Re: Displaying streams as xattrs

[ronnie sahlberg <ronniesahlberg@gmail.com>]

On Wed, 24 May 2023 at 08:34, Jeremy Allison <jra@samba.org> wrote:
>
> On Wed, May 24, 2023 at 07:44:36AM +1000, ronnie sahlberg wrote:
> >On Wed, 24 May 2023 at 02:25, Jeremy Allison <jra@samba.org> wrote:
> >>
> >> On Tue, May 23, 2023 at 10:59:27AM +1000, ronnie sahlberg wrote:
> >>
> >> >There are really nice use-cases for ADS where one can store additional
> >> >metadata within the "file" itself.
> >>
> >> "Nice" for virus writers, yeah. A complete swamp for everyone
> >> else :-).
> >
> >Viruses? I don't think they use ADS much since most tools under
> >windows understand ADS.
>
> https://insights.sei.cmu.edu/blog/using-alternate-data-streams-in-the-collection-and-exfiltration-of-data/
>
> "Malware that takes advantage of ADSs is not new. MITRE lists over a
> dozen named malware examples that use ADSs to hide artifacts and evade
> detection. Attack tools, such as Astaroth, Bitpaymer, and PowerDuke,
> have been extensively detailed by various parties, providing insight
> into how these threats take advantage of ADS evasion on a host system.
> Authors, such as Berghel and Brajkovska, downplay the risks of ADSs. Our
> opinion, however, is that ADSs introduced the host of concealment and
> obfuscation techniques outlined above, but little has been done to
> mitigate these worries since their publication in 2004."
>
> As I also recall the published US "hacking toolset" also used
> an ADS on the root directory of a share to exfiltrate data
> from the target.
>
> ADS - "Just Say No !"

I think that is a flawed argument.
It only really means that the virus scanners are broken. So we tell
the virus scanner folks to fix their software.
Viruses hide inside all sort of files and metadata.
There are viruses that hide inside JPEG files too and some of them
even gain privilege escalations through carefully corrupted JPEG
files.
We fix the bugs in the parser, we don't "drop support for JPEG files".

ronnie s

>
> :-).