Original filename: auth.pdf
This PDF 1.4 document has been generated by Adobe InDesign CC 13.0 (Windows) / Adobe PDF Library 15.0, and has been sent on pdf-archive.com on 01/02/2018 at 14:29, from IP address 176.153.x.x.
File size: 2.5 MB (11 pages).
Nº01 - FEB 2018
First of all, thank you for taking the time to read the very first edition of Authenticate Magazine by the Security group. This project started as an idea while speaking with Assass@in and myself (The Worker). While reading Authenticate you will be kept aware of the latest news concerning website security, computer security, cryptocurrency, coding and much more. We are a small team taking some time off our real life to write about subjects we are passionate about, to keep you updated and maybe teach you something you didn't know; well, that would be the must for us, helping members learn something new.
This being the first edition, we are still learning how to come up with an interesting magazine and how to deliver it as we idealize it. I'd like to thank all the people that have been involved in helping Auth all the way to its release. We have seen people come and go and unfortunately we weren't able to write about all the different subjects Authenticate was supposed to cover. I still hope you will be able to appreciate the material that has made it into the finished product and that you will be inspired to contribute for the next
The magazine will be released every month and should see an increase of topics and contributors with
The content creators have written every article themselves and they were then submitted to the editors, who corrected all the mistakes and formatted them to make it easier for you, the reader, to understand. Everything was then posted in the sub-forums and my job was to create the entire design of the Magazine and to create visual themes around each topic written by the content creators. I guess you understand this wasn't an easy task and that hours have gone into this project. I insist again on the fact that we count on you to want to contribute and become a part of the Magazine; the Security group will always have its doors open to people that desire to be involved in its development. I hope you will be able to appreciate the visual aspect of the Magazine. I will never be able to thank enough my dear Authenticate Magazine team for following the project till the end and encouraging me to get the work done.
We don't claim to have made something fantastic, but we are just happy and proud to share with you something we all wanted to accomplish. If you are a grammar nazi and find any spelling mistake, or have something to say to improve this edition, please do and I'll update it accordingly.
Enough of me talking. I hope you have a good read and, if you enjoyed it, we encourage you to drop us a comment on the thread.
The Worker, Assass@in and the rest of the Authenticate Magazine team.

Contents
Authenticate Magazine's Team Introductions
Malware News by Assass@in
International Security News by BowmanBot
Coder's Report by Kuudere
Cryptocurrency Report by Thomas Shelby
How Stuff Works by Assass@in
Software Review by Assass@in
Last Words
Kuudere - zunzutech
Windows developer and malware reverse engineer

Assass@in
Malware and Windows OS Content Creator
First dabbling in the field of malware and malware removal at the age of 15, AsSaSs@in dove head first into the world of malware in the years to follow, helping thousands of users on a number of online forums including GeeksToGo, WhatTheTech, Geek Police and more. While his passion to help members in need spread far, he still calls Hack Forums his 127.0.0.1, where he has been a member for almost 10 years. AsSaSs@in is looking forward to sharing some knowledge and history he finds pretty neat in the ever evolving fields of malware and the Windows operating system. Feel lucky he already gave you his name...

The Worker
Authenticate Magazine Leader - Ethical Pen-tester
Hello! I joined HackForums scouting for GFX packs and tutorials. Seeing the array of developers and hackers on the forums (cough) back then, I got hooked on these matters as soon as I joined in 2012. As soon as I heard of Backtrack I got my hands on it and started exploring and pen testing everything I could. IRL I'm a computer technician in France and I love card magic as well as playing guitar. I have a flat with my girlfriend (she has HF!) and I'm currently writing a novel which I hope you will be able to read soon...

Thomas Shelby
Cryptocurrency Reporter/Trader/Investor & Entrepreneur
Currently, my time is consumed the most by reading about cryptocurrencies and analyzing them technically, studying, making money and working out. When I'm not looking at charts I'm either looking to make cash (building websites, etc.) or studying. In my free time, usually late at night, I enjoy relaxing my mind and body by working out and taking stimulants.

BowmanBot
Entrepreneur and Philosopher
I started on Hack Forums back in 2013 and have recently increased my activity on the forums. I am a business student who is active in the political scene in my home country. I enjoy following international relations and politics. My role on Hack Forums is to help fellow members from a philosophical standpoint as well as aid them in improving their skill set. I live my life as an Altru-Hedonist and am always willing to help anyone who needs it. My knowledge of programming is fairly limited but I make up for it in my business and philosophical skills. Always Learn. Always Improve. Always Progress.

Aerodactyl
Authenticate "Grammar Nazi"
Aerodactyl is a man that knows his way around a sentence. He spends much of his free time with his nose buried in a Kindle. He is also currently a student focusing on the figurative mountain of work required to obtain his degree. His willingness to aid others is what drew him to offer himself to Authenticate.
North Korean Holds
In late December it was formally confirmed by the USA that the WannaCry ransomware was indeed developed in the Democratic People's Republic of Korea (DPRK); this confirms earlier allegations made by Microsoft's president and the UK National Cyber Security Centre.
WannaCry is classified as ransomware. This means that once the malware gains access to the user's system it encrypts the user's data with keys that only the malware producers can recover and appends its own extension to every encrypted file. This renders the user's machine unusable and they are presented with a 'ransom' note (which is where the term ransomware derives its name from). This ransom note is similar to what you have seen in movies: pay the fee and receive the decryption key. For more information regarding ransomware in general, check out our Malware Mugshot. The initial ransom is $300 USD; 72 hours after the infection appeared the ransom increases to $600 USD, and the note warns that 7 days after infection the files will no longer be recoverable, leaving the machine inoperable. The developers behind WannaCry have abused the anonymity and international worth associated with cryptocurrencies that we all at Hack Forums have come to know and love. This comes as another blow to the presence and reputation of cryptocurrency as a legitimate payment method.
To turn on automatic updates:
1. Select the Start button, then select Settings > Update & Security > Windows Update. If you want to check for updates manually, select Check for updates.
2. Select Advanced options, then under Choose how updates are installed, select Automatic.
There have been several generations of WannaCry, each as devastating as the last. Infecting multi-billion dollar companies and their networks seems to be its modus operandi; the list includes Honda, O2 and FedEx, to name a few! In a modern era where economically we rely on our systems to operate businesses, it comes as no surprise that the effects on businesses and their end customers are devastating.
"So why not decrypt it?" I hear you saying. WannaCry spreads with leaked National Security Agency (NSA) tooling and locks files with a hybrid scheme: each file is encrypted with its own AES key, and those keys are in turn encrypted with RSA-2048, an asymmetric algorithm. Only the attackers hold the matching private key, and deriving it from the public key is computationally infeasible, so there is no way to generate the decryption key yourself.
WannaCry was widely reported to arrive bundled in email links, advertisements and Dropbox links, but it needs no user at all: it is a worm that scans for other machines exposing SMB on TCP port 445 and exploits a vulnerability in the Windows operating system to get in. The malware has been revised as Microsoft released patches against older versions of it. This alone is evidence of how important it is to ensure you have the latest version of Windows installed on your system; it is best practice to have automatic updates enabled and to allow Windows to install them as they become available.
The exploit known as EternalBlue targets a bug Microsoft had already patched in March 2017 as MS17-010, two months before the outbreak in May 2017, after which Microsoft even shipped patches for unsupported systems such as Windows XP. However, as users on larger networks don't update their operating systems, they continue to remain vulnerable to this attack. The worm component scans for the vulnerability and, where it finds it, the encryptor payload is dropped and executed on the system, delivering the final blow. It would appear that Russian citizens were the most frequently hit by these attacks based off
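A quick way to check a machine for the exposure WannaCry relied on, written as an added example for this article rather than taken from it. It assumes an elevated PowerShell on Windows 8.1, Windows 10 or Server 2012 R2 and later (the SMB, optional-feature, NetTCPIP and firewall cmdlets it uses exist there). The KB numbers are the ones listed in the MS17-010 bulletin for the affected versions, quoted from memory, so verify them against the bulletin; the date test is a heuristic, since later cumulative updates supersede those KBs, and a miss on every check means "verify by hand", not "safe".

```powershell
# Added example (not from the article): is this host still exposed to EternalBlue / MS17-010?
# Assumes an elevated PowerShell on Windows 8.1, Windows 10 or Server 2012 R2 and later.

# KB numbers as listed in the MS17-010 bulletin, quoted from memory: verify against the bulletin.
$Ms17010Kbs  = 'KB4012598','KB4012212','KB4012215','KB4012213','KB4012216',
               'KB4012214','KB4012217','KB4012606','KB4013198','KB4013429'
$Ms17010Date = [datetime]'2017-03-14'   # the day the bulletin shipped

function Get-Ms17010Exposure {
    $os       = Get-CimInstance Win32_OperatingSystem
    $hotfixes = Get-HotFix
    $hasKb    = [bool]($hotfixes | Where-Object { $Ms17010Kbs -contains $_.HotFixID })
    # Heuristic only: later cumulative updates supersede the original KBs, so an update
    # installed after the bulletin date very likely carries the fix as well.
    $patchedLater = [bool]($hotfixes | Where-Object {
        $_.InstalledOn -and $_.InstalledOn -ge $Ms17010Date })

    # SMBv1 is the attack surface EternalBlue needs: check the server switch and the feature.
    $smb1On    = (Get-SmbServerConfiguration).EnableSMB1Protocol
    $feature   = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
    $featureOn = ($feature -ne $null -and $feature.State -eq 'Enabled')
    $listening = [bool](Get-NetTCPConnection -LocalPort 445 -State Listen -ErrorAction SilentlyContinue)

    if (-not $smb1On -and -not $featureOn) { $verdict = 'SMBv1 off: EternalBlue cannot reach this host' }
    elseif ($hasKb -or $patchedLater)      { $verdict = 'SMBv1 on but patched: disable SMBv1 anyway' }
    else                                   { $verdict = 'SMBv1 on, no MS17-010 evidence: patch and disable now' }

    [pscustomobject]@{
        OS                   = "$($os.Caption) build $($os.BuildNumber)"
        Ms17010KbPresent     = $hasKb
        PatchedAfterBulletin = $patchedLater
        Smb1ServerEnabled    = $smb1On
        Smb1FeatureEnabled   = $featureOn
        Port445Listening     = $listening
        Verdict              = $verdict
    }
}

function Disable-Smb1 {
    # The corrected configuration: turn the protocol off and remove the feature.
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
    # For hosts that cannot reboot yet: block inbound 445 at the host firewall as well.
    if (-not (Get-NetFirewallRule -DisplayName 'Block inbound SMB 445' -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName 'Block inbound SMB 445' -Direction Inbound `
            -Protocol TCP -LocalPort 445 -Action Block | Out-Null
    }
}

Get-Ms17010Exposure | Format-List
# Disable-Smb1   # run once the report says SMBv1 is still on
```

The verdict deliberately ranks the SMBv1 state above the patch state: a host with SMBv1 removed is out of EternalBlue's reach whatever Get-HotFix says, while a patched host that still speaks SMBv1 remains exposed to the next bug in that code. Disabling the feature needs a reboot to take full effect, which is why the firewall rule is added alongside it.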
So, how did these bodies determine the strong link between North Korea (DPRK) and WannaCry? Well, it turns out it's a combination of linguistic analysis of the ransom notes left on people's systems and some reverse engineering of the files and methods of infection. Linguistic analysis of the ransom notes indicated the authors were likely fluent in Chinese and proficient in English, as the versions of the notes in those languages were probably human-written while the rest seemed to be
Forensics carried out independently by Kaspersky and Symantec revealed that there is some shared code between known Lazarus tools and the WannaCry ransomware. Symantec has determined that this shared code is a custom SSL implementation. It uses a specific sequence of 75 ciphers which, to date, has only been seen across Lazarus tools (including Contopee and Brambul) and WannaCry variants. While this is not definitive evidence of its association, it definitely warrants
Number of unique users per month attacked by Ransomware:
Who is Lazarus? Lazarus Group is a cybercrime group made up of an unknown number of individuals. Not much is known of those within Lazarus; however, we do know much more about their tactics. The earliest known attack that the group is responsible for is known as "Operation Troy", which took place from 2009 to 2012. This was a cyber-espionage campaign that utilized unsophisticated distributed denial-of-service (DDoS) techniques to target the South Korean government in Seoul. A number of attacks over the past 10 years has seen a possible cultivation of over $150 million USD.
One can't help but speculate about the origins of this malware and the justification for its development. Following greater international pressure and restrictions on trade with North Korea, I don't think that this is the last we will see of
Article by ASSASS@IN
Malware Mugshot: Ransomware
Distinguishing features: file encryption, ransom demand.
Nature: Encrypts files and holds the user's system to ransom. Demands payment in bitcoin in return for the decryption key.
Access: Phishing attachments and malicious downloads; WannaCry also exploits Windows vulnerabilities directly.
Notable strains: WannaCry, CryptoLocker.
Cures: strain-specific decryption tools, restore from shadow copies or backups, shut the system down until a decryption key is released, reformat.
Prevention: update Windows, an active up-to-date antivirus/firewall, anti-ransomware tools.

THE PIKACHU VIRUS
One of the earliest known worms aimed at children was the 'Pikachu Virus', sometimes referred to as the 'Poke Virus'. The Pikachu virus was a 32 KB worm that was spread via emails targeted at younger individuals and is the modest origin of what would be a class of malware to remain prominent for decades. The VB6.0 coded PikachuPokemon.exe, when downloaded and run, would modify the 'autoexec.bat' file of the early Windows operating system. Autoexec.bat was a script file used in the earlier versions of Windows, including Windows 3.x and 95, and was responsible for executing a number of commands through the command prompt upon startup. The Pikachu virus would insert its own code into autoexec.bat to be launched at startup.
The Pikachu virus would therefore attempt to destroy the user's machine by permanently removing critical system files from within the operating system. Fortunately, the user would be prompted for permission for these files to be deleted, which would generally arouse suspicion in most amateur PC users. This flaw in its execution may be the reason why it was not more effective in causing widespread issues throughout users' systems.
Nevertheless, it's fascinating to look back on this worm and see how such a simple idea has evolved maliciously into modern day worms like the Daprosy and BuluBebek worms.
Autoexec.bat was done away with in one of Windows' greatest successes, Windows XP. Since the evolution of the Windows operating system and the hardware accompanying it, we see a much more complex system architecture than that of the humble autoexec.bat. In order for malware to exploit these systems of increasing complexity, we are naturally seeing malware of increasing complexity in turn. The malware we see today can be capable of altering master boot records, exploiting Windows vulnerabilities and scanning a user's system for these vulnerabilities before executing its malicious code, either stealing sensitive information, demanding ransom or rendering a system inoperable. One can only imagine where our WannaCry and TDSS infections will evolve to in the next 20 years.
IRAN CRISIS - KOREA & WINTER OLYMPICS - CHINA & CRYPTOCURRENCY
The Crisis in Iran
Abstract of Center for Strategic & International Studies
Since the Iran-Iraq War started, we have seen growing tension between Iran and most of the Arab world. It is a massive arms race that has helped push Iran towards developing nuclear weapons, seeking military influence over Arab states, deploying long-range missiles, and creating major forces for asymmetric warfare in the Gulf. Iran's military forces now total some 523,000: 350,000 in the army; 125,000 in the Islamic Revolutionary Guard Corps (IRGC); 18,000 in the Navy; 30,000 in the Air Force; and at least 40,000 paramilitary forces like the Basij.
Iran's security forces also conscript or process well over 100,000 young men a year for at least 21 months of service. This does not mean that most Iranians support the efforts of the Supreme Leader and the IRGC to expand Iran's influence and control in the region.
The National Council of Resistance of Iran (NCRI) and The People's Mojahedin Organization of Iran (PMOI) (aka Mojahedin-e Khalq or MEK) have not shown that they can command serious public support, and some sources report that the PMOI has a past history of terrorism in its struggle against the Shah and Khomeini.
The outbursts of protests and violence in early 2018 are a major indicator that more protests will follow through the year. It looks as though the Iranian government made a mistake by relying on repression rather than reform.
The regime is currently under massive political and social pressure as well as serious economic pressure, which makes change all the more foreseeable. Calls for regime change by the U.S. or any outside state will most likely provoke a reaction that will not be by any means popular.
Important economic factors to note:
· Iran's problems have been heavily shaped by outside forces.
· The crash in oil prices radically cut Iran's earnings.
· Sanctions hit first and then the crash in oil and petroleum prices.
· The true nature of oil wealth in Iran is very low in per capita terms.
· Iran is oil poor compared to most other exporters in the Gulf.
· The JCPOA did little more than partially compensate Iran for the crash in world oil prices.
· Iran has had twice the level of inflation as GDP growth, and static or falling per capita income. Household income has dropped sharply over time.
· Iran's per capita income lags badly behind most of its neighbors.
· Unemployment and labor participation rates are critical
North Korea, South Korea and the Winter Olympics
Abstract of Reuters
North Korea's participation in the Olympics has been seen as a win for Moon, who hopes to use the event to make a diplomatic breakthrough in the standoff over North Korea's nuclear and missile program. It also eases public concerns that the North might upstage the Games with yet another weapons test.
Both North and South Korea will march under a unified flag with a joint hockey team for the 2018 Winter Olympics, but this has not come without controversy. Outrage by the citizens of South Korea has shown the public are less committed to the idea of a united Korea than past generations. However, Moon has taken the participation of North Korea in the Winter Olympics as a win and hopes to use this as a diplomatic breakthrough on a situation that has lasted for 60 years.
"North Korea was all last year, but suddenly they want to come to the South for the Olympics? Who gets to decide that?" Kim Joo-hee, a 24-year-old translator, told Reuters during a coffee break on a chilly Seoul afternoon. "Does North Korea have so much privilege to do whatever they want?"
Talks between the two countries hold a special significance due to the fact that for the last 4 years there has been no communication between the governments. With North Korea developing long range missiles, this step forward brings ease to much of the world and heightens hope for negotiations with the UN to go through.
China and Cryptocurrency
Abstract of Bloomberg News
It has been talked about for a long time that China has been looking into clamping down on cryptocurrency trading. We recently saw the effect of this with the correction on January 17th. While authorities placed a ban on cryptocurrency exchanges last year, much of the population have found loopholes to get around law enforcement. The new move by China is to target individuals and companies that provide market making, settlement and clearing services for
The reason for China's recent action would be concerns over excessive speculation, money laundering and tax evasion. Up until last year China had the most active market for exchanges, but even with companies and consumers looking elsewhere for trading, the effort by authorities has made a limited impact. China's central bank, as well as the local authorities, are calling for an end to the booming industry. With the action of China's central bank, many other countries are following in their footsteps and are calling for regulation at an "international level".
What does this mean for us?
Currently there is no way for us to tell where the world of cryptocurrency is heading. With a small decrease of unconfirmed transactions on the blockchain, fees are still high, and with the chain's end in sight it might be time to put investment into other coins. The speculation about the current price of Bitcoin is that it is still too high, but only time will tell.
Process Doppelganging is a newly discovered injection method that bypasses the HIPS engines of all the AVs its discoverers tested. As it has only been discovered recently, I have yet to see any public malware samples that utilise it, so all we have to base our research on is the initial paper on the injection method. The original paper can be found here.
In short, Process Doppelganging relies on a feature called NTFS transactions (TxF), which lets you write to a file inside a transaction and then choose to either commit or roll back the change; until commit, the modified content is visible only within the transaction's context. Process Doppelganging writes the malicious payload into a transacted file, so the file only appears modified inside the transaction. A section object is then created from the modified file with the NtCreateSection API, and the transaction is undone with the RollbackTransaction API, leaving the original file on disk untouched while the image section still holds the payload. Once this is complete, NtCreateProcessEx is called with that section as a parameter, process parameters are built with RtlCreateProcessParametersEx and written into the new process, and execution is started there with NtCreateThreadEx.
The call chain goes as follows:
CreateTransaction ==> CreateFileTransacted ==> WriteFile ==> CreateSection ==> NtCreateProcessEx ==> RtlCreateProcessParametersEx ==> VirtualAllocEx ==> WriteProcessMemory ==> NtCreateThreadEx
As we can see, the usage of suspicious APIs such as WriteProcessMemory, NtMapViewOfSection and SetThreadContext is minimal (WriteProcessMemory only copies the process parameters, not the image), and the image is loaded by the Windows PE loader rather than written into memory using WPM, resulting in a much more legitimate looking process. It is very likely that we will see a threat actor abusing this method to execute their payload in the near future, and we need a way to quickly analyse, unpack and detect threats before they can cause damage. As detecting is the job of AVs, I'll be writing an unpacker for this injection method. With most automated unpackers that deal with normal injection methods, a DLL is injected into the malicious process prior to its execution (it is started with the CREATE_SUSPENDED flag and resumed after the DLL is injected) and hooks are placed in APIs abused for code injection such as NtWriteVirtualMemory or NtMapViewOfSection.
Unpacking a payload executed via Process Doppelganging is no different from unpacking one executed by a RunPE that relies on the WriteProcessMemory API: we set hooks and catch the attempt to write the payload. However, for the best performance and results, we do not place hooks at WriteFile (which is used to write the malicious payload) but instead at ntdll!NtWriteFile, as many malware authors decide to call ntdll directly to bypass any hooks placed in kernel32. Most antivirus HIPS do not hook kernel32 either; they either place inline hooks on ntdll or perform other methods of hooking in usermode, as kernel32 hooking is effectively useless unless you are dealing with trashy HF-tiered malware.
I decided to fork the project PackerAttacker and add the hooks to it instead of starting a new project on my own, because it already has support for unpacking some other methods used by packers to execute malware. The project required some slight modifications for prime performance (it was compiled with /MD rather than /MT, leading to the VC++ runtime being required for the unpacker to work), but other than that it was perfect as a base for the unpacker. The project can be found on GitHub:
The unpacker can (and will) be improved greatly, for example by using better hooking methods (Wow32Reserved hooking to intercept syscalls, or hooking x64 ntdll), but that's for another time; for the purpose of this post this is all that will be demonstrated.
After the placement of hooks we need to check the data that is written and see whether it is the malicious executable that we are looking for or not. A custom function for checking the buffer to see if a PE file is being written (hint: checking for the magic, MZ) is added, and if the payload is in fact a PE file, we log this and dump the file. After that, we call the original NtWriteFile and resume execution. For logging purposes, CreateFileTransactedW and NtRollbackTransaction are hooked in order for us to see whether the NtWriteFile call was executed inside an NTFS transaction or not.
Article by Kuudere.
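The unpacker above catches the payload while it is being written. The complementary check, added here as an example and not part of Kuudere's unpacker or of PackerAttacker, runs after the fact: a doppelganged process reports a main module path whose on-disk content was rolled back, so the PE headers mapped at the image base no longer match the headers of the file on disk (or the file is gone altogether), and the same comparison also flags classic process hollowing. It assumes 64-bit PowerShell 5.1 on Windows, the standard kernel32 OpenProcess/ReadProcessMemory/CloseHandle signatures declared through Add-Type, and rights to open the processes it inspects; Test-PEHeader is the same "is this buffer a PE image" test the article's NtWriteFile hook performs, made stricter than a bare MZ check.

```powershell
# Added example (not Kuudere's unpacker): find processes whose in-memory PE headers do not
# match the file their main module claims to be, the artefact Process Doppelganging leaves.
# Assumes 64-bit PowerShell 5.1 on Windows and rights to read the target processes.

Add-Type -TypeDefinition @'
using System;
using System.Runtime.InteropServices;
public static class ProcMem {
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern IntPtr OpenProcess(uint access, bool inherit, int pid);
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern bool ReadProcessMemory(IntPtr h, IntPtr addr, byte[] buf, int size, out IntPtr read);
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern bool CloseHandle(IntPtr h);
}
'@

# The test the article's NtWriteFile hook performs, but stricter than "starts with MZ":
# e_lfanew must be in bounds and point at the PE\0\0 signature, or the buffer is no image.
function Test-PEHeader {
    param([byte[]]$Buffer)
    if ($Buffer.Length -lt 0x40 -or $Buffer[0] -ne 0x4D -or $Buffer[1] -ne 0x5A) { return $false }
    $lfanew = [BitConverter]::ToInt32($Buffer, 0x3C)
    if ($lfanew -lt 0x40 -or ($lfanew + 0x58) -gt $Buffer.Length) { return $false }
    return ([BitConverter]::ToUInt32($Buffer, $lfanew) -eq 0x00004550)
}

function Compare-ImageHeaders {
    param([System.Diagnostics.Process]$Process)
    $result = [ordered]@{ Pid = $Process.Id; Name = $Process.ProcessName; Path = $null; Result = $null }
    try { $path = $Process.MainModule.FileName; $base = $Process.MainModule.BaseAddress }
    catch { $result.Result = 'no access to main module'; return [pscustomobject]$result }
    $result.Path = $path
    $h = [ProcMem]::OpenProcess(0x0410, $false, $Process.Id)   # PROCESS_QUERY_INFORMATION | PROCESS_VM_READ
    if ($h -eq [IntPtr]::Zero) { $result.Result = 'OpenProcess failed'; return [pscustomobject]$result }
    try {
        $mem = New-Object byte[] 4096
        $read = [IntPtr]::Zero
        if (-not [ProcMem]::ReadProcessMemory($h, $base, $mem, $mem.Length, [ref]$read) -or
            -not (Test-PEHeader $mem)) {
            $result.Result = 'no PE header at image base'; return [pscustomobject]$result
        }
        if (-not (Test-Path -LiteralPath $path)) {
            # A transacted file that never existed before the rollback leaves nothing behind.
            $result.Result = 'image file missing on disk'; return [pscustomobject]$result
        }
        $disk = New-Object byte[] 4096
        $fs = [System.IO.File]::OpenRead($path)
        try { $n = $fs.Read($disk, 0, $disk.Length) } finally { $fs.Dispose() }
        # Only the header bytes are mapped verbatim: compare up to OptionalHeader.SizeOfHeaders.
        $lfanew = [BitConverter]::ToInt32($mem, 0x3C)
        $hdrLen = [Math]::Min([BitConverter]::ToInt32($mem, $lfanew + 0x54), [Math]::Min($n, 4096))
        $result.Result = 'match'
        for ($i = 0; $i -lt $hdrLen; $i++) {
            if ($mem[$i] -ne $disk[$i]) { $result.Result = 'MISMATCH at header offset 0x{0:X}' -f $i; break }
        }
    } finally { [void][ProcMem]::CloseHandle($h) }
    [pscustomobject]$result
}

# Sweep every process and keep only the ones that need a second look.
Get-Process | ForEach-Object { Compare-ImageHeaders $_ } |
    Where-Object { $_.Result -ne 'match' } | Format-Table -AutoSize
```

Protected processes and those of other users show up as 'OpenProcess failed' or 'no access to main module' unless the shell runs elevated, and a binary that Windows Update replaced on disk after the process started will legitimately mismatch, so treat a hit as a lead to dump and inspect (which is where the unpacker's PE dump comes in), not as a verdict.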
Brought to you by Thomas Shelby
To start off our first edition of the Cryptocurrency Report of Authenticate Magazine, I want to say that the market is
slowly but surely recovering from the big dip it took. During the past few days, BTC has been hovering between ten and
thirteen thousand dollars while it is down about twenty percent in the last ten days. The downtrend is still continuing by
the looks of the chart at this moment.
Below you can find the changes in the Coin Market Cap top ten list sorted by market cap:
The biggest change is that NEO has managed to knock IOTA out of its place in the top ten list. One of the reasons might
be the negativity going around that people lost their IOTA because they got hacked. People have used third-party online
seed generators which have led to third parties gaining access to private seeds.
Crypto World News
Surprise, surprise, BitConnect has officially closed
on the 16th of January. The company says they
will not give up despite all the negative comments,
according to them we will see a comeback soon.
Whether this will be the case is of course very
doubtful since the lending platform has legal issues
currently and because of the vast wave of negativity, which is deserved. The owners are anonymous
and there are many question marks that come up while researching the company. Overall, as is generally known, you should stay out of the way of BitConnect.
In Europe, Bruno Le Maire, the French finance
minister, announced that he will make joint proposals to Germany at the G20 summit in Argentina
this March. These proposals will be focused on the
regulation of Bitcoin, if we were to look at what Le
Maire says we can probably expect regulations to
take into account all cryptocurrencies rather than
solely Bitcoin. The finance minister of Germany
is, by the looks of it, agreeing with his French colleague as he tells us he wants to “reduce the risks”
for their citizens. This is the last thing crypto enthusiasts are looking for, governments working
together to regulate and steer cryptocurrency in a
Mitsubishi UFJ Financial Group, the fourth largest
bank in the world by total assets, has announced
their own cryptocurrency and exchange! There is
not an official date but many reports are saying the
cryptocurrency together with its exchange will be
released in March of this year. The Japanese bank
will allow its clients to link their accounts to an exchange and trade cryptocurrency without the actual money being transferred to the trading company
yet. Their clients will be protected from hacks and
bankruptcy of the trading company. There are also
collaborative initiatives from Japanese and South
Korean banks using Ripple to transfer money, all in
all besides the general negative news recently there
is a lot of positivity coming from Asia.
More good news from the east, Alibaba will launch
a mining platform for cryptocurrencies. It is called
“P2P Nodes” and it will most likely include another not yet known company. With the steps against
crypto mining China has taken and the known
skepticism of Alibaba’s CEO, it is a surprise to see
them taking such a step into the crypto world. The
country’s internet has been heavily censored for a
while now and it is quite possible that it might ban
access to cryptocurrency exchanges and trading
platforms in general. This will have major consequences for the global crypto market if it loses one
of its biggest investor countries.
Stellar and NEO are the only coins in the top twenty that are not affected by the dip currently. Despite
all that is going on in China NEO is holding strong.
Stellar is gaining more popularity than Ripple at
this moment, as it is looked at as a coin for “the
people” rather than what Ripple is aiming for as
a coin for banks and multinational corporations.
Especially in the current climate as the people are
uniting for crypto freedom while governments
are vying for regulation, this can have substantial,
Lastly, since it is still early in the year I want to talk
about how far we have come with cryptocurrency
so far, especially the past year. The market cap of
Bitcoin has gone up from 15 billion to 185 billion
at the moment of writing this article. Besides the
market cap rising we can see a lot of growth in the
crypto industry, from crypto t-shirts being sold to
hardware wallets and even hearing the word “Bitcoin” coming from your parents or the people next
to you on public transportation. The Ledger Nano hardware wallet is no exception, as it increased sales thirty-fold, selling over a million hardware wallets during the past year. One thing is for certain: cryptocurrency is most likely here to stay, in whatever form that may be, and there is still the opportunity to make yourself a profit!
Article by Thomas Shelby
How stuff works
Alternate Data Streams (ADS) are a lesser known feature of the Windows NTFS file system which provides the ability to attach extra data to existing files and folders without affecting their functionality or their reported size. Such streams are not visible through the usual tools, such as Windows Explorer, a plain DIR command or most file browsers (although dir /R and PowerShell's Get-Item -Stream do list them). ADS are used legitimately by Windows and other applications to store additional information (for example summary information) for a file without altering the file's size. Even Internet Explorer adds a stream named 'Zone.Identifier' to every file downloaded from the internet.
A visual representation of ADS:
Zone.Identifier is the best known of these streams: Internet Explorer creates it for every downloaded file. It is basically a text stream, normally less than 50 bytes in size.

Due to this hidden nature of ADS, hackers have been exploiting this method to secretly store their rootkit components on the compromised system without being detected. For example, the infamous rootkit named 'Mailbot.AZ' aka 'Backdoor.Rustock.A' used to hide its driver file in the system32 folder (C:\Windows\system32) as a stream named '18467' attached to the folder itself.

Some well known alternate data streams:
· Zone.Identifier, added by Internet Explorer to every downloaded file.
· A stream attached to the file 'Thumbs.db'.
· A stream attached to the favorite links stored by Internet Explorer.
· A stream created by Windows when the user updates the summary information for a file.
· A second stream created by Windows when the user updates the summary information for a file.
· A zero-size stream created by Windows when the user updates the summary information for

Stream for yourself: Iron Geek has published a public tutorial on how to create your own ADS, as a way to further understand what is being spoken about. If you come across a data stream you are unsure of, the Hack Forums Malware Removal Team would love to help you out. Head over to White Hat Malware, Virus, and Rat Removal Help.
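To see the behaviour described above for yourself, here is an added example (not from the article or from Iron Geek's tutorial) that creates, lists, reads and removes streams with the -Stream support built into PowerShell 3.0 and later on an NTFS volume. The file, the 'hidden' stream and the Zone.Identifier content are all constructed for the demo; only the stream name Zone.Identifier and its [ZoneTransfer]/ZoneId=3 layout are real Windows conventions.

```powershell
# Added example (not from the article): alternate data streams with PowerShell's -Stream
# support (PowerShell 3.0+ on an NTFS volume). All file content here is constructed.
$dir  = Join-Path $env:TEMP 'ads-demo'
New-Item -ItemType Directory -Path $dir -Force | Out-Null
$file = Join-Path $dir 'notes.txt'

Set-Content -Path $file -Value 'visible content'
# Attach a named stream: the file keeps its content and its reported size.
Set-Content -Path $file -Stream 'hidden' -Value 'data that Explorer and a plain dir do not show'
"Reported size: $((Get-Item $file).Length) bytes"          # counts only the unnamed :$DATA stream

# Simulate the Zone.Identifier stream Internet Explorer writes (constructed content):
# ZoneId=3 is the Internet zone, which is what triggers "Open File - Security Warning".
Set-Content -Path $file -Stream 'Zone.Identifier' -Value "[ZoneTransfer]`r`nZoneId=3"

Get-Item -Path $file -Stream *                                # :$DATA, hidden, Zone.Identifier
Get-Content -Path $file -Stream 'hidden'

# Hunting: every file under a path carrying a stream other than the default data stream
# and the browser's Zone.Identifier deserves a look, the way Rustock's '18467' would have.
function Find-UnexpectedStreams {
    param([string]$Path)
    Get-ChildItem -Path $Path -Recurse -File -Force -ErrorAction SilentlyContinue |
        ForEach-Object { Get-Item -LiteralPath $_.FullName -Stream * -ErrorAction SilentlyContinue } |
        Where-Object { $_.Stream -notin ':$DATA', 'Zone.Identifier' } |
        Select-Object FileName, Stream, Length
}
Find-UnexpectedStreams -Path $dir                              # reports notes.txt : hidden

# Clean-up: Unblock-File strips Zone.Identifier; Remove-Item -Stream deletes any named stream.
Unblock-File -Path $file
Remove-Item -Path $file -Stream 'hidden'
Get-Item -Path $file -Stream *                                # only :$DATA remains
```

Folders carry streams as well, which is how the Rustock driver sat on system32 itself; the -Stream cmdlets above work file by file, so for a whole tree including directory streams use dir /R from a command prompt, which has listed them since Windows Vista. Copying a file to a FAT volume or sending it over most network protocols silently drops every named stream, so an ADS is a hiding place, not a persistence mechanism on its own.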