home >> tools >> streamarmor

StreamArmor v1

TOP

StreamArmor is the sophisticated tool for discovering hidden alternate data streams (ADS) as well as clean them completely from the system. It's advanced auto analysis coupled with online threat verification mechanism makes it the best tool available in the market for eradicating the evil streams. StreamArmor comes with fast multi threaded ADS scanner which can recursively scan over entire system and quickly uncover all hidden streams. All such discovered streams are represented using specific color patten based on threat level which makes it easy for human eye to distinguish between suspicious and normal streams.

StreamArmor has built-in advanced file type detection mechanism which examines the content of file to accurately detect the file type of stream. This makes it great tool in forensic analysis in uncovering hidden documents/images/audio/video/database/archive files within the alternate data streams. StreamArmor is the standalone, portable application which does not require any installation. It can be copied to any place in the system and executed directly.

What is an Alternate Data Stream (ADS)?

TOP

Alternate Data Stream (ADS) is the lesser known feature of Windows NTFS file system which provides the ability to put data into existing files and folders without affecting their functionality and size. Any such stream associated with file/folder is not visible when viewed through conventional utilities such as Windows Explorer or DIR command or any other file browser tools. It is used legitimately by Windows and other applications to store additional information (for example summary information) for the file. Even 'Internet Explorer' adds the stream named 'Zone.Identifier' to every file downloaded from the internet.

Due to this hidden nature of ADS, hackers have been exploiting this method to secretly store their Rootkit components on the compromised system without being detected. For example, the infamous Rootkit named 'Mailbot.AZ' aka 'Backdoor.Rustock.A' used to hide its driver file into system32 folder (C:\Windows\system32) as a stream '18467'.

In short, ADS provides easy way to store the malicious content covertly as well as execute it directly without making even a bit of noise. Only sophisticated tools such as StreamArmor has the ability to discover and destroy these hidden malicious streams. For complete details on 'Alternate Data Streams' please refer to below article: 'Exploring Alternate Data Streams'.

Feature Highlights of StreamArmor

TOP

Here are the highlights of prominent and unique features of StreamArmor which makes it stand apart from other existing tools in the market.

  • Fast, multi threaded ADS scanner to quickly and recursively scan entire computer or drive or just a folder.

  • 'Snapshot View' for quick identification of selected stream and faster manual analysis.

  • Option to 'Ignore Known and Zero Streams' which automatically ignores all known streams (such as Zone.Identifier) and streams with zero size, thus greatly reducing time and effort involved in manual analysis.

  • Advanced stream file type detection which analyzes internal content of file to detect the real file type rather than just going by the file extension. Here is the list of some of the major file type categories detected by StreamArmor
    • + Executable File Type (EXE, DLL, SYS, COM, MSI, CLASS)
    + Archive File Type (ZIP, RAR, TAR, GZ, COM)
    + Audio File Type (MP3, WAV, RA, RM, WMA, M3U)
    + Video File Type (WMV, AVI, MPEG, MP4, SWF, DIVX, FLV, DAT, VOB, MOV)
    + Database Type (MS ACCESS)
    + Document Type (PDF, XML, DOC, RTF, All MS Office old & new formats)


  • Sophisticated 'Auto Threat Analysis' based on heuristic technology for identifying anomaly in the discovered streams based on the characteristics and patterns.

  • 'Online Threat Verification' to check for presence of Virus or Rootkit in the suspicious stream using any of the following prominent online websites.
    • + VirusTotal (www.VirusTotal.com)
    + ThreatExpert (www.ThreatExpert.com)
    + MalwareHash (www.MalwareHash.com)


  • Representation of streams using color pattern based on threat level makes it easy and fast for human eye to distinguish between suspicious streams from normal ones.

  • Parallel analysis of discovered streams during the scanning process, allows user to start with analysis immediately without waiting for entire scanning operation to be completed.

  • View the entire content of selected stream using the configured third party application. In fact user can configure different applications for normal & executable stream file.

  • Save the selected stream file content to a disk, or USB drive or DVD for further analysis.

  • Delete the selected alternate data stream from its base file or folder.

  • Execute/Run the selected executable stream file for analyzing its malicious nature in virtual environments such as VMWare.

  • Dynamic performance tuning mechanism by adjusting the ADS scan thread count [only for advanced users].

  • Sort feature to arrange the scanned streams based on its name/threat level/content type/size.

  • Export the entire list of discovered streams to a disk file in HTML format for offline analysis.


StreamArmor v1 in Action

TOP

Here are the screenshots of StreamArmor showcasing its unique and unparalleled features...

Screenshot 1: StreamArmor detecting Rootkits such as HackerDefender, Agent.X, Vanquish etc in addition to other hidden streams.


*To zoom in - click the image*

Screenshot 2: StreamArmor showing all the discovered streams using specific color pattern based on their respective threat levels.


*To zoom in - click the image*

Screenshot 3: StreamArmor displaying the snapshot view of the selected Rootkit stream file which clearly shows that its a executable file (starting with "MZ").


*To zoom in - click the image*

Screenshot 4: Online threat verification of uncovered 'HackerDefender' Rootkit stream file using VirusTotal.com.


*To zoom in - click the image*

Screenshot 5: Online threat verification of uncovered 'HackerDefender' Rootkit stream file using ThreatExpert.com.


*To zoom in - click the image*

Screenshot 6: 'Scan Settings' of StreamArmor showing the default configuration.


*To zoom in - click the image*

Screenshot 7: General configuration dialog of StreamArmor that allows user to fine tune various options as per the needs.


*To zoom in - click the image*

Screenshot 8: Exported stream scan report in HTML format by Stream Armor showing scan summary along with detailed threat report.


*To zoom in - click the image*

Version History

TOP

Version 1.0 - 27th Mar 2010:
Released the first public version of StreamArmor.

Compliance Mandates

TOP

Forensics:
    PCI DSS 10.2, 12.9, A.1.4*,
    SOX DS7, HIPAA 164.308(a)(1) and (a)(6),
    FISMA IR-7, ISO 27001/27002 13.2.1, 13.2.3
*Shared Hosting Providers Only

Source :    Security-Database

Download StreamArmor v1

TOP

License:
Freeware.

Platform:
Windows XP, 2K3, Vista, Longhorn and Windows 7 (both 32 & 64 bit versions)
On 64 bit platform, only 32 bit processes are supported.

Hashes For StreamArmor_v1.zip :
MD5 Hash : d283e449332dd738f96bc60344688341
SHA1 Hash: 3bfdd9732efae250ed008f0b679bca45e148840b


Click the following to download:

Download StreamArmor v1.0

Awards

TOP

Best Software 4 Download Best Vista Downloads Gear Download Best Freeware Download SoftSea Downloads Windows 7 Download Compatibility Windows 7 Download Award

EvilFingers Arsenal




Blogs

Update on Next Version of SpyDLLRemover
Nagareshwar Talekar
Mon, 16 Aug 2010 13:28:57 +0000

Here is the brief update on upcoming release of SpyDLLRemover.  Most of the major work highlighted in our previous blog post has been completed and only some final art work is left out. Below is the fresh glimpse of new banner which is going to replace old one.  Just being the old,  other reason for change [...]


Releasing Soon: New Version of SpyDLLRemover
Nagareshwar Talekar
Mon, 02 Aug 2010 08:16:44 +0000

We are vigorously working on next major version of SpyDLLRemover which will bring out the best changes that our users have been looking for since the beginning. We have received lot of feedbacks directly as well as through various forums mentioning about improvements in SpyDLLRemover. One of the most asked enhancement was the ‘Re-sizable Window feature’ [...]


Rootkit Analytics – The New Look
Nagareshwar Talekar
Mon, 28 Jun 2010 02:01:57 +0000

Rootkit Analytics has the new look and feel and not just that, we are now working on more stuff that would make it user friendly. We aren’t going to list each minute tweak, but there is a lot more to come. Hence, we would complete it all and keep you posted on any major update. [...]


StreamArmor – New Tool to Scan & Sweep Malicious Streams
Nagareshwar Talekar
Sat, 27 Mar 2010 15:59:08 +0000

StreamArmor (previously HiddenADSExplorer) is the sophisticated tool for discovering hidden alternate data streams (ADS) as well as clean them completely from the system. It’s advanced auto analysis coupled with online threat verification mechanism makes it the best tool available in the market for eradicating the evil streams. It comes with fast multi threaded [...]


Now Post Your Rootkit Queries on SpywareAnalytics Forum
Nagareshwar Talekar
Tue, 23 Mar 2010 05:06:19 +0000

Spyware Analytics Forum, the division of EvilFingers empire is released to public now. The main aim of this forum is to provide an interface for home & enterprise users to interact with security professionals. Most users do not really get a chance to directly interact with professionals who can really solve their issues. Spyware Analytics is [...]


Testimonials: Rootkit Analytics Tools
Nagareshwar Talekar
Sun, 07 Mar 2010 23:19:04 +0000

Rootkit Analytics has come up with a “Testimonials” section. This can be seen in our web portal, www.RootkitAnalytics.com: [Click on the above image to enlarge view] We welcome all our users to submit testimonials, as this would increase your visibility in our community and we provide Extended FREE Support* to these users. Enterprise Users: If you are using our [...]


HiddenADSExplorer – Update from Research Center
Nagareshwar Talekar
Mon, 01 Mar 2010 20:29:23 +0000

As our next tool, HiddenADSExplorer is moving towards the final beta stage, we bring you the latest update straight from our research center. HiddenADSExplorer is the first ever tool to not only scan for hidden streams but to explore, analyze and quickly detect hidden malicious content within the streams using the advanced analysis technique.  It is [...]


Ridgewood Cable & Rootkit Analytics – Extends Support
Nagareshwar Talekar
Mon, 22 Feb 2010 01:16:54 +0000

Hello Folks, Thank you for helping us by reading our stuff & using our tools. We are proud to say that we are extending our support to our first ISP Customer – Ridgewood Cable. Thanks to Joshua A. Coody for making this happen. We provide free support: to upgrade our tools to what you would like, if it [...]


Openings for Rootkit Analysts
Nagareshwar Talekar
Wed, 10 Feb 2010 19:34:09 +0000

Rootkit Analytics is seeking for Rootkit Analysts [volunteering] with varying skill-sets and at different levels to join our team.  As a Rootkit Analyst, you will be involved with: Detection, analysis and documentation of rootkits. What would a Rootkit Analyst do? A rootkit analyst would work on collection, research and analysis of rootkit samples. The analyst would be categorizing [...]


New SpyDLLRemover to Remove DLL from System Process
Nagareshwar Talekar
Tue, 09 Feb 2010 04:28:20 +0000

The newer version of SpyDLLRemover v3.2 now support removal malicious DLL from system processes on Vista/Win7 platforms. Starting with Vista, Windows has introduced the session separation feature which prevents processes in one session interacting with process in another session. Normally all system processes including services live in session 0. All user session starts with session 1. [...]

Socialize with RootkitAnalytics

Twitter Feed Blogspot

Links

Rootkits & Enterprise: Enterprise is a major victim to rootkits. What could rootkits do to them?[read more]

Rootkits & Home-users: Do home-users know the seriousness of rootkits? What should a home-user know about rootkits?[read more]

Rootkits & Information Warfare: What does the silent war of intelligence and national security, got to do with rootkit analysis?[read more]

Userland Rootkits: What should one know about userland rootkits?[read more]

Spy DLL Remover: Were you looking for a tool to detect userland rootkits in your Windows box?[read more]

Kernelland Rootkits: What should one know about kernelland rootkits?[read more]

ElfStat: ElfStat is a tool designed for detecting any kernel malware that modifies the text segment of the kernel in memory...[read more]

Syscall/Kernel function interception: This is a more stealth method of syscall hijacking without having to directly modify the syscall table; instead the first several bytes of the syscall are overwritten with a jump to the new code...[read more]

Syscall Interception: What should you know about Syscall interception by directly modifying the Syscall table?[read more]

KsiD [Kernel Symbol Interception Detection]: This tool is designed to detect kernel rootkits and kernel malware which hijack syscalls and kernel functions ...[read more]

IDT /dev/kmem rootkit method: This can be done using several methods including overwriting the first several bytes of the syscall with a jump to other code, or modifying the function pointers.[read more]

Hidden Process Detection: Hidden Process Detection [HPD] using Direct NT System Call Implemenation, PIDB (Process ID Bruteforce) method, CSRSS Process Handle Enumeration and other methods...[read more]

Hidden Registry Detection: Reason for Hiding the Registry Entries, Rootkit techniques to hide, and Detecting Hidden Registry Entries Using Direct NT System Call Method and Directly Reading Hives Method...[read more]

Hidden Service Detection: Hidden Rootkit Services Detection Methods...Enumerating Processes with 'NtControlPipe', Hook Bypass Method through Mapped Image, Services Enumerating Child Processes of Services.exe, Enumerating Services Registry Key...[read more]

Syscall Handler Checker [SHC]: This tool simply verifies whether or not the system call handler system_call() has been patched to call a phony sys_call_table. If a phony sys_call_table appears to be in use, a tool like elfstat can be used for further analysis...[read more]

Firmware Rootkits: Firmware is a small static code that runs on devices ranging from consumer electronics to anything that controls heavy machinery...[read more]

Hypervisor Rootkits: This comes under both firmware and hardware rootkits. The reason being, hypervisor is a virtual environment that runs on the hardware, but basically it is a firmware. Hence, we have drawn the line and dropped this rootkit in the firmware category of rootkits...[read more]

Publications: In this section, we are planning to list all the papers that we have published so far that are rootkit related.

Backdoor Ultimate Defender: In this paper (Backdoor.Win32.UltimateDefender.gtz - Reversing) we analyze install.exe that presents the typical structure of an Medium Evoluted Malware, with basical Obfuscated-Dummy Code...[read more]

Socialize: You could socialize with us by many ways...[read more]

About: Learn about rootkit analytics here...[read more]

Contact us: How can you reach us...[read more]

Our Team: Read more about the rootkit analytics team...[read more]

dwtf v1.0 dwtf is a DLL copying engine ... [read more]

StreamArmor StreamArmor is the sophisticated tool for discovering hidden alternate data streams (ADS)...[read more]

Exploring ADS Alternate Data Stream (ADS) is the lesser known feature of Windows NTFS file system which...[read more]

Installations [from RootkitAnalytics.com]

ToolsCount
~~~~~~~~~~~~~~~~~~~
Spy DLL Remover61314
Stream Armor8531
Elfstat1680
KsiD1127
dwtf1033
SHC862

NOTE: Our tools are listed in many sites and torrents, which makes it hard for us to track all downloads. Hence, we are listing only the total installations from our website.

Socialize with EvilFingers

Twitter Feed Blogspot LinkedIn Delicious Google

Tweets


@EvilFingers Anytime! Have a good week!

Thanks to @EvilFingers for the Spark & @hdmoore for paving the path with his auditkit for DllHijackAuditor http://bit.ly/a3gW1X

Thanks to @EvilFingers for the Spark & @hdmoore for paving the path with his auditkit for DllHijackAuditor http://bit.ly/a3gW1X

Thanks to @EvilFingers for the Spark & @hdmoore for paving the path with his auditkit for DllHijackAuditor http://bit.ly/a3gW1X