
Obfuscating malware in NTFS Additional Data Streams

While analyzing some malware I found something interesting. The sample used NTFS Additional Data Streams (ADS) to obfuscate its autostart entry in the registry. NTFS has supported additional data streams (ADS) since Windows NT 3.51. It looked to me as if the authors had used the following technique to hide and obfuscate their malware:

type evil.dll > c:\windows\system32\kernel32.dll:CreateNlsSecurityDescriptor

In

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

I found:

rundll32.exe c:\windows\system32\kernel32.dll:CreateNlsSecurityDescriptor,WindowsSecureStartup

Well, this is cool, although it will not trick a malware analyst.
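A defender-side check for this persistence pattern, added here as an example and not code from the original post: it scans Run-key command lines for a `file:stream` reference (the drive-letter colon is excluded) and flags the rundll32-from-a-stream shape shown above. The sample Run values are constructed; on Windows the script reads the live HKLM Run key through winreg, elsewhere it falls back to the samples.

```python
import re
import sys

# Constructed sample Run values (not from a real system). The first mirrors the
# shape of the entry in the post; the rest are benign controls containing colons.
SAMPLE_RUN_VALUES = {
    "WindowsSecureStartup": r"rundll32.exe c:\windows\system32\kernel32.dll:CreateNlsSecurityDescriptor,WindowsSecureStartup",
    "OneDrive": r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
    "Updater": r"C:\ProgramData\upd\svc.exe:payload.exe:$DATA",
    "Portal": r'"C:\Program Files\Tool\tool.exe" --url http://example.invalid/',
}
RUN_KEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run"

# A path token (drive-letter form first, so its own colon is consumed as part of the
# path; otherwise anything containing a backslash) followed by ':' and a stream name.
_ADS_RE = re.compile(
    r'(?P<file>[A-Za-z]:\\[^"\s,:]*|[^"\s,:]*\\[^"\s,:]*):(?P<stream>[^"\s,:]+)(?::\$DATA)?'
)


def find_ads_references(command: str) -> list[tuple[str, str]]:
    """Return (host_file, stream) pairs for every file:stream reference in a command line."""
    return [(m.group("file"), m.group("stream")) for m in _ADS_RE.finditer(command)]


def audit_run_values(values: dict[str, str]) -> list[dict]:
    """Flag Run entries whose command line loads something out of an ADS."""
    findings = []
    for name, cmd in values.items():
        for host, stream in find_ads_references(cmd):
            findings.append({"value": name, "host_file": host, "stream": stream,
                             # rundll32 + DLL-in-stream is exactly the pattern from the post
                             "rundll32": "rundll32" in cmd.lower()})
    return findings


def load_run_values() -> dict[str, str]:
    """Read HKLM Run values on Windows; returns {} elsewhere (winreg is Windows-only)."""
    if sys.platform != "win32":
        return {}
    import winreg
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, RUN_KEY) as key:
        entries = (winreg.EnumValue(key, i) for i in range(winreg.QueryInfoKey(key)[1]))
        return {name: str(data) for name, data, _ in entries}


if __name__ == "__main__":
    for f in audit_run_values(load_run_values() or SAMPLE_RUN_VALUES):
        print(f"{f['value']}: {f['host_file']} -> stream {f['stream']} rundll32={f['rundll32']}")
```

A hit on a host file such as kernel32.dll is worth confirming on the box itself (for example with `Get-Item <file> -Stream *` in PowerShell), since the regex only sees the command line, not the file system.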