#1
Old 24th January, 2006, 11:01 AM
Chief Systems Administrator
 
Join Date: September 2001
Location: Europe
Posts: 13,075

More rootkits - Kaspersky Antivirus!

Hot on the heels of Symantec comes Kaspersky Labs' antivirus. It appears that Kaspersky use the same type of rootkit functionality as Symantec to hide data from the OS and other applications on the system. Kaspersky's antivirus software actively hides alternate data streams (an NTFS feature) using the same rootkit style that Sony BMG and Norton SystemWorks used. However, unlike Sony BMG, both Symantec and Kaspersky take a more responsible approach. The act of hiding data and files from all applications and the OS on a system remains questionable, however.
__________________
Any views, thoughts and opinions are entirely my own. They don't necessarily represent those of my employer (BlackBerry).
#2
Old 24th January, 2006, 01:30 PM
Daniel ~'s Avatar
Chief BBS Administrator
 
Join Date: September 2001
Location: Seattle Wa.
Posts: 45,606

Is this an approach developed in the long ago and just now coming back to bite them?

Seems odd that we would see this from AV creators. A bit hard to gain the world's trust while creating a haven for "the enemy".
__________________
"Though all men live in ignorance before mystery,
they need not live in darkness...
Justice is foundation and Mercy ETERNAL
."
DKE

"All that we do is touched by Ocean
Yet we remain on the shore of what we know."
Richard Wilbur

#3
Old 24th January, 2006, 03:51 PM
hoinar's Avatar
Member
 
Join Date: February 2005
Location: Iasi, Romania
Posts: 945

The use of NTFS alternate data streams in Kaspersky is not at all hidden or secret, because I remember that I used it recently for a few days as a demo, and I read about their techniques. So I just think that someone does not read enough about a product before they use it, and just wants to spread some rumours about their tech skills.
__________________
I'd cry...but I can't stop laughing.
AOA Team fah
#4
Old 24th January, 2006, 03:55 PM
Gizmo's Avatar
Chief BBS Administrator
 
Join Date: May 2003
Location: Webb City, Mo
Posts: 16,178

I put information in alternate data streams all the time; it's one of the nicer features of the NT API. In fact, Windows itself makes heavy use of streams; where do you think your folder view preferences are stored? A lot of the meta-data in Office documents is stored in streams as well.
#5
Old 24th January, 2006, 06:02 PM
Chief Systems Administrator
 
Join Date: September 2001
Location: Europe
Posts: 13,075

The issue is not the use of NTFS alternate data streams, but the fact that there is a rootkit in place to prevent other applications from being able to access certain of those alternate data streams. Basically, there are modifications to the kernel to prevent certain types of NTFS ADS from being retrieved unless the process is Kaspersky.
#6
Old 24th January, 2006, 09:43 PM
hoinar's Avatar
Member
 
Join Date: February 2005
Location: Iasi, Romania
Posts: 945

I don't know what to say, but those streams are hidden only when the Kaspersky antivirus is enabled; if the antivirus is disabled then those streams are accessible to every process that might want to use them.
I really don't know what to say, but if we go very far this way, then we can also find ourselves in a place where declaring a private member in a class will look to a journalist like an evil rootkit technique.
I know it's too far, but if we exaggerate, we can go there.
#7
Old 25th January, 2006, 12:55 AM
Daniel ~'s Avatar
Chief BBS Administrator
 
Join Date: September 2001
Location: Seattle Wa.
Posts: 45,606

Does uninstalling their AV leave the rootkit?
#8
Old 25th January, 2006, 10:59 AM
Chief Systems Administrator
 
Join Date: September 2001
Location: Europe
Posts: 13,075

Quote:
Originally Posted by hoinar
I don't know what to say, but those streams are hidden only when the Kaspersky antivirus is enabled; if the antivirus is disabled then those streams are accessible to every process that might want to use them.

Yes. Kaspersky hooks into the OS, and deliberately filters out content on the file system so other processes (and the OS itself) cannot see it. That is what rootkits do: hook the OS so certain files/processes cannot be found. For what reason does an antivirus product need to hide data from the operating system?

On a machine that has been 0wn3d, the rootkit components sit there and hide the malware files/processes in order to prevent their detection. If someone figures out a method to subvert Kaspersky in order to have it hide other files from the OS, then there is a far more serious situation. That is what happened with the Sony DRM.
#9
Old 25th January, 2006, 05:00 PM
Gizmo's Avatar
Chief BBS Administrator
 
Join Date: May 2003
Location: Webb City, Mo
Posts: 16,178

I would guess the thinking was that there are a number of viruses/malware packages that kill AV processes and/or delete components. If they hide the processes/components from the file system, then the viruses/malware can't kill/delete them.
#10
Old 25th January, 2006, 05:48 PM
Chief Systems Administrator
 
Join Date: September 2001
Location: Europe
Posts: 13,075

That would be good if the rootkit was hiding processes, rather than hiding the alternate data streams. It appears to be there to try and protect the checksums that it stores in the alternate data streams, so a virus doesn't come along and modify that checksum. This way, virus scanning is sped up, as long as no virus knows how to modify the checksum.
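To make two of the points above concrete, the everyday use of alternate data streams that Gizmo describes in #4 and the checksum cache in #10, here is an added PowerShell example. It is not code from this thread, from Kaspersky or from any other vendor; the stream name scan.cache, the sample file under $env:TEMP and the choice of SHA-256 are assumptions made for the demonstration, and the "scan cache" is only a model of the scheme the posts describe. It writes a file's hash into a stream of that file, lists the file's streams, verifies the cache, then shows the failure mode behind the thread's objection: a process that can modify the file can just as easily rewrite the stream, so the cache proves nothing on its own unless other processes are kept away from it. It needs Windows, an NTFS volume and PowerShell 5.1 or later.

```powershell
# Added example (not from the thread, Kaspersky or any vendor): keep a file's
# SHA-256 in an NTFS alternate data stream as a scan cache, verify it, and show
# why an unprotected stream is a weak place for that cache.
# The stream name 'scan.cache' and the sample file are hypothetical choices.
# Requires Windows, an NTFS volume and PowerShell 5.1 or later.

$file = Join-Path $env:TEMP 'ads-demo.txt'
Set-Content -Path $file -Value 'clean content' -NoNewline

function Get-FileSha256([string]$Path) {
    (Get-FileHash -Path $Path -Algorithm SHA256).Hash
}

# Write the hash into a named stream of the same file. Explorer, a plain
# 'dir' and most tools show only the unnamed ($DATA) stream, so the cache
# travels with the file without being visible in the usual listings.
function Set-ScanCache([string]$Path) {
    Set-Content -Path $Path -Stream 'scan.cache' -Value (Get-FileSha256 $Path) -NoNewline
}

# $true when the cached hash matches the current content, i.e. a scanner
# that trusts the cache would skip re-scanning this file.
function Test-ScanCache([string]$Path) {
    $cached = Get-Content -Path $Path -Stream 'scan.cache' -ErrorAction SilentlyContinue
    if (-not $cached) { return $false }
    return $cached -eq (Get-FileSha256 $Path)
}

Set-ScanCache $file
"Streams on ${file}:"
Get-Item -Path $file -Stream * | Select-Object Stream, Length

"Cache valid after write: $(Test-ScanCache $file)"

# Tampering 1: change only the file body. The cache no longer matches, so
# the scanner would rescan. This is the case the cache is designed for.
Add-Content -Path $file -Value 'injected payload' -NoNewline
"Cache valid after modifying the file: $(Test-ScanCache $file)"

# Tampering 2: whoever can write the file can also write its streams.
# Refreshing the cache makes the modified file look 'already scanned' again.
# Only stopping other processes from reaching the stream, which is what the
# kernel hooking discussed in this thread does, closes this hole.
Set-ScanCache $file
"Cache valid after attacker refreshes the stream: $(Test-ScanCache $file)"

# Clean up the stream and the file.
Remove-Item -Path $file -Stream 'scan.cache'
Remove-Item -Path $file
```

Run it from an ordinary PowerShell prompt; no elevation is needed. One caveat worth keeping in mind when checking for this behaviour on a real machine: Get-Item -Stream * and cmd's dir /r both ask the same file system stack for the stream list, so a filter driver that hides a stream the way the posts describe hides it from both. The classic way to catch that is a cross-view check that compares the API listing with an independent parse of the raw volume, which is beyond this snippet.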
Copyright ©2001 - 2010, AOA Forums