Many of our readers have probably heard of Alternate Data Streams (ADS) on NTFS. They're not that well documented and there are only a few tools that can actually handle them. Lately we've been looking at variants of the Mailbot family that use hidden streams to hide themselves.
Let's take Mailbot.AZ (aka Rustock.A) as an example. There's only a single component lying on the disk, and that is a kernel-mode driver. It's stored as a hidden data stream attached to the system32 folder (yes, folders can have data streams as well)! Saving your data into Alternate Data Streams is usually enough to hide from many tools. However, in this case, the stream is further hidden using rootkit techniques, which makes detection and removal quite challenging. Because Mailbot.AZ is hiding something that's not readily visible to begin with, it's very likely that many security products will have a tough time dealing with this one.
We've just released a new version of our BlackLight rootkit scanner (Build 2.2.1041) that can detect current variants of Mailbot.
As you can see from the strings inside the malware, Mailbot.AZ also attempts to detect and avoid some of the more popular rootkit detectors:
What about removal? Removing a hidden data stream, especially one attached to a Windows system directory, is quite tricky. Since the rootkit is also active in Safe Mode, the easiest solution is to reboot into the Windows Recovery Console and overwrite the data stream from there. You can do this by copying a suitable file on top of the stream ("copy c:\windows\SomeNonExecutableFile c:\windows\system32:18467"). The copy operation won't succeed, but it will clear out the stream.
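A defender-side check for the kind of stream described above, added here as an example and not code from the original post: it lists the named alternate data streams attached to a directory and to its children, and flags any stream that starts with a PE "MZ" header (what a hidden kernel-mode driver would look like). It assumes Windows PowerShell 5.1 on an NTFS volume; the `$Root` and `$Depth` parameters are my own choices, and `Test-MzHeader` / `Get-NamedStreams` are helper names I made up.

```powershell
# Enumerate named NTFS alternate data streams on a directory tree, including
# streams attached to the directories themselves. Assumes Windows PowerShell 5.1
# (Get-Content -Encoding Byte; PowerShell 7 uses -AsByteStream instead).
param(
    [string]$Root  = "$env:SystemRoot\system32",   # assumed starting point
    [int]   $Depth = 0                             # 0 = direct children only
)

function Get-NamedStreams {
    param([string]$Path)
    # -Stream * returns every data stream on the item. ':$DATA' is the unnamed
    # default stream of a regular file and is expected; anything else is a named
    # stream. Directories have no default stream, so every hit on a directory
    # is a named stream.
    Get-Item -LiteralPath $Path -Stream * -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.Stream -ne ':$DATA' }
}

function Test-MzHeader {
    param([string]$Path, [string]$Stream)
    # Read the first two bytes of the stream; 0x4D 0x5A ('MZ') marks a PE image
    # such as a driver. Unreadable streams are reported as non-PE, not as errors.
    try {
        $b = Get-Content -LiteralPath $Path -Stream $Stream -Encoding Byte `
                         -TotalCount 2 -ErrorAction Stop
        return ($b.Count -eq 2 -and $b[0] -eq 0x4D -and $b[1] -eq 0x5A)
    } catch {
        return $false
    }
}

# Check the root directory itself first (the case the post describes), then
# its children up to the requested depth.
$items  = @(Get-Item -LiteralPath $Root -Force)
$items += Get-ChildItem -LiteralPath $Root -Recurse -Depth $Depth -Force `
                        -ErrorAction SilentlyContinue

foreach ($item in $items) {
    foreach ($s in Get-NamedStreams $item.FullName) {
        [pscustomobject]@{
            Path       = $item.FullName
            Stream     = $s.Stream
            Length     = $s.Length
            PEHeader   = Test-MzHeader $item.FullName $s.Stream
        }
    }
}
```

A stream hidden by an active rootkit will not show up in this enumeration, so a clean result on a live system is inconclusive; run the check from a boot where the driver is not loaded, or after removal, to confirm the stream is gone.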