Monday, July 24, 2006

Windows features in the security headlines: LSP & ADS

Technology news sites are highlighting a couple of longstanding Windows features that are being leveraged by malware authors. The features are layered service providers (LSP) and alternate data streams (ADS), which provide methods for network monitoring and file-hiding, respectively.

A little background is in order. Microsoft products have been under heavy attack lately by hackers using "fuzzing tools" such as Metasploit. Most recently, the author of Metasploit promised to release a browser exploit each day during July. So far, he's made good on his promise. Most of the attacks have targeted Microsoft's Internet Explorer.

Fuzzing tools perform brute-force alteration of file content such as web pages, PowerPoint files, etc. Their intent is to coax the native application into crashing. Once a crash is detected, the malware author can attempt to inject executable code into the file. This would be a typical method for creating a trojan horse.

eWeek: Zero-Day PowerPoint attack uses LSP

A couple of days ago, eWeek noted an ominous zero-day attack against PowerPoint. Its intent appears to be corporate espionage. When the PowerPoint file is opened by a user, malware named Trojan.Riler.F installs itself as a layered service provider (LSP):

An LSP is a legitimate system driver linked deep into the networking services of Windows. It is used primarily to allow the operating system to connect to other computers, but virus writers have found a way to make malicious programs work as LSPs to hijack sensitive data during transmission.
Symantec, of Cupertino, Calif., said the Trojan also opens a back door on the compromised system and connects to the "" domain. The Trojan then listens and waits for commands from a remote attacker... [it] logs keyboard strokes, hijacks sensitive system data and transmits the information back to a remote server hosted in China...

Consider LSPs a lower-level form of Microsoft's browser helper objects (BHOs). BHOs are well-known in anti-virus circles as a primary means for infecting Internet Explorer with spyware- and adware-delivery systems. But BHOs focus primarily on users' web surfing. LSPs, on the other hand, are less well-known but far more powerful. They allow an attacker to inspect and/or hijack any network traffic: instant messages, POP/SMTP email, etc.

Windows is the only operating system that supports LSPs and BHOs. It is unclear why Microsoft added support for low-level network monitoring features without also providing easy methods for reviewing and uninstalling packages that leverage them.

ZDNet: Rootkits hide using ADS

ZDNet reports that rootkits are getting better at hiding. The term 'rootkit' is a catch-all phrase that Wikipedia defines as, "...a set of software tools intended to conceal running processes, files or system data, thereby helping an intruder to maintain access to a system whilst avoiding detection." Whilst? Anyhow, ZDNet specifically describes the malware known as Rustock:

...To avoid detection, [it] runs no system processes, but runs its code inside a driver and kernel threads, Florio wrote. It also uses alternate data streams (Ed: emphasis mine) instead of hidden files and avoids using application programming interfaces (APIs). Today's detection tools look for system processes, hidden files and hooks into APIs, according to Florio's post...

What exactly are Alternate Data Streams (ADS)? ADS has been around since the advent of the NT file system (NTFS). Reportedly, they were added to NTFS in order to provide compatibility with HFS, the old Macintosh Hierarchical File System. HFS used multiple "forks" to manage its files: the data fork held the payload of the file while the resource fork held the file's metadata.
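Because the detection tools quoted above look for hidden files rather than hidden streams, a defender wants a way to enumerate the streams themselves. The following PowerShell script is an added example (not from the original post or from the tools it cites); it assumes Windows PowerShell 3.0 to 5.1 on an NTFS volume, and the scan root and switch names are my own placeholders.

```powershell
# Added example: walk a directory tree on an NTFS volume, list every alternate
# data stream, and flag streams whose first two bytes look like a Windows
# executable ("MZ"). Assumes Windows PowerShell 3.0-5.1 (Get-Item/Get-Content
# -Stream, -Encoding Byte). $Root is a placeholder path.
param(
    [string]$Root = 'C:\Users\Public',   # placeholder scan root
    [switch]$IncludeZoneIdentifier        # Zone.Identifier is the common, benign "mark of the web"
)

function Test-StreamLooksLikePE {
    param([string]$File, [string]$Stream)
    try {
        # Read only the first two bytes of the named stream.
        $b = Get-Content -LiteralPath $File -Stream $Stream -Encoding Byte -TotalCount 2 -ErrorAction Stop
        return (@($b).Count -eq 2 -and $b[0] -eq 0x4D -and $b[1] -eq 0x5A)
    } catch { return $false }
}

function Get-AlternateDataStreams {
    param([string]$Path, [switch]$IncludeZoneIdentifier)
    Get-ChildItem -LiteralPath $Path -Recurse -File -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file = $_.FullName
            # Get-Item -Stream * yields one object per stream; ':$DATA' is the
            # ordinary file content, so anything else is an alternate stream.
            Get-Item -LiteralPath $file -Stream * -ErrorAction SilentlyContinue |
                Where-Object { $_.Stream -ne ':$DATA' } |
                Where-Object { $IncludeZoneIdentifier -or $_.Stream -ne 'Zone.Identifier' } |
                ForEach-Object {
                    [pscustomobject]@{
                        File        = $file
                        Stream      = $_.Stream
                        Bytes       = $_.Length
                        LooksLikePE = Test-StreamLooksLikePE -File $file -Stream $_.Stream
                    }
                }
        }
}

# Executable content carried in a stream is the pattern described above, so
# sort those findings to the top for review.
$findings = Get-AlternateDataStreams -Path $Root -IncludeZoneIdentifier:$IncludeZoneIdentifier
$findings | Sort-Object LooksLikePE -Descending | Format-Table -AutoSize
```

Run it as Administrator so that -Force can reach hidden and system files; a non-empty result is a lead for inspection, not proof of infection, since some applications store legitimate metadata in streams.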

Is ADS a newly discovered threat? Actually, not at all. ADS has been recognized as a potential security threat for at least eight years:

...In July 1998, InfoWorld Security Watch columnists Stuart McClure and Joel Scambray wrote that NTFS alternate data streams present a threat to information security. McClure and Scambray maintain that malicious users can use alternate streams to hide infected code and that no existing antivirus product can detect or disinfect viruses within an alternate stream. Two years passed, and no one took steps to resolve the situation. In August 2000, two Czech hackers, under the pseudonyms Benny and Ratter, created the W2K.Stream virus. This virus, which cleverly uses alternate streams to carry infected files, is a harsh reminder of the NTFS feature's vulnerability...

That wasn't it. Windows IT Pro carried a similar warning in 2001. Ray Zadjmool, writing in Windows Security, rang the alarm klaxons again in 2004. Yet he could accurately call the feature "relatively unknown."

The following year (2005), Rick Cook could still call ADS 'little-known' despite the fact that SecurityFocus had explicitly called out the ADS threat:

...There has been a marked increase in the use of these streams by malicious hackers wanting to store their files once they have compromised a computer. Not only that, it has also been seen that viruses and other types of malware are being placed there as well...

...In the interest again of visually showing what these streams are and how they can appear once detected, a screenshot of before and after will be shown. The tools lads and lns were used to look for the streams on the Windows 2000 machine, both before and after the hack...

So, while ZDNet's article this week is noteworthy, ADS is hardly a new threat.

The real question: why does Microsoft continue to support ADS? Or, at the very least, why does it not provide a method for disabling its use?

Final Thoughts

If there are a few lessons we can draw from the experiences of LSP and ADS (and BHOs, for that matter), I'd propose the following:
  • Have an external security audit on software features that expose data to third-parties
  • Provide methods for completely disabling features that expose said data
  • Prompt the end-user whenever an application requests access to shared data
  • Provide a way for end users to review which applications are using data exposure tools
  • Offer end users an ability to opt out of sharing data with third-parties
  • Log everything

In the meantime, beware the PowerPoint from parts unknown.
