How do we identify malware hooked into a legitimate file?
When hooked – the file size changes, functionality might differ. However, NTFS provide a feauture ADR (Alternate Data Stream) where we can hook any executable binary (say trojan) into any executable binary file (legitimate file) without any change. Even the MD5 hash remains the same.
C:\type c:\windows\system32\notepad.exe > calc.exe:notepad.exe
C:\start calc.exe ————— starts normal calculator program
C:\start calc.exe:notepad.exe ————— starts notepad.exe and surprizingly taskmanager show calc.exe in its processlist.
Unfortunately we cannot disable the ADS :(. and Md5 Hash is unchanged for both original and infected file.
Freeware programs like lads.exe by Frank Heyne (www.heysoft.de) and crucialADS by CrucialSecurity can be used to manually audit your files for the presence of Alternate Data Streams. Alternatively, the action of moving a file into another file system that doesn’t support ADS will automatically destroy any Alternate Data Streams.