When we rebooted the computer, Win2K executed test.vbs and calc.exe without introducing any modifications to the notepad.exe main stream.
These experiments show that you can use a variety of methods to open .vbs and .exe files in alternate streams. However, attempts to start a .cmd file failed, confirming that Win2K doesn't let you run files of this type directly from alternate data streams. Regardless, you can clearly see that malicious users can add a program to an alternate data stream without modifying the default stream, giving antivirus scanners no starter to detect.
What About W2K.Stream?
So, is the W2K.Stream virus worth the attention that the global technology media paid to it in September 2000? As many antivirus companies' press releases stated, the virus itself poses no real threat. W2K .Stream carries no serious payload; it simply self-replicates. In addition, although W2K.Stream can potentially spread, the virus wasn't detected "in the wild." However, W2K.Stream is important because it proved that alternate streams can hide malicious code.
W2K.Stream replaces the default stream's original content with the alternate stream's virus code and moves the default stream's original content to the alternate stream. (After infection, the file's original content is available in an alternate stream named STR.) When a user executes an infected file, the virus code in the default stream runs first, then passes control to the original program in the alternate stream. Figure 5 shows a representation of this process. Because the virus code resides in the default stream, most antivirus scanners can detect it; however, future viruses that take advantage of alternate streams might try the opposite approach—placing the virus securely inside an alternate stream—and easily evade current antivirus scanners.
Ratter, one of W2K.Stream's authors, has published an article about developing viruses for NTFS alternate data streams. (The article, "Viruses in NTFS," is published in Czech and is available at http://viry.bonusweb.cz/kniha_o_virech/ntfs.html.) Most virus-related Web sites have reproduced the article, sparking a lively discussion among virus writers. The consensus is that alternate data streams represent a primary breeding ground for future computer viruses.
Feature or Bug?
Are alternate data streams a useful feature or a security breach that we need to close sooner rather than later? Despite the vulnerabilities inherent in their structure, multiple streams are an essential NTFS component. Alternate streams give files better flexibility and scalability, so working with files and disks becomes easier and more comfortable. The feature's advantages are more ap-parent when you compare NTFS with the FAT file system.
If we don't want to give up the advantages of alternate streams, we must insist that antivirus tools check these streams. Since 1998, very few antivirus companies have added alternate stream support to their products. Support for alternate data streams must become an industry standard—and the sooner the better.
Register
Richard H. Lambert November 05, 2003