Gladiator Security Forum

> GSF ANTI-TROJAN GUIDE ®, Get them before they get you !
Moore
post Jan 7 2005, 04:30 PM
Post #1

Adv. Member, Group: Charter Members

##################################################################
===================================================================
<><><><TROJAN HORSES><><><>
===================================================================
##################################################################

GSF ANTI-TROJAN GUIDE ® 2006

What is a Trojan ?

Trojan Horse programs are able to hide themselves from detection
after installing themselves on your computer, generally without your knowledge, sometimes using methods similar to spyware but sometimes harder to fully detect.

Trojan horses are among the most dangerous threats to your computer files
and your confidential information such as your passwords,
credit card data and personal security.

Once a Trojan program is installed on your computer it allows full access to hackers.
The same Trojan can be used secretly by many hackers.
It’s not just one Trojan to one hacker.

It’s one Trojan to many hackers.

A Trojan on your computer can let a hacker view, copy or erase any folder
and any file on your computer just as though he or she were sitting
at your computer using its keyboard and mouse.
Any file on your computer can also be sent to any e-mail address
or posted on the Internet.

There are many ways a system can be infected with a Trojan and because
a Trojan is not the same as a virus (a self-replicating program segment)
it is not always detected by anti-virus software.

Trojans are often installed by a virus or worm that is programmed to open a backdoor into your computer,
sometimes to join in DDoS attacks against other computers. Other trojans can be added to popular programs and released
to newsgroups and p2p networks in the hope of infecting new hosts.

Trojan Horse explanation:
- http://www.securelist.com/en/glossary?lett...#gloss153589812

complete windows Trojan paper : 24/10/02
- http://www.infosecwriters.com/texts.php?op...splay&id=58
-

- Malware: Fighting Malicious Code -
sample Chapters : [ Great Information - Essential reading ]
http://www.informit.com/articles/article.a...81&seqNum=1
http://www.informit.com/articles/article.a...81&seqNum=2
http://www.informit.com/articles/article.a...81&seqNum=3

-
Trojan Horse Attacks:
http://www.irchelp.org/irchelp/security/trojan.html


A great many Bots scan for victims of other Trojans such as SubSeven.
This has two distinct advantages for the hacker.
Firstly, they can scan a lot of class C blocks without scanning
themselves or wasting their own bandwidth to do so, and secondly
they can get their Bot onto already Trojan-infected machines on
the premise that if the owner did not know they had one Trojan
that is detectable by nearly all Anti-Trojan/Virus applications,
then they certainly won't know they have another that is undetectable
by signature by all of these applications.

This to a large degree is why we use Generics as a second layer of
defense against unknown Trojans.
The SubSeven scan yields victims on default ports and also exploits
the old SubSeven master password, which works on all
SubSeven 2.* versions up to and not including SubSeven 2.1.3 Bonus.
Once a victim has been found and logged into, the command
to update from the web is sent. Once received, SubSeven will download
the new file, run it and then remove itself.

SubSeven trojan was made to improve upon the design of NetBus.

It has 'improved' NetBus so much now that this is a Very deadly trojan
that can be very damaging and quite hard to remove.

The best way to tell what version of SubSeven you are infected with
is by running an updated AntiVirus program and an Anti-Trojan scanner.
Next best is to check this Which Version page.

- http://www.norman.com/security_center/viru...rchive/55682/de


- A Remote Administration Tool, or RAT, is a Trojan that when run,
provides an attacker with the capability of remotely controlling
a machine via a "client" in the attacker's machine,
and a "server" in the victim's machine.

The server in the victim "serves" incoming connections to the victim,
and runs invisibly with no user interface.
The client is a GUI front-end that the attacker uses to connect
to victim servers and "manage" those machines.
Examples include Back Orifice, NetBus, SubSeven, and Hack'a'tack.

What happens when a server is installed in a victim's machine depends on the
capabilities of the trojan, the interests of the attacker, and whether or not
control of the server is ever gained by another attacker,
who might have entirely different interests.

Infections by remote administration Trojans on
Windows machines are becoming as frequent as viruses.


- REMOTE ACCESS TROJANS-

- A Backdoor is a program that opens secret access to systems, and is often used to bypass system security.
- A Backdoor program does not infect other host files, but nearly all Backdoor programs make registry modifications.

The Enemy Within: Firewalls and Backdoors :
- http://www.symantec.com/connect/articles/e...s-and-backdoors

DLL Trojans and other:
- http://home.arcor.de/scheinsicherheit/introduction.htm
- http://securityresponse.symantec.com/avcen...ojan.anits.html

--------------------------------------------------------------------------------------------------

Most known Trojan horses are programs, which "imitate" some other useful programs, new versions of popular utility software or software updates for them.
Very often, they are sent to BBS stations or Usenet groups.

In comparison with viruses, Trojan horses are not widely spread.
The reason for this is quite simple: they either destroy themselves together with the rest of the data on disks, or unmask their presence and are deleted by victimized users.

Virus "droppers" may also be considered Trojan horses.
They are files infected in such a way that known anti-viruses do not detect the virus presence in the file.

For example, a file is encrypted in some special way or packed by a rarely used archiver, preventing an anti-virus from "seeing" the infection.

Hoaxes are also worth mentioning.

These are programs that do not cause any direct harm to computers, but, rather,
display messages falsely stating that harm has already been done,
or will be done under some circumstances; or these hoaxes warn a user about some kind of non-existent danger.

Hoaxes are, for example, programs which "scare" a user with a message about disk formatting (although no formatting actually takes place); detect viruses in uninfected files; display strange virus-like messages (CMD640X disk driver from some commercial software packages); etc.

All of this depends on the author's sense of humor.
Apparently, the string "CHOLEEPA" in the second sector of Seagate hard disks is also a hoax.

Purposely false messages about new super viruses also fall into the category of hoaxes.
Such messages appear in newsgroups from time to time, and usually create panic among users.

http://www.viruslist.com/

-------------------------------------------------------------------------------------------------------------------------------

The sites below will help direct you to the best places to search for hidden trojans/spyware:

Auto Start checklist - best places to check:
http://www.cknow.com/cms/articles/how-do-i...plications.html

################################

:: BHO Lists / Start Up lists / Process Libraries ::

################################

- http://www.sysinfo.org/bholist.php
- http://www.windowsstartup.com/wso/search.php
- http://www.sysinfo.org/startuplist.php
- http://www.rockymountain.com/ref_startup.htm
- http://www.3feetunder.com/krick/startup/list.html
- http://www.neuber.com/taskmanager/process/index.html
- http://www.reger24.de/processes.php
- http://www.answersthatwork.com/Tasklist_pages/tasklist.htm
- http://www.sysinfo.org/startupinfo.html
- http://www.processlibrary.com/
- http://www.liutilities.com/products/wintas...processlibrary/
- http://www.liutilities.com/products/wintas...library/system/
- http://www.liutilities.com/products/wintas...brary/security/


-Windows XP Home and Professional Tasks and Services:
- http://www.blkviper.com/WinXP/servicecfg.htm
- http://www.blkviper.com/index.html

Anti Trojan guides and links...

- http://www.spywarewarrior.com/uiuc/info10.htm

- http://radified.com/Articles/trojan.htm
- http://www.net-security.org/dl/articles/comp_trojans.txt


Trojan Removal guides:

http://forums.majorgeeks.com/showthread.php?t=35407

Sophos Guide to removing Trojans:

1. Removing Trojans in Windows 95/98/Me
2. Removing Trojans in Windows NT/2000/XP/2003
3. Removing Trojans on Macintosh computers
4. Removing Trojans in DOS
5. Removing Trojans in OS/2
6. Removing Trojans in NetWare
7. Removing Trojans in Unix
8. Removing Trojans in OpenVMS

http://www.sophos.com/support/disinfection/trojan.html


SubSeven Trojan Removal Guide By Merijn :
http://www.bluetack.co.uk/forums/index.php?showtopic=13340


---------------------------------------------------------------------------------------------------

If BO is running, it takes mere seconds for an intruder to access
all cached passwords and view most of your system's vital statistics.
He may have all he wants in moments and be gone.
You almost certainly wouldn't notice and there is absolutely nothing you could do.

Back Orifice Removal Guide:
http://www.pchell.com/internet/boserve.shtml

Detailed info on tracking and removing The Back Orifice "Backdoor" Program:
- http://www.nwinternet.com/~pchelp/bo/bo.html

A look into the Back Orifice Trojan:
- http://www.windowsecurity.com/articles/Tro...rse_Primer.html

----------------------------------------------------------------------------------------------------

Reverse Engineering Hostile Code:
- http://www.symantec.com/connect/de/article...ng-hostile-code

----------------------------------------------------------------------------------------------------

A good method of discovering trojan infections is to identify which virtual ports (there are 65535) are open and in use on your computer.

If you use an antivirus and a personal firewall then you have a better chance of detecting and then blocking an unknown trojan from making outbound connections.

There are many programs to monitor for open ports; I mainly rely on TCPView or Outpost firewall to view which ports are listening and operating. Port Explorer is also another excellent application for monitoring and logging the connections.

You can use the built-in Windows netstat utility from a command prompt to view the open ports and connections by going to:

-> Start -> Run -> [ type ] cmd.exe [ Win2000/XP ] or command.com [ Win98/ME ], then in the command prompt window type: netstat -an

Only a firewall can be set up to block unauthorised outbound traffic from your computer. Without one running, a trojan can give full access to and from your computer to anyone who manages to locate it with an automated scan, or to the person who originally released it.

Browser hijackers can often load up IRC trojans as part of the package to let the trojan owner know that he has a new victim to join their botnet.

example:

New Trojan beats firewalls [2003]:

QUOTE
A malevolent program capable of using a browser to transmit and receive data secretly across a firewall was demonstrated at the DefCon security conference in the US earlier this year.

Once connected through the browser, the hacker can plant applications to allow activities such as recording
key strokes on the host machine or can access and download files.

Security experts attending DefCon in Las Vegas said the demonstration of Setiri has confirmed their fears that the next step in hacking technology will bypass firewall detection.


The port lists below give the default trojan ports, which the trojan program is designed to listen and operate on. Keep in mind that any trojan may be altered to operate on other ports as well, and that activity on a known trojan port may be a false positive and a genuine connection.

Firewalls cannot tell whether the traffic is malicious or harmless, only that it is operating on a known trojan port.

Be suspicious, but don't completely panic if you suddenly notice something that shouldn't be running or is connected to the internet without your authorization.

Trojans are not able to spread any further on your computer like viruses or worms, but they can often be the result of a virus or worm infection planting a backdoor.


NOTE: Some trojans may use more than one port number. This is because one port is used for "listening" and the other/s are used for the transfer of data.

In their default configurations, the following trojans use:

Back Orifice - UDP port 31337 or 31338
Deep Throat - UDP port 2140 and 3150
NetBus - TCP port 12345 and 12346
Whack-a-mole - TCP port 12361 and 12362
NetBus 2 Pro - TCP port 20034
GirlFriend - TCP port 21544
Sockets de Troie - TCP port 5000, 5001 or 50505
Masters Paradise - TCP port 3129, 40421, 40422, 40423 and 40426

Devil - port 65000
Evil FTP - port 23456
GateCrasher - port 6969
Hackers Paradise - port 456
ICKiller - port 7789
ICQTrojan - port 4590
Phineas Phucker - port 2801
Remote Grab - port 7000
Remote Windows Shutdown - port 53001

http://www.cybercity-online.net/Trojan.html
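The port check described above, done over netstat output, as an added example that is not part of the original post. It assumes the Windows 2000/XP `netstat -ano` form (the -o switch adds the owning PID) and uses a constructed listing, not a real capture; the trojan port table is the one given in the post, and the ESTABLISHED 12346 line shows the false positive the post warns about.

```python
"""Check listening ports from Windows netstat output against the default
trojan port table given in this post. Added example, not part of the
original post; the netstat lines below are constructed, not a real capture.
Assumes the 2000/XP `netstat -ano` form, where -o adds the owning PID."""

# Default ports exactly as listed in the post (name -> (protocol, ports)).
DEFAULT_TROJAN_PORTS = {
    "Back Orifice": ("UDP", {31337, 31338}),
    "Deep Throat": ("UDP", {2140, 3150}),
    "NetBus": ("TCP", {12345, 12346}),
    "Whack-a-mole": ("TCP", {12361, 12362}),
    "NetBus 2 Pro": ("TCP", {20034}),
    "GirlFriend": ("TCP", {21544}),
    "Sockets de Troie": ("TCP", {5000, 5001, 50505}),
    "Masters Paradise": ("TCP", {3129, 40421, 40422, 40423, 40426}),
}

# Constructed sample of `netstat -ano` output (not a real capture).
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       784
  TCP    0.0.0.0:12345          0.0.0.0:0              LISTENING       1532
  TCP    192.168.1.5:12346      203.0.113.7:80         ESTABLISHED     2088
  UDP    0.0.0.0:500            *:*                                    712
  UDP    0.0.0.0:31337          *:*                                    1532
"""


def parse_netstat(text):
    """Return one dict per TCP/UDP socket line of `netstat -ano` output.
    TCP lines carry a State column; UDP lines do not, so the PID shifts."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue
        proto, local = parts[0], parts[1]
        port = int(local.rsplit(":", 1)[1])
        if proto == "TCP":
            state, pid = parts[3], int(parts[4])
        else:
            state, pid = "", int(parts[3])
        rows.append({"proto": proto, "local": local, "port": port,
                     "state": state, "pid": pid})
    return rows


def flag_known_trojan_ports(rows):
    """Return (row, trojan name) for sockets sitting on a default trojan port.

    Only TCP sockets in LISTENING state and UDP sockets are considered: an
    outbound connection whose ephemeral local port happens to fall in the
    table (the 12346 ESTABLISHED line above) is the false positive the post
    warns about, and even a hit is only a lead until the PID is traced."""
    hits = []
    for row in rows:
        if row["proto"] == "TCP" and row["state"] != "LISTENING":
            continue
        for name, (proto, ports) in DEFAULT_TROJAN_PORTS.items():
            if proto == row["proto"] and row["port"] in ports:
                hits.append((row, name))
    return hits


def pids_to_investigate(hits):
    """PIDs to look up next (e.g. in Process Explorer or TCPView)."""
    return sorted({row["pid"] for row, _ in hits})


if __name__ == "__main__":
    found = flag_known_trojan_ports(parse_netstat(SAMPLE_NETSTAT))
    for row, name in found:
        print(f"{row['proto']} {row['local']} pid={row['pid']} "
              f"matches {name} default port")
    print("investigate PIDs:", pids_to_investigate(found))
```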

--------------------------------------------------------------------------------------------------------

QUOTE
One of the most frequently fielded questions among security analysts is, "Do I have a Trojan-horse program if I've found a port open on my computer?"

Variations of this question litter security mailing lists, but the answer is always the same: Trace the port number to the program that's opening the port, and investigate the program.

The process of tracing an open port to its causative agent is called port enumeration (or port mapping). Of course, the answer assumes that you have an adequate understanding of port numbers, a good port-enumeration tool, and the ability to research whether the found program is malicious.

Let's take a look at port enumeration in general, then review 11 Windows port enumerators.


Top Port Monitoring Tools :
http://www.windowsitpro.com/article/securi...numerators.aspx

-------------------------------------------------------------------------------------------

The port numbers are divided into three ranges: the Well Known Ports,
the Registered Ports, and the Dynamic and/or Private Ports.

The Well Known Ports are those from 0 through 1023.

The Registered Ports are those from 1024 through 49151

The Dynamic and/or Private Ports are those from 49152 through 65535

- http://www.iana.org/assignments/port-numbers

Use this PORT LOOKUP PAGE or download your own copy:
- http://lists.gpick.com/portlist/lookup.asp

For a complete listing of assigned ports and numbers ;
- http://www.networksorcery.com/enp/protocol.../ports00000.htm

Trojan ports list:
- http://www.glocksoft.com/trojan_port.htm


This excellent Port Reference website also provides their handy tool for download as a Windows HTML Help (.chm) file.
DOWNLOAD your own copy now or use the ONLINE PAGE to find what services and trojans operate on each port.
It is immediately useful for double-checking port connections against the results in your firewall.
Updated regularly.


Block known trojan ports:
- http://www.doshelp.com/trojanports.htm

Ports descriptions and services:
- http://www.portsdb.org/bin/portsdb.cgi

Giant Port List:
- http://keir.net/portlist.html

------------------------------------------------------------------------------------------------------------------------

Analysis of the BioNet Trojan:
- http://www.misec.net/bionet312analysis.jsp

Computer trojan horses:
- http://www.infosecwriters.com/texts.php?op...splay&id=39

=======================================================================

:: PREVENTION IS BETTER THAN A CURE ::

-------------------------------------------------------------------------------------------------------------------------------

The same programs I use for protection against spyware also work well
against any trojans that attempt to execute, install themselves to auto-run by modifying the registry, or add themselves as system services etc.

I mainly rely on these for my protection :

- Outpost Pro/Blockpost - Firewall
- Processguard - Kernel mode protection and process termination protection
- SSM / System Safety Monitor - Dll injection protection and more
- RegrunGold - Heavy duty registry / file and full system protection and lots more
- Spywall - Internet explorer browser firewall
- Winpatrol - Lightweight Registry/system monitor
- TDS-3 - Trojan Defence Suite [ discontinued ]
- Wormguard- Worm and script protection
- Goback - Advanced system restore
- Commview - Packet sniffer

Bluetack Hosts file & Hosts File manager:
http://www.bluetack.co.uk/forums/index.php?showforum=125


Applications that have worked well for me in detecting or stopping trojans from installing to begin with:

Winpatrol
- http://www.winpatrol.com

Also my favourite program for monitoring changes to your system and giving you complete control over any changes before Windows even boots up, plus system file protection and more, is: REGRUN GOLD.

- http://www.wilderssecurity.com/regrungold.html

REGRUN Security Suite
- http://www.greatis.com/security/download.htm
- http://www.greatis.com/security/detail.htm

Outpost firewall
- http://www.agnitum.com
Outpost offers various protections against malicious software, a spyware realtime monitor and spyware scanner based on their Tauscan trojan remover engine, and also includes component control, hidden process control, and Blockpost - IP blocker [for importing the Bluetack spyware blocklist].


=======================================================================

ANTI-TROJAN PROGRAMS / TOOLS


- Well, since Trojan Defence Suite (TDS-3) has now been discontinued, the next best alternatives are included here:

- Ewido
- http://www.ewido.net/en/?section=ess

- BoClean by Comodo Software now:
- http://www.comodo.com/home/internet-securi...nti-malware.php

- TROJANHUNTER -
- http://www.misec.net/trojanhunter/

- The Cleaner -
- http://www.moosoft.com/

- A² Trojan Scanner -
- http://www.emsisoft.com/en/

QUOTE
a² personal is primarily a Trojan scanner and remover. But beside Trojan Horses and Backdoors, it also detects other harmful software like Worm-Viruses, Dialers and other dangerous tools which are used by attackers to spy on your files. The advanced background guard gives harmful programs no chance to get on your PC. As from now you have full control over all active programs and their rights on your computer.


- http://www.spywarewarrior.com/uiuc/soft5.htm


ANTI-TROJAN forums:

http://forum.misec.net/ - Trojanhunter -

===========================================

- Anti-trojan program Comparison by Agnitum with their Tauscan trojan scanner:

http://www.agnitum.com/products/tauscan/compare.html

===========================================

Kaspersky AntiVirus, while not a trojan scanner, works extremely well at detecting trojans and has powerful scanning features for detecting malicious files inside packed files, which many other AntiVirus programs miss.

http://www.kaspersky.com


DiamondCS ProcessGuard also needs mentioning..

While not a specific trojan scanner , it will prevent the installation of trojans , rootkits and rogue applications from disabling your security software..

QUOTE
DiamondCS ProcessGuard protects Windows processes from attacks by other processes, services, drivers, and other forms of executing code on your system. ProcessGuard also stops applications from executing without the user's consent, stops malicious worms and trojans from being executed silently in the background, as well as a variety of other attacks. ProcessGuard even stops most keyloggers and leaktests, and is recognised by many to be the most comprehensive anti-rootkit solution available.


Download from here :
http://www.tucows.com/preview/350786

NOTE: This software has become shareware, so please check for details at the given link before downloading.


A good firewall is also essential, which is why I recommend Outpost Pro.

Tiny Firewall Pro also has some very advanced features for locking down your system if you have time and the knowledge to configure it securely.


-----------------------------------------------------
- Free Tools that can help in Detecting Trojans:
-----------------------------------------------------

-Process Explorer-
-TcpView-
-Filemon-
-Portmon-
-Tdimon-
-Filemap-

* yes, there's more...
http://technet.microsoft.com/de-de/sysinternals/default.aspx

------------------------------------------------------------------------------------------------------

GFI TrojanScan :

Is your system infected by Trojans?

Trojan horses are a huge security threat.
A Trojan is a program that can easily enter your computer undetected,
giving the attacker who planted the Trojan unrestricted access to the
data stored on your computer.
Trojans can transmit credit card information and other confidential data in the background.
Trojans are often not caught by virus scanning engines, because these are focused on viruses, not Trojans.
Catching such threats would require the use of a Trojan scanner
(a.k.a Trojan cleaner, Trojan remover, anti-Trojan).

- http://www.trojanscan.com/


-----------------------------------------------------------------------------------------------------------------------

- Back Officer Download:

Free - Back Officer Friendly "honeypot" attracts and traps attackers
Known as a "honey pot" for its ability to attract and trap hackers,
Back Officer Friendly (BOF) is a popular free download available exclusively from NFR Security, Inc.

Back Officer Friendly was originally created to detect when anyone attempts a Back Orifice scan against your computer.
It has since evolved to detect attempted connections to other services, such as Telnet, FTP, SMTP, POP3 and IMAP2.

When BOF receives a connection to one of these services,
it will fake replies to the hopeful hacker, wasting the attacker's time,
and giving you time to stop them from other mischief.

You will need to fill in a form and a link will be sent to you via email to download the program.


======================================
----------------------------------------------------------------------------------------------------------------------------
======================================

The following examples are the results of a really simple old browser hijack which also installed a SubSeven trojan, recorded in early 2003, which was blocked by Outpost and later killed.


-two .exe files were created upon infection:

- msrexe.exe and msdos.exe :

--------------------------------------------

C:\WINDOWS\System32\msrexe.exe
C:\Msdos.exe

Default trojan filename: RAT.AlexMessoMalex

UPX0 2576384 UXRW 00000000
UPX1 32768 DXRW bd57383b
UPX2 4096 DRW 273d1722

RegEnumKeyA
ExitProcess
GetProcAddress
LoadLibraryA
PostQuitMessage
Ordinal 115

--------------------------------------------------------------

The outbound connection was blocked by using Outpost Firewall Pro V1 in block most mode, which denied the trojan access to the internet since there were no rules allowing it.

66.150.0.159-ortv098.hypermart.net#(trojan)
66.150.0.0-66.150.3.255,InfoSpace-Go2net#(trojan)


Block All Activity MSREXE.EXE TCP 2271 n/a Unknown 0*/00/2003 1:36:30 AM ortv098.hypermart.net *.*.*.*

Block All Activity MSREXE.EXE TCP 1278 n/a Unknown 0*/00/2003 11:30:30 PM ortv098.hypermart.net *.*.*.*

Block All Activity MSREXE.EXE TCP 1294 n/a Unknown 0*/00/2003 4:36:30 PM ortv098.hypermart.net *.*.*.*

Block All Activity MSREXE.EXE TCP 1202 n/a Unknown 0*/00/2003 4:21:30 PM ortv098.hypermart.net *.*.*.*


It was running for a little while, I was a bit too busy with other things to take care of it.

----------------------------------------------------------------------------------------------------------------------


Ok, so every AntiVirus company likes to use a different name from their competition just because they can; it's a competition after all and they are in business for themselves to make money, not to make it easy for people.

That means you can get very confusing information when the same Trojan or Virus has six different aliases, and it's the user's problem to try and work it all out, not any of the companies'.


So this is Symantec's version of the trojan name, because I use NAV.

alias:
Backdoor.Jeem

From sysinternals process explorer :
\BaseNamedObjects\Jeem.p


Modules used by the process msrexe.exe running on the computer KonTr0L

Name Executable

ADVAPI32.dll C:\WINDOWS\system32\ADVAPI32.dll
apitrap.dll C:\WINDOWS\System32\apitrap.dll
DNSAPI.dll C:\WINDOWS\System32\DNSAPI.dll
GDI32.dll C:\WINDOWS\system32\GDI32.dll
iphlpapi.dll C:\WINDOWS\System32\iphlpapi.dll
kernel32.dll C:\WINDOWS\system32\kernel32.dll
msvcrt.dll C:\WINDOWS\system32\msvcrt.dll
mswsock.dll C:\WINDOWS\system32\mswsock.dll
ntdll.dll C:\WINDOWS\System32\ntdll.dll
psapi.dll C:\WINDOWS\System32\psapi.dll
rasadhlp.dll C:\WINDOWS\System32\rasadhlp.dll
RPCRT4.dll C:\WINDOWS\system32\RPCRT4.dll
USER32.dll C:\WINDOWS\system32\USER32.dll
winrnr.dll C:\WINDOWS\System32\winrnr.dll
WLDAP32.dll C:\WINDOWS\system32\WLDAP32.dll
WS2_32.dll C:\WINDOWS\System32\WS2_32.dll
WS2HELP.dll C:\WINDOWS\System32\WS2HELP.dll
wshtcpip.dll C:\WINDOWS\System32\wshtcpip.dll
WSOCK32.dll C:\WINDOWS\System32\WSOCK32.dll


----------------------------------------------------------------------------------

SubSeven v2.1

SubSeven v2.1 can use four different methods to load itself.
It can use one or more of the methods mentioned below. To remove it, check all of the alternatives below:


1. Open c:\windows\win.ini and look for the lines: run=MSREXE.exe and load=MSREXE.exe
Delete 'MSREXE.exe' from these lines.
2. Open c:\windows\system.ini.
Replace the line: shell = Explorer.exe MSREXE.exe with shell = Explorer.exe
3. Run regedit.exe
Go to
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
Delete any keys with the value 'MSREXE.exe'
4. Run Regedit.exe
Go to
HKEY_CLASSES_ROOT\exefile\shell\open\command
If the trojan uses this method to load itself, the value in this key will typically be "WINDOS \"%1\" %*"
Replace this value with "\"%1\" %*" (by simply removing WINDOS from the beginning of the line.)

By using this method, the SubSeven trojan will be loaded into memory every time any .exe file is loaded.

A side effect of this is that if you delete the trojan (i.e. WINDOS.exe) before fixing the key, Windows will not be able to run any .exe program.
Reboot the computer and delete all infected files.
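The four load points above, checked programmatically, as an added example that is not part of the original post. The win.ini/system.ini text and the registry contents are constructed (the Run value name "Loader" is made up), and the registry is passed in as a plain dict so the audit runs without Windows; on a real machine the same checks would be fed the contents of the files and keys the steps name.

```python
"""Audit the four SubSeven v2.1 load points from the removal steps above:
win.ini run=/load=, system.ini shell=, the Run/RunServices registry keys,
and the exefile\\shell\\open\\command hijack. Added example, not part of the
original post. The INI text and registry contents below are constructed; the
registry is passed in as a plain dict so the audit runs without Windows."""

EXPECTED_SHELL = "explorer.exe"
EXPECTED_EXEFILE_CMD = '"%1" %*'
RUN_KEYS = (
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices",
)
EXEFILE_KEY = r"HKEY_CLASSES_ROOT\exefile\shell\open\command"

# Constructed infected samples (the value name "Loader" is made up).
WIN_INI = """[windows]
load=MSREXE.exe
run=MSREXE.exe
NullPort=None

[Desktop]
Wallpaper=(None)
"""
SYSTEM_INI = """[boot]
shell=Explorer.exe MSREXE.exe

[386Enh]
woafont=dosapp.fon
"""
REGISTRY = {
    RUN_KEYS[0]: {"Loader": "MSREXE.exe"},
    EXEFILE_KEY: {"": 'WINDOS "%1" %*'},
}


def parse_ini(text):
    """Minimal INI parser: {section: {key: value}}, names lower-cased."""
    data, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            data.setdefault(section, {})
        elif "=" in line and section is not None:
            key, _, value = line.partition("=")
            data[section][key.strip().lower()] = value.strip()
    return data


def audit_win_ini(text):
    """[windows] run= and load= are normally empty; anything there autostarts."""
    windows = parse_ini(text).get("windows", {})
    return [f"win.ini {key}={windows[key]}"
            for key in ("run", "load") if windows.get(key)]


def audit_system_ini(text):
    """[boot] shell= must be exactly Explorer.exe; extra names are autostarts."""
    shell = parse_ini(text).get("boot", {}).get("shell", "")
    parts = shell.split()
    if not parts:
        return []
    if parts[0].lower() != EXPECTED_SHELL:
        return [f"system.ini shell= replaced: {shell}"]
    if len(parts) > 1:
        return [f"system.ini shell= has extra program(s): {' '.join(parts[1:])}"]
    return []


def audit_registry(reg, suspect_names=("msrexe.exe",)):
    """reg maps key path -> {value name: data}.

    Run/RunServices entries naming a suspect file are reported. The exefile
    command must be "%1" %*; any prefix (WINDOS here) runs on every .exe
    launch, so restore this value before deleting the file it points to, or
    no .exe will start afterwards, as the steps above note."""
    findings = []
    for key in RUN_KEYS:
        for name, data in reg.get(key, {}).items():
            if any(s in data.lower() for s in suspect_names):
                findings.append(f"{key}\\{name} = {data}")
    cmd = reg.get(EXEFILE_KEY, {}).get("", "")
    if cmd and cmd != EXPECTED_EXEFILE_CMD:
        idx = cmd.find(EXPECTED_EXEFILE_CMD)
        prefix = cmd[:idx].strip() if idx >= 0 else cmd
        findings.append(f"{EXEFILE_KEY} hijacked by: {prefix}")
    return findings


def audit_all(win_ini, system_ini, reg):
    """Run all four checks; an empty list means no SubSeven load point found."""
    return audit_win_ini(win_ini) + audit_system_ini(system_ini) + audit_registry(reg)


if __name__ == "__main__":
    for finding in audit_all(WIN_INI, SYSTEM_INI, REGISTRY):
        print("FOUND:", finding)
```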


---------------------------------------------------------------------

Alternate Data Streams:

---------------------------------------------------------------------


NTFS has alternate data streams, which means that information can be hidden on your HDD without your knowledge or permission.

One way to use alternate data streams is to put a trojan horse on your computer and hide it in an alternate data stream.

This could be a serious security issue.

The only way to find out what alternate data streams there are is to download and use programs like TDS-3, S-Find, ADS Spy and others.


Why is ADS a security risk?


The primary reason why ADS is a security risk is because streams are almost completely hidden and represent possibly the closest thing to a perfect hiding spot on a file system - something trojans can and will take advantage of.

Streams can easily be created/written to/read from, allowing any trojan or virus author to take advantage of a hidden file area.
But while streams can easily be used, they can only be detected with specialist software.

Programs such as Explorer can view normal parent files, but they can't see streams linked to such files, nor can they determine how much diskspace is being used by streams.

Because ADS is virtually unknown to many developers,
there are very few security programs available that are ADS-aware.

As such, if a virus implants itself into an ADS stream,
your anti-virus software will probably not be able to detect it.

In addition, streams cannot be deleted - to delete a stream you must delete its parent.

Streams are of particular importance to law enforcement agencies as important data
can sometimes be hidden in these covert file system channels.

Why does NTFS support streams?

The main (but not only) reason is for Macintosh file support.
Files stored on the Macintosh file system consist of two parts (known as forks) - one data fork, and one resource fork. Windows relies on the extension of the file (eg. ".exe") in order to determine which program should be associated with that file.
Macintosh files use the resource fork to do this.
NT stores Macintosh resource forks in a hidden NTFS stream,
with the data fork becoming the main parent file to the stream.

ADS has other uses.

As just one example, you could store a thumbnail image of a picture in a stream and even an audio track,
allowing a single file to have several multimedia components.
Some anti-virus programs store checksums in a stream under every file on your disk.
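A stream check over a directory listing, as an added example that is not part of the original post. It assumes the `dir /r` switch (available on Windows Vista and later; it lists each stream as file:stream:$DATA, which the XP-era tools named in the post such as ADS Spy or S-FIND show in their own way), and the listing below is constructed, not a real capture.

```python
"""Pick out Alternate Data Streams worth a second look from `dir /r` output.
Added example, not part of the original post. Assumes `dir /r` (Windows Vista
and later), which prints named streams as  file:stream:$DATA ; the directory
listing below is constructed, not a real capture."""

import re

# A stream line in `dir /r` output: leading whitespace, size, file:stream:$DATA.
STREAM_RE = re.compile(r"^\s+([\d,]+)\s+(.+?):([^:\\]+):\$DATA\s*$")
# Zone.Identifier is the well-known "downloaded from the Internet" tag.
KNOWN_BENIGN = {"zone.identifier"}
EXEC_EXT = (".exe", ".dll", ".scr", ".com", ".bat", ".vbs")

# Constructed `dir /r` listing (not a real capture).
SAMPLE_DIR_R = """ Volume in drive C has no label.

 Directory of C:\\Users\\user\\Desktop

03/11/2010  02:21 PM    <DIR>          .
03/11/2010  02:21 PM    <DIR>          ..
03/11/2010  02:20 PM                12 notes.txt
                                 34,816 notes.txt:hidden.exe:$DATA
03/11/2010  02:20 PM           245,760 picture.jpg
                                     26 picture.jpg:Zone.Identifier:$DATA
03/11/2010  02:22 PM                 8 readme.txt
                                 40,960 readme.txt:meta.txt:$DATA
               3 File(s)        245,780 bytes
"""


def parse_streams(dir_output):
    """Return [{'parent', 'stream', 'size'}] for every named stream listed."""
    streams = []
    for line in dir_output.splitlines():
        m = STREAM_RE.match(line)
        if m:
            streams.append({"parent": m.group(2), "stream": m.group(3),
                            "size": int(m.group(1).replace(",", ""))})
    return streams


def hidden_bytes(streams):
    """Total stream bytes; Explorer shows none of this in the parent's size."""
    return sum(s["size"] for s in streams)


def suspicious_streams(streams, size_threshold=16 * 1024):
    """Flag streams with an executable name or a payload-sized body, skipping
    the known benign tag. A flag is a lead to inspect the stream content with
    an ADS-aware tool, not a verdict on its own."""
    flagged = []
    for s in streams:
        name = s["stream"].lower()
        if name in KNOWN_BENIGN:
            continue
        if name.endswith(EXEC_EXT):
            flagged.append((s, "executable stream name"))
        elif s["size"] >= size_threshold:
            flagged.append((s, "large hidden payload"))
    return flagged


if __name__ == "__main__":
    found = parse_streams(SAMPLE_DIR_R)
    print(f"{len(found)} streams, {hidden_bytes(found)} bytes hidden from Explorer")
    for s, why in suspicious_streams(found):
        print(f"{s['parent']}:{s['stream']} ({s['size']} bytes): {why}")
```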


More info on Alternate Data Streams :

http://www.bleepingcomputer.com/forums/ind...showtutorial=25
http://www.windowsecurity.com/articles/Alt...ta_Streams.html

ADS scanning Programs :

CrucialADS - http://www.crucialsecurity.com/downloads.html

--

ADS Spy

Freeware
Operating System: XP/2000/2003/NT

http://www.bleepingcomputer.com/files/adsspy.php

ADS Spy is a tool used to list, view or delete Alternate Data Streams (ADS) on Windows 2000/XP with NTFS file systems.

ADS is a way of storing meta-information for files without actually storing the information in the file it belongs to, carried over from early MacOS compatibility from Windows NT4.

Recently browser hijackers began using this technique to store hidden information on the system, and even store trojan executable files in ADS streams of random files on the system. Use with caution.

---

You can get Foundstone's S-FIND from:
http://www.foundstone.com/knowledge/prodde...ic-toolkit.html


----------------------------------------------------------------------------------------------------

This post has been edited by TheSentinel: May 29 2010, 07:46 PM
Reason for edit: Broken links corrected

