Subject: AV weakness alert
Date: Thu, 07 Sep 2000 00:28:02 GMT
From: "dolemite dolemite779"
To: masterrat666@yahoo.com, rats.nest@usa.net

See also: http://www.securitywatch.com/new/bugs/extra-article/sans090600.html

You can get AV software to attack the PC it is trying to protect:

"There is also a more insidious method of leveraging the inadequacies of modern day virus scanners in order to cause harm to a system. Let's assume a malevolent attacker writes a new virus program capable of performing some destructive task. Rather than immediately releasing it, they wrap it in a worm or some other delivery code. Initially, the worm simply writes the virus code to the NTFS file system as an alternate data stream of critical files (say cmd.exe, Poledit.exe, Regedt32.exe, or even worse). After a few weeks, the attacker releases the virus code into the wild as a regular virus that gets written to the named stream portion of the file system. Virus vendors respond by generating a signature file for the code, and users in turn download this signature file and begin using it.

The first time one of the files with an infected data stream is executed, the memory-resident virus scanner will detect the malicious code pattern when it is loaded into memory along with the named stream file. Unfortunately, since the scanner does not understand alternate data streams, the scanner assumes the code is actually part of the named data file. What happens next depends on how the user has their scanner configured. If the 'delete infected files' option is selected, the critical system files will be purged from the system. If 'move infected files' is selected, the critical system files would be moved from their default location and the system may be left in an inoperable state. If 'prompt for user intervention' is selected, the end user must be savvy enough to halt execution and attempt a manual cleaning (assuming they know for a fact that the virus code is located in an alternate data stream).

So even though virus code located in an alternate data stream would be harmless without some form of executor, the virus scanner can be turned against the system it is supposed to be protecting, potentially leaving the system in an unusable state. Note that this is a virus scanner problem, not a Microsoft problem, as alternate data streams have been very well documented for quite some time."
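The file-system mechanics the quoted article relies on, as an added PowerShell example that is not part of the original message or of the SANS article. It attaches a named stream to a file, shows that the primary stream and the reported file size look unchanged, enumerates the streams, and then audits a directory tree for streams other than the primary data stream and the Zone.Identifier mark that browsers add. The file name, the stream name 'hidden' and the marker payload are constructed for the demonstration; the payload is an ordinary string, not virus code. The script needs an NTFS volume and the -Stream parameters introduced in PowerShell 3.0.

```powershell
# Added example, not code from the original post or the SANS article.
# Demonstrates NTFS alternate data streams (ADS) and how to audit for them.
# Requires an NTFS volume and PowerShell 3.0 or later (-Stream support).
# File name, stream name and payload below are constructed for illustration.

$target = Join-Path $env:TEMP 'ads-demo.txt'
Set-Content -Path $target -Value 'visible primary stream'

# Attach a named stream to the same file. The content is a harmless marker.
Set-Content -Path $target -Stream 'hidden' -Value 'constructed marker payload'

# The primary stream and the file size most tools report are unchanged:
# Length counts only the unnamed :$DATA stream, not the named one.
Get-Content -Path $target
(Get-Item -Path $target).Length

# Enumerate every stream on the file. ':$DATA' is the primary stream;
# anything else is an alternate data stream living under the same name.
Get-Item -Path $target -Stream * | Select-Object FileName, Stream, Length

# Read the named stream directly. A program could be started from it just as
# easily, which is the 'executor' the article says the stream still needs.
Get-Content -Path $target -Stream 'hidden'

# Audit helper: walk a directory tree and report files carrying streams other
# than the primary data stream and the Zone.Identifier download mark.
function Find-UnexpectedStreams {
    param([Parameter(Mandatory)][string]$Path)

    Get-ChildItem -Path $Path -File -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object {
            Get-Item -Path $_.FullName -Stream * -ErrorAction SilentlyContinue |
                Where-Object { $_.Stream -notin ':$DATA', 'Zone.Identifier' }
        } |
        Select-Object FileName, Stream, Length
}

# The demo file shows up here with its 'hidden' stream.
Find-UnexpectedStreams -Path $env:TEMP

# Clean up by removing only the named stream; the file and its primary
# data remain, which is also how a manual cleaning should be done.
Remove-Item -Path $target -Stream 'hidden'
Get-Item -Path $target -Stream * | Select-Object Stream, Length
```

Running Find-UnexpectedStreams over directories such as the system folder is the check the article's scenario calls for: an unexpected stream on a file like cmd.exe is worth investigating before any scanner is allowed to act on the file as a whole. On current versions of cmd.exe, `dir /r` lists streams as well. Whether a given scanner inspects named streams separately from the primary stream is product-specific and should be confirmed against the vendor's documentation rather than assumed either way.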