December 13th, 2003, 10:28 PM   #1
ali1
2 days to learning all about NTFS ADS viruses.

Hi everyone. Well, I've created much fuss around this forum through my last article on viruses that cannot be detected by any antivirus software. I didn't know how I could get back the good image I've lost, so I wrote this 2 day report on NTFS ADS viruses. I've researched and researched this topic a lot of times before writing this report. I hope it somehow pays back for my last post. Since this is a 2 day report, I thought I shouldn't post the reports for both of the days here because it wouldn't make sense. Therefore, if you like this report, you can get Day 2 for free from my website by the link given at the end of this article.
I hope it proves useful.


2 days to learning all about NTFS ADS viruses.

Day 1:

What is NTFS ADS?

Well, ADS stands for Alternate Data Streams. It is a feature of the NTFS file system. It allows data to be attached to files, but this data remains completely invisible to some file reading utilities. This feature can be used by viruses to exploit systems. Wanna see how it works? Then maybe we have to get started with some practical stuff.

Getting started.

What you'll need.....

Well, what we are going to do now isn't going to work unless you have got the NTFS file system installed on the drive you'll work on. (I got almost half crazy trying to get it to work on one of my drives that had FAT32 and couldn't realize what was wrong. Then I checked the file system and was like OHH Stupid Me! Anyways...) However, if you do not have FAT32 installed on any of your drives and you can't get one that has it installed, then just read the rest of this article... you'll get an idea of what I'm talking about. However, if you do have a drive with NTFS installed, then great! Let's do it!

First of all, make a separate folder on the drive that has NTFS installed. Name that folder "test". Now, you must have a little knowledge of how to use MS-DOS. If not, then visit this page. Learn MS-DOS through the free tutorials provided and then return here.

If you already have a little know-how of MS-DOS, then we can get started right away.

Learning how to create ADSs.

An ADS is really simple to create if you have a little knowledge of MS-DOS. Just launch MS-DOS and point to the folder "test" on whatever drive you have the folder on. Let's say you have test installed on Drive C:\ so you'll have to point to the folder C:\Test.
Now, type the following line:

echo "this text is visible">1.txt

What's happening here is that the echo command is creating the file "1.txt" and putting the words "this text is visible" into that file.

Now, when you open the folder C:\Test through Windows Explorer you should see the file 1.txt, and when you double click that file, you should be able to read the words "this text is visible" in that file. Now, let's move on to creating our first ADS in that file.

At the command prompt, type the following line:
echo "and this text is invisible">1.txt:ads1.txt

This command creates an ADS, or a data stream, in the file 1.txt. This data stream cannot be viewed by Windows Explorer or MS-DOS. If you open the folder C:\test through Windows Explorer then you will see only one file, named 1.txt. You wouldn't see any other file. And, even if you try the DIR command through MS-DOS, you will still see only one file named 1.txt in that folder. Also, by creating 1.txt and adding an ADS to it, we have used some 54 bytes of memory. However, we see that the DIR command shows only 24 bytes occupied by the folder. You may even check the size of the folder through Windows Explorer (you can do so by opening drive C, right clicking on the folder Test and choosing Properties). Still you would see only 24 bytes occupied by the folder. The only way you can view the ADS you just added to the file is by typing the following command at the command prompt:

notepad 1.txt:ads1.txt

This will open up a Notepad window and will show the file we just created. This is the only way you can read the ADSs attached to a file. However, now there is a free tool available which scans the entire drive or a given directory for ADSs. It lists the names and size of all alternate data streams it finds. It is called LADS. You can download LADS now from http://www.heysoft.de. If you ever come across a file that you doubt has some ADSs attached to it and you want to read what's in the ADSs, then LADS is the program for you. You can use LADS to find the names of all of the ADSs attached to that file/folder. Then you can use the notepad command to view the contents of the ADSs. This is very useful if you are not sure if a particular folder or file has ADSs attached to it or not and if you want to view the contents of the ADSs.

Well, that's all for now. Tomorrow I will show you how NTFS ADS can be used to create viruses, and also how you can remove ADSs from a file without losing the original data it contains. As for today, you may want to practice creating ADSs and experiment with them.


Get the rest of this report from:
http://www.virustimes.cjb.net/2days/membersonly.html
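The stream listing the post describes (names and sizes of every ADS under a folder, then viewing their contents) can also be done with PowerShell's built-in stream support. This is an added example, not part of the original post or of LADS; it assumes PowerShell 3.0 or later, an NTFS volume and the C:\Test folder from the post, and the function name Get-AlternateStream is hypothetical.

```powershell
# Added example (not from the original post): list alternate data streams
# under a folder, reporting stream name and size next to the visible file size.
# Get-AlternateStream is a hypothetical helper name chosen for this example.
function Get-AlternateStream {
    param([Parameter(Mandatory = $true)][string]$Path)

    # Only files are scanned here; folders can carry streams too.
    Get-ChildItem -LiteralPath $Path -Recurse -Force -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file = $_
            # -Stream * returns every stream; ':$DATA' is the normal file content.
            Get-Item -LiteralPath $file.FullName -Stream * -Force -ErrorAction SilentlyContinue |
                Where-Object { $_.Stream -ne ':$DATA' } |
                ForEach-Object {
                    [PSCustomObject]@{
                        File         = $file.FullName
                        Stream       = $_.Stream
                        StreamBytes  = $_.Length      # bytes hidden in this stream
                        VisibleBytes = $file.Length   # size DIR and Explorer report
                    }
                }
        }
}

# C:\Test is the folder created in the post.
$found = Get-AlternateStream -Path 'C:\Test'
$found | Format-Table -AutoSize

# Zone.Identifier is the stream Windows attaches to downloaded files,
# so it is expected; show the first lines of everything else for review.
$found | Where-Object { $_.Stream -ne 'Zone.Identifier' } | ForEach-Object {
    "--- $($_.File):$($_.Stream) ($($_.StreamBytes) bytes)"
    Get-Content -LiteralPath $_.File -Stream $_.Stream -TotalCount 5
}
```

For the two echo commands in the post, the table should show 1.txt with a stream named ads1.txt whose bytes are not counted in the visible size.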