Jump to content
begood

StreamArmor - Advanced Tool to Scan & Sweep Malicious Streams

By begood, in Programe securitate

Recommended Posts

begood Newbie

begood

Posted
Posted

About StreamArmor

StreamArmor is the sophisticated tool for discovering hidden alternate data streams (ADS) as well as clean them completely from the system. It's advanced auto analysis coupled with online threat verification mechanism makes it the best tool available in the market for eradicating the evil streams.

It comes with fast multi threaded ADS scanner which can recursively scan over entire system and quickly uncover all hidden streams. All such discovered streams are represented using specific color patten based on threat level which makes it easy for human eye to distinguish between suspicious and normal streams.

It has built-in advanced file type detection mechanism which examines the content of file to accurately detect the file type of stream. This makes it great tool in forensic analysis in uncovering hidden documents/images/audio/video/database/archive files within the alternate data streams.

StreamArmor is the standalone, portable application which does not require any installation. It can be copied to any place in the system and executed directly. What is Alternate Data Stream (ADS) ?

Alternate Data Stream (ADS) is the lesser known feature of Windows NTFS file system which provides the ability to put data into existing files and folders without affecting their functionality and size. Any such stream associated with file/folder is not visible when viewed through conventional utilities such as Windows Explorer or DIR command or any other file browser tools. It is used legitimately by Windows and other applications to store additional information (for example summary information) for the file. Even 'Internet Explorer' adds the stream named 'Zone.Identifier' to every file downloaded from the internet.

Due to this hidden nature of ADS, hackers have been exploiting this method to secretly store their Rootkit components on the compromised system without being detected. For example, the infamous Rootkit named 'Mailbot.AZ' aka 'Backdoor.Rustock.A' used to hide its driver file into system32 folder (C:\Windows\system32) as a stream '18467'.

In short, ADS provides easy way to store the malicious content covertly as well as execute it directly without making even a bit of noise. Only sophisticated tools such as StreamArmor has the ability to discover and destroy these hidden malicious streams.

For complete details on 'Alternate Data Streams' please refer to the following article

'Exploring Alternate Data Streams' Feature Highlights of StreamArmor

Here are the highlights of prominent and unique features of StreamArmor which makes it stand apart from other existing tools in the market.

  • Fast, multi threaded ADS scanner to quickly and recursively scan entire computer or drive or just a folder.

  • 'Snapshot View' for quick identification of selected stream and faster manual analysis.

  • Option to 'Ignore Known and Zero Streams' which automatically ignores all known streams (such as Zone.Identifier) and streams with zero size, thus greatly reducing time and effort involved in manual analysis.

  • Advanced stream file type detection which analyzes internal content of file to detect the real file type rather than just going by the file extension. Here is the list of some of the major file type categories detected by StreamArmor

    • Executable File Type (EXE, DLL, SYS, COM, MSI, CLASS)
    • Archive File Type (ZIP, RAR, TAR, GZ, COM)
    • Audio File Type (MP3, WAV, RA, RM, WMA, M3U)
    • Video File Type (WMV, AVI, MPEG, MP4, SWF, DIVX, FLV, DAT, VOB, MOV)
    • Database Type (MS ACCESS)
    • Document Type (PDF, XML, DOC, RTF, All MS Office old & new formats)

    [*]Sophisticated 'Auto Threat Analysis' based on heuristic technology for identifying anomaly in the discovered streams based on the characteristics and patterns.

    [*]'Online Threat Verification' to check for presence of Virus or Rootkit in the suspicious stream using any of the following prominent online websites.

    [*]Representation of streams using color pattern based on threat level makes it easy and fast for human eye to distinguish between suspicious streams from normal ones.

    [*]Parallel analysis of discovered streams during the scanning process, allows user to start with analysis immediately without waiting for entire scanning operation to be completed.

    [*]View the entire content of selected stream using the configured third party application. In fact user can configure different applications for normal & executable stream file.

    [*]Save the selected stream file content to a disk, or USB drive or DVD for further analysis.

    [*]Delete the selected alternate data stream from its base file or folder.

    [*]Execute/Run the selected executable stream file for analyzing its malicious nature in virtual environments such as VMWare.

    [*]Dynamic performance tuning mechanism by adjusting the ADS scan thread count [only for advanced users].

    [*]Sort feature to arrange the scanned streams based on its name/threat level/content type/size.

    [*]Export the entire list of discovered streams to a disk file in HTML format for offline analysis.

StreamArmor Screenshots

Here are the screenshots of StreamArmor showcasing its unique and unparalleled features... Screenshot 1: StreamArmor detecting Rootkits such as HackerDefender, Agent.X, Vanquish etc in addition to other hidden streams.

streamarmor_scanning_screenshot1.jpg

Screenshot 2: StreamArmor showing all the discovered streams using specific color pattern based on their respective threat levels.

streamarmor_theatlevels_screenshot2.jpg

Screenshot 3: StreamArmor displaying the snapshot view of the selected Rootkit stream file which clearly shows that its a executable file (starting with "MZ").

streamarmor_snapshotview_screenshot3.jpg

Screenshot 4 : Online threat verification of uncovered 'HackerDefender' Rootkit stream file using VirusTotal.com.

streamarmor_virustotal_screenshot4.jpg

Screenshot 5: Online threat verification of uncovered 'HackerDefender' Rootkit stream file using ThreatExpert.com.

streamarmor_threatexpert_screenshot5.jpg

Screenshot 6 : 'Scan Settings' of StreamArmor showing the default configuration.

streamarmor_snansettings_screenshot6.jpg

Screenshot 7 : General configuration dialog of StreamArmor that allows user to fine tune various options as per the needs.

streamarmor_options_screenshot7.jpg

Screenshot 8 : Exported stream scan report in HTML format by Stream Armor showing scan summary along with detailed threat report.

streamarmor_export_screenshot8.jpg

Acknowledgement

Thanks to Manojna, Raghuveer, EvilFingers for their valuable inputs in making of this tool. Version History

Version 1.0: 27th Mar 2010 First public release of StreamArmor Download StreamArmor

StreamArmor is developed by me for RootkitAnalytics. However due to legal bindings, I cannot host it on this website. Hence please follow the below link to download it from RootkitAnalytics. download.png Download StreamArmor 1.0 from RootkitAnalytics.com

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
Go to topic listing
×
×
  • Create New...