News

Coreflood Problems Highlight Unaddressed NTFS ADS Threat

• By Stephen Swoyer
• 12/03/2003

First there was SoBig, a conventional email-borne virus that’s been responsible for propagating a benumbing quantity of spam. Now a new, far more insidious spam virus has appeared which exploits a little-known feature of Microsoft’s Windows NT File System (NTFS), called alternate data streams (ADS).

Security experts say that the new virus could presage a raft of similar attacks, and -- as if that’s not bad enough -- an administrator who identified the virus early says that it and other ADS exploits like it aren’t detected by many of today’s most common virus- and Trojan-scanning tools.

If it weren’t for his Ironmail spam-detection and filtering appliance, Bryan Lucas, an administrator with Texas Christian University, concedes that he might never even have known there was a problem. “Back in October, we were logging message traffic [in excess] of 100,000, 200,000, 300,000 messages a day,” he says. “Our normal volume is 25,000 or so messages a day.”

Not surprisingly, when Lucas analyzed the logs, he determined that the traffic had originated from a student computer. Over time, he also discovered that at least four additional student PCs had been infected. But when one obliging student brought in his laptop so that Lucas could take a look at it, he was unable to detect the offending virus -- although he did manage to isolate a suspicious-looking DLL file (vqmnxl.dll) which was mapped to a key in the registry. “Whenever I deleted [the registry key], it would just come back,” he says.

Lucas scanned the PC for this DLL file, but found nothing. It occurred to him, however, that the file could be hidden in an NTFS ADS, and so he downloaded a freeware tool called LADS and used it to scan the c:\windows\system32 directory, which was identified as the source of the file in the registry key. Bingo -- he found vqmnxl.dll in an ADS attached to the sytem32 folder.

According to Russ Cooper, editor of the NTBugtraq list serve and surgeon general of security consultancy TruSecure Corp., ADS can be used to store supplemental information -- such as security descriptors -- in addition to a primary data stream. “Microsoft stores additional information such as security information in alternate data streams, and every file in an NTFS system uses several alternate data streams to identify information about the file. Since the user doesn’t need to see anything other than the DOS file systems that they are used to, there’s no need to display that information,” he says.

But more than just security information can be stored in an ADS. Binary executable data can also be written to an ADS, and -- what’s more -- it’s possible to hide a sizeable amount of binary executable data by appending it as an ADS to a much smaller file or folder. A malicious attacker could, for example, create a 1 KB file called “readme.txt” and hide a binary executable of several megabytes in an ADS attached to it.

In Lucas’ case, spyware detection tools such as AdAware and Spybot didn’t detect the offending DLL. Nor, he says, did version 8.0 of Symantec Corp.’s Norton Antivirus Corporate Edition, which TCU uses internally to protect its servers. Help came in the form of a freely-downloadable scanning tool released by Sophos Inc. to combat the Coreflood virus, which first appeared a year ago and has been spawning variants in recent months. Security vendor aliases for the trojan include Corefloo, TrojanDropper and Backdoor.Coreflood. “I went and pulled the Sophos tool and it found it just fine,” he explains, adding: “It’s not like I extracted it and put it in the file system and then it found it -- not only did it find it, it also cleaned it. I had no way of cleaning it because it’s in the System32 folder.”

Chris Belthoff, a senior security analyst with Sophos, says that as far as he knows, the first virus designed to target ADS -- W2K/Stream -- appeared more than three years ago, in September of 2000. Since then, he says, Sophos has included ADS scanning support in its products. “[Virus writers] are trying ever more subversive approaches to getting viruses to infect systems, so we figured this could be a problem,” he says.

Just how common is ADS scanning in today’s anti-virus, spyware and Trojan removal software? Larry Bridwell, content security program manager for ICSA Labs, TruSecure’s product testing and certification arm, says that he can’t think of any products that specifically scan NTFS alternate data streams off the top of his head. “I would have to look into that,” he acknowledges. “I haven’t seen anything on any of my lists that can verify that [viruses are exploiting ADS], or that there is anything out there that is specifically written for that.”

In spite of his recent troubles, Lucas has been generally happy with the performance of his Norton Antivirus Corporate product, and acknowledges that if Symantec doesn’t deliver ADS scanning support, he can deal with the occasional spam virus that exploits ADS -- provided that the situation doesn’t get any worse.

“[Norton Antivirus] runs great, it’s been outstanding, even with all of the viruses [this year] and through Blaster. But it’s still frustrating to me that their product doesn’t detect it,” he says, noting that he has posted several times to a Symantec forum about the problem but isn’t convinced the company believes it’s an issue. Lucas thinks it’s just the tip of the iceberg, however: “This virus causes me grief, and I can deal with it, but what about the next Blaster or what have you that’s written to use ADS?”

At least one other IT manager, a Windows administrator with the University of Minnesota, has also detected a similar virus. This administrator did not respond to requests for comment.

Symantec confirms that its shrink-wrapped products don’t currently scan NTFS ADS for viruses, but company officials argue that the real-time virus protection provided by Norton AntiVirus Corporate Edition and its consumer-oriented variants should be able to detect a virus signature (in this case, Coreflood) and nab it before it’s written to disk as an ADS. “Usually the real-time protection will detect it when they’re trying to put the Trojan on [the system] in the first place --when it’s still in memory and waiting to be written to the disk,” says Sharon Ruckman, senior director of Symantec Security Response.

In this case, however, at least one of the infected computers was running an anti-virus tool -- McAfee from Network Associates -- although Lucas admits that he doesn’t know if the product’s real-time scanning capabilities were enabled, much less if its virus signatures were up to date, at the time infection occurred. “She had McAfee on her machine, however there's no way I could confirm it was actually running at the time of infection,” he says.

Ruckman concedes that real-time protection doesn’t address the whole of the issue and says that Symantec is considering ADS-scanning capabilities for future versions. “We’re going to be looking at that, because we realize that part of the problem is [that] if somebody is not running anti-virus [with real-time protection] in the first place, we want to make sure that we can detect [an ADS virus] after it’s been installed,” she says, noting that in at least one case, Symantec provided ADS scanning capability via a free tool that could detect and remove the W2K/Stream virus.

The upshot, says NTBugtraq’s Cooper, is that attacks of this kind probably won’t prove to be especially virulent. “It’s not that it won’t get exploited, or that it’s not a problem, it’s that it’s easy to detect and remove it once you know there’s a problem,” he says. This type of exploit creates a registry key -- complete with a path to the ADS executable -- so that it can be invoked at runtime. “Nothing’s going into alternate data streams first, it’s going into memory first, and if your anti-virus is running and you’re doing real-time monitoring, then you should detect it whether it’s using ADS or not."

TCU’s Lucas says that his organization may purchase anti-virus site license support for as many as 10,000 of its student users. “Since Blaster and some of these new viruses, we’ve realized that you’re going to have to treat students just like you would any other user, so our approach is that we’re going to buy Norton at least for the first layer,” he says. However, Lucas says he’d prefer to use a tool that’s able to remove all extant viruses from a user’s system -- even those which are hidden in NTFS alternate data streams.

He remains skeptical, however, of claims that real-time anti-virus monitoring is enough. “We had machines running [Norton AntiVirus] in [real-time protection] mode with the latest definitions, yet we still got hit with Welchia, MiMail etc., he argues. “According to their logic, no one should have ever gotten infected with those viruses if they were running [Norton AntiVirus] with [real-time protection], yet they did. This is because there is and always [will] be a lag time [between when] definitions [are downloaded] and virus outbreaks. We have to be able to count on our anti-virus solution to protect us from existing viruses but also to clean up after each new virus infects us.”