News
Coreflood Problems Highlight Unaddressed NTFS ADS Threat
by Stephen Swoyer
12/3/03

Threatened by legislation at both the state and the federal levels, spammers
are increasingly turning to spam viruses to get their messages
across.
First there was SoBig, a conventional email-borne virus
that’s been responsible for propagating a benumbing quantity
of spam. Now a new, far more insidious spam virus has appeared
which exploits a little-known feature of Microsoft’s Windows
NT File System (NTFS), called alternate data streams
(ADS).
Security experts say that the new virus could presage a
raft of similar attacks, and -- as if that’s not bad enough --
an administrator who identified the virus early says that it
and other ADS exploits like it aren’t detected by many of
today’s most common virus- and Trojan-scanning tools.
If it weren’t for his Ironmail spam-detection and filtering
appliance, Bryan Lucas, an administrator with Texas Christian
University, concedes that he might never even have known there
was a problem. “Back in October, we were logging message
traffic [in excess] of 100,000, 200,000, 300,000 messages a
day,” he says. “Our normal volume is 25,000 or so messages a
day.”
Not surprisingly, when Lucas analyzed the logs, he
determined that the traffic had originated from a student
computer. Over time, he also discovered that at least four
additional student PCs had been infected. But when one
obliging student brought in his laptop so that Lucas could
take a look at it, he was unable to detect the offending virus
-- although he did manage to isolate a suspicious-looking DLL
file (vqmnxl.dll) which was mapped to a key in the registry.
“Whenever I deleted [the registry key], it would just come
back,” he says.
Lucas scanned the PC for this DLL file, but found nothing.
It occurred to him, however, that the file could be hidden in
an NTFS ADS, and so he downloaded a freeware tool called LADS
and used it to scan the c:\windows\system32 directory, which
was identified as the source of the file in the registry key.
Bingo -- he found vqmnxl.dll in an ADS attached to the system32
folder.
According to Russ Cooper, editor of the NTBugtraq listserv
and surgeon general of security consultancy TruSecure
Corp., ADS can be used to store supplemental information --
such as security descriptors -- in addition to a primary data
stream. “Microsoft stores additional information such as
security information in alternate data streams, and every file
in an NTFS system uses several alternate data streams to
identify information about the file. Since the user doesn’t
need to see anything other than the DOS file systems that they
are used to, there’s no need to display that information,” he
says.
But more than just security information can be stored in an
ADS. Binary executable data can also be written to an ADS, and
-- what’s more -- it’s possible to hide a sizeable amount of
binary executable data by appending it as an ADS to a much
smaller file or folder. A malicious attacker could, for
example, create a 1 KB file called “readme.txt” and hide a
binary executable of several megabytes in an ADS attached to
it.
In Lucas’ case, spyware detection tools such as AdAware and
Spybot didn’t detect the offending DLL. Nor, he says, did
version 8.0 of Symantec Corp.’s Norton Antivirus Corporate
Edition, which TCU uses internally to protect its servers.
Help came in the form of a freely-downloadable scanning tool
released by Sophos Inc. to combat the Coreflood virus, which
first appeared a year ago and has been spawning variants in
recent months. Security vendor aliases for the trojan include
Corefloo, TrojanDropper and Backdoor.Coreflood. “I went and
pulled the Sophos tool and it found it just fine,” he
explains, adding: “It’s not like I extracted it and put it in
the file system and then it found it -- not only did it find
it, it also cleaned it. I had no way of cleaning it because
it’s in the System32 folder.”
Chris Belthoff, a senior security analyst with Sophos, says
that as far as he knows, the first virus designed to target
ADS -- W2K/Stream -- appeared more than three years ago, in
September of 2000. Since then, he says, Sophos has included
ADS scanning support in its products. “[Virus writers] are
trying ever more subversive approaches to getting viruses to
infect systems, so we figured this could be a problem,” he
says.
Just how common is ADS scanning in today’s anti-virus,
spyware and Trojan removal software? Larry Bridwell, content
security program manager for ICSA Labs, TruSecure’s product
testing and certification arm, says that he can’t think of any
products that specifically scan NTFS alternate data streams
off the top of his head. “I would have to look into that,” he
acknowledges. “I haven’t seen anything on any of my lists that
can verify that [viruses are exploiting ADS], or that there is
anything out there that is specifically written for that.”
In spite of his recent troubles, Lucas has been generally
happy with the performance of his Norton Antivirus Corporate
product, and acknowledges that if Symantec doesn’t deliver ADS
scanning support, he can deal with the occasional spam virus
that exploits ADS -- provided that the situation doesn’t get
any worse.
“[Norton Antivirus] runs great, it’s been outstanding, even
with all of the viruses [this year] and through Blaster. But
it’s still frustrating to me that their product doesn’t detect
it,” he says, noting that he has posted several times to a
Symantec forum about the problem but isn’t convinced the
company believes it’s an issue. Lucas thinks it’s just the tip
of the iceberg, however: “This virus causes me grief, and I
can deal with it, but what about the next Blaster or what have
you that’s written to use ADS?”
At least one other IT manager, a Windows administrator with
the University of Minnesota, has also detected a similar
virus. This administrator did not respond to requests for
comment.
Symantec confirms that its shrink-wrapped products don’t
currently scan NTFS ADS for viruses, but company officials
argue that the real-time virus protection provided by Norton
AntiVirus Corporate Edition and its consumer-oriented variants
should be able to detect a virus signature (in this case,
Coreflood) and nab it before it’s written to disk as an ADS.
“Usually the real-time protection will detect it when they’re
trying to put the Trojan on [the system] in the first place
-- when it’s still in memory and waiting to be written to the
disk,” says Sharon Ruckman, senior director of Symantec
Security Response.
In this case, however, at least one of the infected
computers was running an anti-virus tool -- McAfee from
Network Associates -- although Lucas admits that he doesn’t
know if the product’s real-time scanning capabilities were
enabled, much less if its virus signatures were up to date, at
the time infection occurred. “She had McAfee on her machine,
however there's no way I could confirm it was actually running
at the time of infection,” he says.
Ruckman concedes that real-time protection doesn’t address
the whole of the issue and says that Symantec is considering
ADS-scanning capabilities for future versions. “We’re going to
be looking at that, because we realize that part of the
problem is [that] if somebody is not running anti-virus [with
real-time protection] in the first place, we want to make sure
that we can detect [an ADS virus] after it’s been installed,”
she says, noting that in at least one case, Symantec provided
ADS scanning capability via a free tool that could detect and
remove the W2K/Stream virus.
The upshot, says NTBugtraq’s Cooper, is that attacks of
this kind probably won’t prove to be especially virulent.
“It’s not that it won’t get exploited, or that it’s not a
problem, it’s that it’s easy to detect and remove it once you
know there’s a problem,” he says. This type of exploit creates
a registry key -- complete with a path to the ADS executable
-- so that it can be invoked at runtime. “Nothing’s going into
alternate data streams first, it’s going into memory first,
and if your anti-virus is running and you’re doing real-time
monitoring, then you should detect it whether it’s using ADS
or not."
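Two of the checks described above, the LADS-style stream scan Lucas ran against the system32 folder and the registry path Cooper says such a Trojan leaves behind, as an added example that is not code from the article, LADS, Sophos or Symantec. The Windows-only part calls the Win32 FindFirstStreamW API through ctypes; the helpers are pure Python, and the path and stream names in the comments are constructed from the article's own vqmnxl.dll case.

```python
# Added example (not from the article, LADS or any vendor tool); Windows-only enumeration via Win32 FindFirstStreamW.
import ctypes
import re

# drive:\path:stream[:$DATA]: a second colon after the drive letter marks an ADS reference
ADS_PATH_RE = re.compile(r"^[A-Za-z]:\\[^:]*:([^:\\]+)(?::\$DATA)?$", re.I)

def parse_stream_name(raw):
    """':name:$DATA' -> 'name'; the primary data stream '::$DATA' -> ''."""
    parts = raw.split(":")
    return parts[1] if len(parts) >= 2 else raw

def is_executable_stream(name, head):
    """A named stream whose first bytes are 'MZ' carries a PE image (DLL/EXE)."""
    return name != "" and head[:2] == b"MZ"

def referenced_stream(path_value):
    """Stream name if e.g. 'C:\\Windows\\system32:vqmnxl.dll' points into an ADS, else None."""
    m = ADS_PATH_RE.match(path_value.strip('"'))
    return m.group(1) if m else None

def list_streams(path):
    """Yield (name, size) for every stream on a file or folder (Windows only)."""
    class FindStreamData(ctypes.Structure):          # WIN32_FIND_STREAM_DATA
        _fields_ = [("StreamSize", ctypes.c_longlong),
                    ("cStreamName", ctypes.c_wchar * (260 + 36))]  # MAX_PATH + 36
    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    k32.FindFirstStreamW.restype = ctypes.c_void_p
    k32.FindFirstStreamW.argtypes = [ctypes.c_wchar_p, ctypes.c_int, ctypes.c_void_p, ctypes.c_uint32]
    k32.FindNextStreamW.argtypes = [ctypes.c_void_p, ctypes.c_void_p]
    k32.FindClose.argtypes = [ctypes.c_void_p]
    data = FindStreamData()
    h = k32.FindFirstStreamW(path, 0, ctypes.byref(data), 0)  # 0 = FindStreamInfoStandard
    if h in (None, ctypes.c_void_p(-1).value):               # INVALID_HANDLE_VALUE: no streams
        return
    try:
        while True:
            yield parse_stream_name(data.cStreamName), data.StreamSize
            if not k32.FindNextStreamW(h, ctypes.byref(data)):
                break
    finally:
        k32.FindClose(h)

def audit(path):
    """[(name, size)] of named streams on `path` whose content starts with 'MZ'."""
    hits = []
    for name, size in list_streams(path):   # a folder such as C:\Windows\System32 is a valid target
        if name and is_executable_stream(name, open(f"{path}:{name}", "rb").read(2)):
            hits.append((name, size))
    return hits
```

Run `audit(r"C:\Windows\System32")` on a Windows host to list executable streams on the folder itself; pass a registry Run value to `referenced_stream()` to see whether it points into a stream.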
TCU’s Lucas says that his organization may purchase
anti-virus site license support for as many as 10,000 of its
student users. “Since Blaster and some of these new viruses,
we’ve realized that you’re going to have to treat students
just like you would any other user, so our approach is that
we’re going to buy Norton at least for the first layer,” he
says. However, Lucas says he’d prefer to use a tool that’s
able to remove all extant viruses from a user’s system -- even
those which are hidden in NTFS alternate data streams.
He remains skeptical, however, of claims that real-time
anti-virus monitoring is enough. “We had machines running
[Norton AntiVirus] in [real-time protection] mode with the
latest definitions, yet we still got hit with Welchia, MiMail
etc.,” he argues. “According to their logic, no one should have
ever gotten infected with those viruses if they were running
[Norton AntiVirus] with [real-time protection], yet they did.
This is because there is and always [will] be a lag time
[between when] definitions [are downloaded] and virus
outbreaks. We have to be able to count on our anti-virus
solution to protect us from existing viruses but also to clean
up after each new virus infects us.”
You can contact Stephen about "Coreflood Problems Highlight Unaddressed NTFS ADS Threat" at swoyerse@yahoo.com.