Full Disclosure mailing list archives
RE: [inbox] Re: Windows covert channel
From: "Maynard, David C" <david.c.maynard () xo com>
Date: Mon, 20 Oct 2003 12:47:11 -0400
I believe you are referring to editing a file and saving with a :hidden. Say you have a file test, 4k: you can open that file with, let's say, test:hidden and add as much info as you want, and the original file size never changes, and test:hidden is not listed in the file system but is treated as a separate file when edited. You have to know the hidden info is attached to the test file to detect the info.

-----Original Message-----
From: full-disclosure-admin () lists netsys com [mailto:full-disclosure-admin () lists netsys com] On Behalf Of Curt Purdy
Sent: Monday, October 20, 2003 9:49 AM
To: 'jazper'; full-disclosure () lists netsys com
Subject: RE: [inbox] Re: [Full-disclosure] Windows covert channel
You are probably thinking of ADS (Alternate Data Streams).

jazper

I seem to remember in the dim reaches of my memory a covert channel in the Windows file system where you could paste one file at the end of another without it being detectable when you edited the original file.
It may be that he is referring to an exe packer as used to attach a trojan to a legitimate exe aka whackamole.

Curt Purdy CISSP, GSEC, MCSE+I, CNE, CCDA
Information Security Engineer
DP Solutions

----------------------------------------
If you spend more on coffee than on IT security, you will be hacked. What's more, you deserve to be hacked.
-- White House cybersecurity adviser Richard Clarke

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
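
Added example, not part of the original thread: a PowerShell script that reproduces the test:hidden behaviour described above on a constructed file and then enumerates every non-default stream under a directory. It assumes Windows, an NTFS volume and PowerShell 3.0 or later; the function name Find-AlternateDataStream and the ads-demo directory are hypothetical.

```powershell
# Added example: audit a directory tree for NTFS alternate data streams (ADS).
# Assumes Windows, NTFS, PowerShell 3.0+. Only files are inspected here.

function Find-AlternateDataStream {
    param(
        [Parameter(Mandatory)] [string] $Root,
        # Zone.Identifier is the stream Windows attaches to downloaded files;
        # it is skipped unless explicitly requested, to keep the report short.
        [switch] $IncludeZoneIdentifier
    )
    Get-ChildItem -LiteralPath $Root -Recurse -File -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            # -Stream * returns one object per stream, including the default ':$DATA'.
            Get-Item -LiteralPath $_.FullName -Stream * -ErrorAction SilentlyContinue
        } |
        Where-Object {
            $_.Stream -ne ':$DATA' -and
            ($IncludeZoneIdentifier -or $_.Stream -ne 'Zone.Identifier')
        } |
        Select-Object FileName, Stream, Length
}

# Constructed sample: a small file with extra data attached as test.txt:hidden.
$dir  = Join-Path $env:TEMP 'ads-demo'
New-Item -ItemType Directory -Path $dir -Force | Out-Null
$file = Join-Path $dir 'test.txt'

Set-Content -Path $file -Value 'visible content'
$before = (Get-Item -LiteralPath $file).Length

Set-Content -Path $file -Stream 'hidden' -Value ('x' * 4096)
$after = (Get-Item -LiteralPath $file).Length

# The reported size covers the default stream only, so it does not change.
"Size before: $before  Size after: $after"

# An ordinary listing shows test.txt and nothing about the second stream.
Get-ChildItem -LiteralPath $dir | Select-Object Name, Length

# The audit lists the stream name and its own length.
Find-AlternateDataStream -Root $dir

Remove-Item -LiteralPath $dir -Recurse -Force
```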