Alternate Data Stream

A relatively unknown compatibility feature of NTFS, Alternate Data Streams (ADS) provides a method of hiding data into existing files without affecting their functionality, size, or display to traditional file browsing utilities like dir or Windows Explorer.

ADS usage is pretty easy, for instance: the command
“type myrootkit.exe > c:\windows\system32\notepad.exe:myrootkit.exe”
will fork the common windows Notepad program with an ADS “myrootkit.exe.”

Once injected, the ADS can be executed by using traditional commands like type, or start or be scripted inside typical scripting languages like VB or Perl, for example:
"start c:\windows\system32\notepad.exe:myrootkit.exe” will launch myrootkit.exe but the process shown on taskmanager is notepad.exe

But how can I detect ADS ? The following tools are able to find them..
CrucialADS : http://www.crucialsecurity.com/
Streams.exe : http://www.sysinternals.com/ntw2k/source/misc.shtml#Streams
Sfind.exe : http://www.foundstone.com
Lads.exe : http://www.heysoft.de/Frames/f_sw_la_en.htm


More details about ADS are available on: MS Site and also here.
Tags:

About author

Vittorio Pavesi

1 comments

  1. Anonymous
    12:10 PM

    Excellent Article.

Post a Comment