Daniel Bachfeld
Dangers from the Twilight Zone
Alternate Data Streams can still be hiding places for malware
Microsoft's NTFS file system supports Alternate Data Streams to store additional information about a file. Malware can lurk in such streams. Nonetheless, a year and a half after the first ADS test of 18 virus scanners still not all of them reliably detect malware in ADS.
In October of 2004, heise Security Germany conducted a test to see which virus scanners detect contaminants in Alternate Data Streams (ADS) [1]. Since Windows NT 3.51, the NT file system (NTFS) developed by Microsoft has supported ADS. The operating system does so to store additional information about a file, such as the ZoneIDs introduced with Service Pack 2 that mark files as coming from the Internet. Windows applications have also, for example, long used such streams to save thumbnails for previews.
And yet, such streams cannot be displayed either with the DOS command dir or with Windows Explorer. All you can see is the file; the stream is basically invisible. Even if a user or an application writes several megabytes into the stream, the size of the file remains unchanged. An ADS can even be connected to a directory. In other words, streams are an excellent way of hiding data, which viruses and trojan horses already exploit.
In the 2004 test of 18 products five failed both in the on-demand scan and in on-access recognition. Only five of the virus monitors provided reliable protection from malicous code written into the stream and detected it both on demand and on access. A year and a half later, more and more contaminants are hiding in streams, such as the current worm Mailbot. In particular, Windows rootkits are becoming increasingly common, which makes it more and more important to find and eliminate dangerous data in ADS. Time for us to update our overview.
Second stage
We did this test in cooperation with AV-Test and checked recent versions of the 18 scanners tested last time for their abilitity to detect malware in ADS. While we found that more products now detect viruses in streams, there is still one complete failure: F-Prot still does not look at streams at all. Nine products detect viruses in ADS both on demand and on access, one of which is Symantec, whose scanner failed completely in the ADS test in 2004. Trend Micro has also improved. Though its scanner was able to scan ADS on demand in earlier versions in principle, this option had to be activated first via a registry key. In the current version 2006, the scanner at least searches streams for malware on access without being prompted.
BitDefender also searches for viruses in ADS on access, but the scanner does not find anything on demand. The virus utilities of Ikarus do it the other way round: The product detects malware in ADS on demand, but not on access. We were a bit surprised this time by Norman Virus Control, which offered complete protection in 2004 but now only monitors your computer on access. The vendor had not responded to our query on this matter by the time we went online. Also see the table at the end of the article for the complete results.
Conclusions
Most vendors have done their homework and now provide protection against viruses in ADS, though sometimes only on access. At present, Antivir 7, AntiVirenKit 2006, Anti-Virus 2006, Dr.Web, EZ Antivirus, Kaspersky AV Personal, McAfee Viruscan, NOD32 and Norton Antivirus 2006 have mastered both disciplines. The virus utilities of Ikarus and F-Prot cannot, however, be recommended because neither provide protection from ADS malware in real-time. According to the vendor, the upcoming version 4.0 of F-Prot will have remedied this drawback. (dab)
[1] Gefahr aus der Schattenwelt, original review article on heise Security, Germany
[2] How To Use NTFS Alternate Data Streams
[3] Indexing Service Adds Data Streams to Image Files
[4] LADS - List Alternate Data Streams
[6] Virus W2K.stream
[8] FAQ: Alternate Data Streams in NTFS
[9] ADS Locator
| Product | Vendor | Version | On-Demand | On-Access |
|---|---|---|---|---|
| Avira Antivir | Avira | 7 |  |
|
| AntiVirenKit | GDATA | 2006 | |
|
| Anti-Virus 2006 | F-Secure | 6.10 | |
|
| AVG Antivirus (deutsch) | Grisoft | Pro Edition 7.1 |  |
|
| BitDefender | Softwin | 9 | |
|
| Command AV | Command Software | 4.93.7 | |
|
| Dr.Web | Doctor Web | 4.33 | |
|
| EZ Antivirus | Computer Associates | 7 | |
|
| F-Prot (Windows) | Frisk | 3.16f | |
|
| Kaspersky AV Personal | Kaspersky | 5.5 | | |
| McAfee Virusscan | McAfee | 2006 | |
|
| Nod32 | Eset | 2.5 | | |
| Norman Virus Control | Norman | 5.81 | |
|
| Norton Antivirus | Symantec | 2006 | |
|
| Panda Platinum Internet Security | Panda | 2006 | |
|
| PC-cillin Internet Security | Trend Micro | 14 | ||
| Sophos Anti-Virus (Sweep) | Sophos | 3.05 | |
|
| Virus Utilities | Ikarus Software | 5.16 | |
|
![Kernel Log: Coming in 3.10 (Part 3) [--] Infrastructure](/imgs/43/1/0/4/2/6/7/2/comingin310_4_kicker-4977194bfb0de0d7.png)
![Kernel Log: Coming in 3.10 (Part 3) [--] Infrastructure](/imgs/43/1/0/4/2/3/2/3/comingin310_3_kicker-151cd7b9e9660f05.png)
