Windows 2000 Viruses: Anti-Virus Company Mistakes Might Result in Some Major Headaches

10 Sep 2000
Virus News

Kaspersky Lab Int. is solving the problem of ADS NTFS viruses

On September 4, 2000, Kaspersky Lab Int. released a warning about the appearance of the W2K.Stream virus, the first known malicious code that uses the alternate data streams (ADS) of the NTFS file system. Unfortunately, many anti-virus companies worldwide did not recognise this as a serious problem and misled their users by classifying the threat as low.

Kaspersky Lab considers it necessary to reconfirm its position on this matter and declares once more that the use of ADS in Windows 2000 by virus writers poses a serious potential threat for both home users and corporate networks. By continuing to ignore this new method of infection, anti-virus companies risk another virus epidemic.

The main problem is that no existing anti-virus scanner has an ADS checking feature. Thus, a virus or a Trojan horse is able to hide there without any fear of being found. One solution could be to use a resident anti-virus monitor. However, even then, protection cannot be absolute, as not all of these programs support ADS. The situation may be even more alarming, since most users (especially corporate ones) prefer to check for viruses with scheduled scanners rather than with monitors, which place a greater demand on system resources and reduce the system's stability.
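The gap described above, a scheduled scan that never looks past the default data stream, is easy to close for an administrator who can enumerate NTFS streams directly. The following PowerShell script is an added example written for this page; it is not code from the press release or from any Kaspersky product. It assumes Windows PowerShell 3.0 or later (or PowerShell 6+) on an NTFS volume, and the function names, the `Find-AlternateDataStreams` parameters and the sample file it creates are all assumptions of the example.

```powershell
# Added example: enumerate NTFS alternate data streams under a directory so a
# scheduled scan can inspect content that a plain directory listing never shows.
# Assumes Windows PowerShell 3.0+ or PowerShell 6+ on an NTFS volume. Not part
# of the original press release or of any Kaspersky product.

function Find-AlternateDataStreams {
    [CmdletBinding()]
    param(
        # Root of the tree to scan (assumed parameter name).
        [Parameter(Mandatory)] [string] $Path,
        # Number of leading bytes read from each named stream for header inspection.
        [int] $HeaderBytes = 2
    )

    # -Force includes hidden and system files; -File skips directories.
    Get-ChildItem -LiteralPath $Path -Recurse -File -Force -ErrorAction SilentlyContinue |
      ForEach-Object {
        $file = $_
        # Get-Item -Stream * lists every stream of the file. ':$DATA' is the
        # ordinary unnamed content that every scanner already reads, so skip it.
        Get-Item -LiteralPath $file.FullName -Stream * -ErrorAction SilentlyContinue |
          Where-Object { $_.Stream -ne ':$DATA' } |
          ForEach-Object {
            $stream = $_

            # Read the first bytes of the named stream. Windows PowerShell uses
            # -Encoding Byte; PowerShell 6+ replaced it with -AsByteStream.
            $readArgs = @{
                LiteralPath = $file.FullName
                Stream      = $stream.Stream
                TotalCount  = $HeaderBytes
                ErrorAction = 'SilentlyContinue'
            }
            if ($PSVersionTable.PSVersion.Major -ge 6) { $readArgs.AsByteStream = $true }
            else                                        { $readArgs.Encoding = 'Byte' }
            $head = @(Get-Content @readArgs)

            # A PE image starts with the ASCII bytes "MZ" (0x4D 0x5A). A stream
            # carrying one is exactly what an ADS-blind scanner would miss.
            $isPE = ($head.Count -ge 2 -and $head[0] -eq 0x4D -and $head[1] -eq 0x5A)

            [pscustomobject]@{
                File     = $file.FullName
                Stream   = $stream.Stream
                Length   = $stream.Length
                PEHeader = $isPE
            }
          }
      }
}

function New-AdsDemoFile {
    # Creates a constructed sample: a plain text file with one named stream,
    # so the scan above has something to report. Returns the directory used.
    $dir = Join-Path $env:TEMP ('ads-demo-' + [guid]::NewGuid().ToString('N'))
    New-Item -ItemType Directory -Path $dir | Out-Null
    $file = Join-Path $dir 'notes.txt'
    Set-Content -LiteralPath $file -Value 'visible content'
    # Constructed sample stream; the name 'demo' is arbitrary.
    Set-Content -LiteralPath $file -Stream 'demo' -Value 'hidden sample text'
    return $dir
}

# Usage: build the sample, scan it, and compare with what 'dir' shows.
$root = New-AdsDemoFile
Get-ChildItem -LiteralPath $root            # lists notes.txt and nothing else
Find-AlternateDataStreams -Path $root | Format-Table -AutoSize
Remove-Item -LiteralPath $root -Recurse -Force
```

Expect the scan to report the `demo` stream on `notes.txt` with `PEHeader` false. Run against a real user directory it will also list `Zone.Identifier` streams, which Windows attaches to downloaded files and which are expected; the streams worth a second look are unexpected names, large sizes, and anything flagged with a PE header.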

The main argument that some anti-virus experts put forward to refute the seriousness of the threat is that the virus must modify the main NTFS stream to implant a "starting code," which activates the virus from the ADS. So, the reasoning goes, anti-virus scanners will detect this modification. This argument is flawed, because finding the "starting code" is extremely problematic: this code does not differ from any other subprogram that reads data from an ADS. Just imagine how many false positives this method of detection would produce.

Also, to disprove this argument, Kaspersky Lab specialists have carried out a series of experiments and have found several methods to get around this condition in Windows 2000.

"We do not intend to make a manual out of this press release for virus writers on how to create new viruses, which is why we are leaving out a description of the methods used. We should stress, however, these methods are so simple and obvious that they will soon be discovered by any interested person," said Eugene Kaspersky, Head of Anti-virus Research at the company.

There are other arguments against the seriousness of the threat, such as the claim that ADS modification in protected Windows directories is not possible because of the built-in defence. This assertion is completely false, since this protection does not operate under Windows 2000.

Kaspersky Lab emphasises once more that viruses in ADS are a serious threat, and should not be underestimated.

"Unlike creating an antidote for a new macro-virus, which takes just a couple of minutes, anti-virus companies will require at least one week to add ADS support. When true ADS-viruses appear, users will be without any protection until their anti-virus software has been upgraded," said Denis Zenkin, Head of Corporate Communications for Kaspersky Lab. "We consider that the scanning of all alternative streams has to become an essential attribute of all up-to-date anti-virus software. Taking this into account, we have already added anti-virus support for NTFS alternative streams to Kaspersky Anti-Virus 3.5 (AVP), which will be released this week."