Kaspersky Lab Int. is solving the problem of ADS NTFS viruses
On September 4, 2000, Kaspersky Lab Int. released
a warning about the appearance of the W2K.Stream virus, the first known
malicious code to use the alternate data streams (ADS) of the NTFS file
system. Unfortunately, many anti-virus companies worldwide did not recognise
this as a serious problem and misled their users by classifying the threat
as low.
Kaspersky Lab considers it necessary to reconfirm its position on this matter
and declares once more that the use of ADS in Windows 2000 by virus writers poses
a serious potential threat for both home users and corporate-wide networks. By
continuing to ignore this new method of infection, anti-virus companies risk another
virus epidemic.
The main problem is that no existing anti-virus scanner has an ADS checking
feature. Thus, a virus or a Trojan horse is able to hide without any fear of
being found. One solution could be to use a resident anti-virus monitor. However,
even then, protection cannot be absolute, as not all of these programs support
ADS. The situation may be even more alarming, since most users (especially corporate
ones) prefer to check for viruses using scheduled scanners rather than monitors
that place a greater demand on system resources and reduce the system's stability.
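A stand-alone PowerShell script, added here as an example and not part of the original press release or of any Kaspersky product, that performs the stream enumeration the text says scanners lacked: it lists every alternate data stream under a directory tree and can copy one out to a regular file so an ordinary scanner can examine it. The function names are my own; it assumes Windows PowerShell 3.0 or later on an NTFS volume, and treats Zone.Identifier (the stream Windows writes to downloaded files) as expected rather than suspicious.

```powershell
# Added example (not Kaspersky's code). Assumes Windows PowerShell 3.0+ and an NTFS volume.
function Find-AlternateDataStreams {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Root,
        # Stream names expected on a normal system; skipped unless -IncludeKnown is given
        [string[]]$KnownBenign = @('Zone.Identifier'),
        [switch]$IncludeKnown
    )
    # -Force includes hidden and system files, which is where a hidden stream would sit
    Get-ChildItem -LiteralPath $Root -Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $item = $_
            # -Stream * enumerates all streams; ':$DATA' is the ordinary unnamed data
            # stream, so anything else is an alternate stream. Directories can carry them too.
            Get-Item -LiteralPath $item.FullName -Stream * -ErrorAction SilentlyContinue |
                Where-Object { $_.Stream -ne ':$DATA' } |
                ForEach-Object {
                    $known = $KnownBenign -contains $_.Stream
                    if ($known -and -not $IncludeKnown) { return }
                    [pscustomobject]@{
                        Path   = $item.FullName
                        Stream = $_.Stream
                        Bytes  = $_.Length
                        Known  = $known
                    }
                }
        }
}

# Copy one stream's raw bytes into a normal file so a scanner that ignores ADS can still inspect it.
function Export-AlternateDataStream {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$Stream,
        [Parameter(Mandatory)][string]$Destination
    )
    # Windows PowerShell uses -Encoding Byte; PowerShell 6+ replaced it with -AsByteStream
    $bytes = if ($PSVersionTable.PSVersion.Major -ge 6) {
        Get-Content -LiteralPath $Path -Stream $Stream -AsByteStream -Raw
    } else {
        Get-Content -LiteralPath $Path -Stream $Stream -Encoding Byte -Raw
    }
    if ($null -eq $bytes) { $bytes = New-Object byte[] 0 }   # empty stream
    [System.IO.File]::WriteAllBytes($Destination, $bytes)
}

# Usage: report unexpected streams under a profile directory, largest first
Find-AlternateDataStreams -Root 'C:\Users' |
    Sort-Object Bytes -Descending |
    Format-Table Path, Stream, Bytes -AutoSize
```

A stream confirmed to be unwanted can be deleted on its own with `Remove-Item -LiteralPath <file> -Stream <name>`, which leaves the file's main data stream intact.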
The main argument that some anti-virus experts put forward to refute the
seriousness of the threat is that the virus must modify the main NTFS
stream by implanting a "starting code," which activates the virus from
the ADS. So, the reasoning goes, anti-virus scanners will detect this modification.
This argument is flawed, because finding the "starting code" is extremely
problematic: this code does not differ from any other subprogram that reads
data from the ADS. Just imagine how many false positives this method of
detection would produce.
Also, to disprove this argument, Kaspersky Lab specialists have carried
out a series of experiments and have found several methods to get around this
condition in Windows 2000.
"We do not intend to make a manual out of this press release for virus writers
on how to create new viruses, which is why we are leaving out a description
of the methods used. We should stress, however, that these methods are so simple
and obvious that they will soon be discovered by any interested person," said
Eugene Kaspersky, Head of Anti-virus Research at the company.
There are other arguments against the seriousness of the threat, such as the
fact that ADS modification in protected Windows directories is not possible
because of the built-in defence. This assertion is completely false, since this
protection does not operate under Windows 2000.
Kaspersky Lab emphasises once more that viruses in ADS are a serious
threat, and should not be underestimated.
"Unlike creating an antidote for a new macro-virus, which takes just a couple
of minutes, adding ADS support will take anti-virus companies at least one week.
When true ADS-viruses appear, users will be without any protection until their
anti-virus software has been upgraded," said Denis Zenkin, Head of Corporate
Communications for Kaspersky Lab. "We consider that the scanning of all
alternative streams has to become an essential attribute of every up-to-date
anti-virus product. Taking this into account, we have already added the anti-virus
support for NTFS alternative streams to Kaspersky Anti-Virus 3.5 (AVP), which
will be released this week."