Continuing off yesterday’s post about how malware covers its tracks when communicating over the network, today I want to highlight two ways in which malware hides itself from discovery on an infected system.
Both of these are Windows-specific techniques. The first exploits a feature of the file system (NTFS), and the second piggybacks onto the automated backup system.
Alternate Data Streams (ADS)
By using an ADS, malware can hide itself within legitimate files or processes. When the malware is written to disk, it can look something like this:
type d:\evil.exe > C:\windows\system32\regedit32.exe:evil.exe
Now, the malware executable exists alongside your registry editor. It cannot be seen through any normal file viewing, and nothing appears different about the registry editor. There are a few ways to detect an ADS. There are a couple utilities (LADS and Streams), which enumerate any ADSs in a directory, but obviously you have to suspect it is there first. The lower-tech route is to monitor the disk usage of the operating system. Although the ADS doesn’t show up as taking any additional space on the file it’s attached to, it still takes up sectors on the drive. So, if you check for a discrepancy between the disk space used by every file on the system and the actual space available on your disk, you might be able to detect if an ADS was introduced to the system.
Volume Shadow Copy Service (VSS)
There is a great write up about this on Pauldotcom.
This is a feature on newer versions of Windows where the system periodically creates backup images of the file system (Volume Shadow Copies) for emergency recovery. Malware can back itself up onto a custom VSC where it becomes a far more difficult target. Antivirus cannot scan it there, users can’t find it, but it can still be mounted and executed from there.
So remember, just because the antivirus gives your computer a clean bill of health, that doesn’t mean there can’t be something hiding in the shadows of you system.