COMMAND

    Alternate Data Streams (ADS)

SYSTEMS AFFECTED

    Win2000

PROBLEM

    Alternate  Data  Streams  (ADS),  and  their potential risks, were
    first discussed on NTBugtraq back in March of 1997.  The NTBugtraq
    archives contain several useful and informative discussions  about
    them; see http://ntbugtraq.ntadvice.com/archives.

    This advisory is  here because Kaspersky  Labs, an AV  Vendor, has
    decided  to  put  out  a  dire  warning  about  ADS based on their
    alleged discovery of a virus which  uses ADS.  They say it  hasn't
    been  seen  in  the  wild,  nor  have  they had any reports of any
    infections, yet they've done  an extensive press release  about it
    claiming  that  it  "represents  a  new  generation  of  malicious
    programs for Windows 2000."

    "By default, anti-virus programs check only the main data  stream.
    There will be  no problems protecting  users from this  particular
    virus," Eugene Kaspersky continues. "However, the viruses can move
    to additional data streams. In this case, many anti-virus products
    will become obsolete, and their vendors will be forced to urgently
    redesign their anti-virus engines."

    If Crucial Security's announcement isn't an example of how easy it
    can be to  detect ADS, then  JD Glaser's command  line ADS finder,
    SFIND (Contained in the Forensic Toolkit) is another:

        http://www.ntobjectives.com/forensic.htm

    NT Tripwire also monitors ADS.
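    How little it takes to enumerate streams can be shown with a short
    script. The following is an added example and not one of the tools
    named above; it assumes a Windows host with PowerShell 3 or later (so
    not a stock Windows 2000 system) and NTFS volumes.

```powershell
# Added example, not part of the advisory: walk a directory tree and report every
# NTFS alternate data stream that is not the file's normal ':$DATA' body, with
# its size, SHA-256 and whether it starts with an 'MZ' executable header.
# Requires Windows PowerShell 3+ or PowerShell 7 (Get-Item/Get-Content -Stream).
# Usage: .\Find-Ads.ps1 -Path C:\Users | Format-Table -AutoSize
param(
    [Parameter(Mandatory = $true)][string]$Path
)

# Get-Content needs a different switch to return raw bytes depending on version.
$byteArgs = if ($PSVersionTable.PSVersion.Major -ge 6) { @{ AsByteStream = $true } }
            else { @{ Encoding = 'Byte' } }

function Get-AlternateDataStreams {
    param([string]$Root)

    Get-ChildItem -LiteralPath $Root -Recurse -Force -File -ErrorAction SilentlyContinue |
    ForEach-Object {
        $file = $_
        # -Stream * enumerates all streams; ':$DATA' is the ordinary file content.
        Get-Item -LiteralPath $file.FullName -Stream * -ErrorAction SilentlyContinue |
        Where-Object { $_.Stream -ne ':$DATA' } |
        ForEach-Object {
            $streamName = $_.Stream
            $bytes = [byte[]](Get-Content -LiteralPath $file.FullName -Stream $streamName `
                                  -Raw @byteArgs -ErrorAction SilentlyContinue)
            if (-not $bytes) { $bytes = [byte[]]@() }
            $sha = [System.Security.Cryptography.SHA256]::Create()
            $hex = -join ($sha.ComputeHash($bytes) | ForEach-Object { $_.ToString('x2') })
            [pscustomobject]@{
                File        = $file.FullName
                Stream      = $streamName
                Length      = $bytes.Length
                SHA256      = $hex
                # 'MZ' at offset 0 marks a DOS/PE executable image stored in the stream.
                LooksLikePE = ($bytes.Length -ge 2 -and $bytes[0] -eq 0x4D -and $bytes[1] -eq 0x5A)
                # Zone.Identifier is the common, benign "downloaded from the internet" marker.
                Benign      = ($streamName -eq 'Zone.Identifier')
            }
        }
    }
}

Get-AlternateDataStreams -Root $Path
```

    The SHA-256 of each stream can be handed to a scanner or compared
    against a baseline, which is what the file-integrity tools above do.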

SOLUTION

    Remember, for a program to  modify a stream of a  file (executable
    or otherwise), it needs to be able to write to it, so  permissions
    are your friend.