[r3shl4k1sh]

I would like to know which malware exploit the NTFS in order to hide (itself or generic data).

Currently i know about:

• ZeroAccess.C that exploit the Extended Attributes (EA) feature in the NTFS in order to hide.
• Backdoor.Tranwos (WinNT/Alureon (7gen)) Abuses EFS to Prevent Forensic Analysis

Do you know any other malware that use the NTFS in order to hide (itself or general data)?
Thanks.

[rinn]

Hi,

Rustock/Linkoptimizer

Best Regards
-rin

[SomeUnusedName]

I think I have seen Poison Ivy variants storing data in alternate data streams, a quick Google seems to confirm that:

http://www.f-secure.com/v-descs/backdoo ... nivy.shtml

Some variants of Poison Ivy are capable of copying themselves into an Alternate Data Stream.

[Horgh]

If I remind good, cidox too.

[EP_X0FF]

There are not so many ways to do that: ADS, EFS, security ACL (most popular feature as it very easy to implement, used by many different trojans), other specific stuff like reparse points. From history perspective it was:

Rustock.B with it body in ADS of system32 folder
LinkOptimizer IIRC using EFS
Conficker abusing file ACL
Sirefef from the beginning till today (reparse points, self-formatted NTFS volume, security attributes, data steams)

everything else is not abusing NTFS but disk drivers stack (hooks, filters, binary patching) or Windows boot loading process (Cidox).