.
- You could use the commands below to get rid of an ADS behind a file named anyfile.txt in this example.
- Note that these commands do not work with a directory. The idea is to rename the file, copy only its visible content (the default stream) into a new file with the original name, and delete the renamed file that still carries the ADS:
- ren c:\anyfile.txt c:\temp.txt
- type c:\temp.txt > c:\anyfile.txt
- del c:\temp.txt
- At http://www.spywareinfo.com/~merijn/downloads.html, if you scroll down the page, you will find the utility ADS Spy.
- A second utility, lads.exe is a command line utility.
- If you were to put lads.exe in the C:\ directory, the command below creates a file containing a listing of all the ADS files on your system:
- C:\lads.exe /S > C:\ads-list.txt
- Without the /S switch, it only looks in the present directory.
- You can also specify a directory you want it to scan.
- You can download lads.exe from http://www.heysoft.de/Frames/f_sw_la_en.htm.
- The existence of an ADS on your system is not necessarily malicious.
- We have identified at least three times when an ADS will exist legitimately:
- When you use Microsoft Internet Explorer (at least through version 6) to download and save files from the Internet, the browser creates an ADS called Zone.Identifier.
- This file contains information about the Internet zone from which the file was downloaded.
- In Windows Explorer on Windows XP, if you choose the View –> Thumbnails option for pictures, it appears to create the thumbnail as an ADS.
- Very informative, as you can see.
- Using a command line, it is possible to create and execute an ADS.
- Note that everything you see below is on a Windows XP SP2 system.
- When we make the copy, we give the file a new name to differentiate the copy we are working in from the actual system executable.
- Note that the new directory and copying the file are not required; we just don’t want to take a chance on messing up the actual system executables.
- Once we make the copy, we do a dir command and see that the date-time stamp on calc-ads.exe shows an AM time and the size is 114,688 bytes.
- We then do the type command to place the notepad.exe executable behind the calc-ads.exe file (notice the colon between the filenames).
- This creates the ADS.
- Note that we call the streamed file notepad-ads.exe to make sure we are using the copies and not the real system executables.
- We do a dir again and see that the date/time stamp of calc-ads.exe has changed to a PM time.
- Note that it now shows the time we created the ADS; however, the file size is unchanged at 114,688 bytes.
- (We will not demonstrate the date-time stamp changing utilities we mention above, but we have tested them, and they do, indeed, work.)
- With the ADS created, we are ready to execute it.
- In the command line window above, you see the start command, which is how you execute a file hidden as an ADS.
- You can see that Notepad is open.
- In the Task Manager, you see calc-ads.exe:notepad-ads.exe, which shows that it is, indeed, the ADS that executed.
- Note that the screen shot in Figure 2 is from Windows XP.
- If you do this on Windows 2000 or prior, the Task Manager process would show up as simply calc-ads.exe.
- If an ADS executable is installing spyware on a system, the process would terminate before you can get logged in.
- Therefore, it would not show up in the process table at all, since it is already done running.
- A program that has to keep running, such as a key logger, is different: you should be able to see that type of program in the process table.
- In the latter case, you should expect the person who places the key logger on your system to be as creative and deceptive as possible in naming the executable in an attempt to make it look innocuous.
- As we stated above, you can see the file size/date-time phenomenon in Windows Explorer, as well as the command line.
- Figure 3 shows calc-ads.exe before the ADS creation; note the file size and date-time stamp.
- Figure 4 shows the file after the ADS creation with the same size, but a different date-time.
- Again, the only telltale sign is the date-time stamp.
- Instead, we will use the utilities mentioned above as a continuation of the demonstration.
- We will use ADS Spy to delete the ADS, and LADS to check our progress.
- We begin by running the lads command with no command line switches so the program looks only in the present working directory, c:\ads in this case.
- In Figure 5, we can see the lads command finding the notepad-ads.exe ADS.
- lads.exe showing the ADS.
- In Figure 6, we have run ADS Spy set to scan only the c:\ads folder.
- You can see that it also found the notepad-ads.exe hidden file.
- ADS Spy—deleting an ADS.
- ADS Spy removal warning.
- Note that the warning in Figure 7 states, “They will be deleted permanently!” In other words, they will not be placed in the Recycle Bin for later recovery.
- Obviously, care should be used with ADS Spy.
- After clicking the Yes button in Figure 7, we again run the lads command and see that it finds no ADSs (incidentally, ADS Spy would not find any now either).
- Therefore, we see that removal of the ADS succeeded.
- lads.exe confirming ADS removal.
- Unfortunately, like many valid features in the computer world, they can also be misused in invalid and malicious ways.
- Learn more about how you can improve productivity, enhance efficiency, and sharpen your competitive edge.
- Our courses and enhanced, hands-on labs offer practical skills and tips that you can immediately put to use.
- Keith teaches a variety of courses in the Global Knowledge Security curriculum.
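As an added example (not part of the original paper), the same check that lads.exe and ADS Spy perform above can be done with PowerShell's built-in -Stream support: it walks a directory tree, reports every non-default stream, treats the Zone.Identifier download marker described above as expected, and flags anything else for review. It assumes PowerShell 3.0 or later on an NTFS volume; the function name Find-AlternateDataStream is my own.

```powershell
# Added example, not from the original paper. Assumes PowerShell 3.0+ on NTFS.
# Lists non-default streams under -Path; only removes flagged streams when
# -Remove is given, and -WhatIf previews that without touching anything.
function Find-AlternateDataStream {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)] [string] $Path,
        [switch] $Recurse,
        [switch] $Remove      # delete streams other than Zone.Identifier
    )

    # Both files and directories can carry streams (see the c:\ads example above).
    $items = Get-ChildItem -LiteralPath $Path -Force -Recurse:$Recurse -ErrorAction SilentlyContinue

    foreach ($item in $items) {
        # Get-Item -Stream * returns one object per stream; ':$DATA' is the
        # default stream, i.e. the visible content, so it is filtered out.
        $streams = Get-Item -LiteralPath $item.FullName -Stream * -ErrorAction SilentlyContinue |
                   Where-Object { $_.Stream -ne ':$DATA' }

        foreach ($s in $streams) {
            $expected = ($s.Stream -eq 'Zone.Identifier')
            $content = $null
            if ($expected) {
                # The zone marker is small text (ZoneId=3 means "Internet");
                # show it so the reader can confirm it is the legitimate case.
                $content = (Get-Content -LiteralPath $item.FullName -Stream $s.Stream -Raw) -replace '\s+', ' '
            }
            [pscustomobject]@{
                Path    = $item.FullName
                Stream  = $s.Stream
                Length  = $s.Length
                Verdict = if ($expected) { 'expected (download zone marker)' } else { 'REVIEW' }
                Content = $content
            }

            # Like ADS Spy, deletion is permanent: nothing goes to the Recycle Bin.
            if ($Remove -and -not $expected -and
                $PSCmdlet.ShouldProcess("$($item.FullName):$($s.Stream)", 'Remove stream')) {
                Remove-Item -LiteralPath $item.FullName -Stream $s.Stream
            }
        }
    }
}

# Usage (constructed paths from the demonstration above):
#   Find-AlternateDataStream -Path C:\ads -Recurse
#   Find-AlternateDataStream -Path C:\ads -Remove -WhatIf
```

Run it on the c:\ads directory from the demonstration and it reports calc-ads.exe with stream notepad-ads.exe as REVIEW, while a file saved by Internet Explorer shows only its Zone.Identifier marker.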
