Alternate Data Streams (ADS)

With the introduction of the NTFS file system in Windows NT, Microsoft introduced the concept of a single file holding multiple streams, known as Alternate Data Streams (ADS). In this blog I will discuss some advantages and disadvantages of ADS.
Whenever we perform an operation on a file, such as reading, writing or editing, we do it on the main (default) stream of the file. An alternate data stream can hold binary or ASCII data, and we can attach streams to any file, including executables and folders.

The biggest advantage of ADS is that, by default, alternate streams are invisible to the file-handling utilities provided by Microsoft Windows, such as File Explorer and the dir command. Unlike steganography, adding an alternate stream to a file does not change the size the file reports, which makes it almost impossible to detect by looking at the file.

ADS capability was originally introduced for compatibility with the Hierarchical File System (HFS), where a file's data is sometimes forked into separate resources. ADS are used by many legitimate Windows programs to store file information such as attributes, and as temporary storage.
Virus writers can take advantage of the stealth these streams provide to hide malicious data in an alternate stream attached to a legitimate file, easily defeating a normal user and most of the antivirus products available.

How to create an ADS:
=====================
The following command creates hiddenFile.txt as an ADS attached to the explorer.exe file present in %SystemRoot%:
c:\>echo "This is confidential data." >c:\windows\explorer.exe:hiddenFile.txt

The following command reads the data present in the ADS. If you check the size of explorer.exe after attaching the alternate stream, it will be exactly the same.

c:\>type c:\windows\explorer.exe:hiddenFile.txt
This is confidential data.
c:\>

Attaching an executable as an ADS:
==================================
You can even attach executables using ADS, and believe me, this is where ADS is a boon for virus writers. A virus writer can attach a malicious executable to a legitimate one and make it execute at every boot.

C:\>copy %SystemRoot%\system32\calc.exe c:\blog\ads\
C:\>type maliciousFile.exe > c:\blog\ads\calc.exe:newCalc.exe
C:\>reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v newLiveUpdate /t REG_SZ /d C:\blog\ads\calc.exe:newCalc.exe

Once these three commands have been executed on the victim machine, the program newCalc.exe will automatically be executed at every boot.
To test it, you will need to reboot your system once.

The steps above are very simple and do not require any skill, which is what makes them so dangerous. A virus writer can hide most of the virus code in an ADS and keep only a small executable that extracts the virus.
Everything we have discussed so far can be considered the ugly side (for us) of ADS. Now let's focus on the removal of ADS from infected systems.

How to detect ADS:
==================
Unfortunately, there is no Windows tool that will scan a file and tell you about the alternate streams attached to it.
There is a third-party utility called lads.exe which you can use to manually scan files for the presence of ADS. You can download this tool from http://www.heysoft.de

Also manually scan the autostart registry locations (such as the Run key used above) with regedit for values containing a ":" after the drive letter, e.g. c:\windows\explorer.exe:virus.exe

Always be suspicious of the entries in those locations and delete unwanted ones, like the one given in the example above.

Let's look at the good side of ADS. We can use this invisibility feature of ADS for many different purposes.
1) We can attach confidential files, or files which we don't want to be deleted accidentally, to system files which usually nobody deletes. This is especially useful when the system is shared between multiple users.
2) We can store passwords and PIN codes in an ADS.
3) You can use the freeware "Xidie Security Suite" to keep your private data hidden using ADS. You can download this tool from http://www.xidie.ro

How to delete an already created ADS:
=====================================
As we have already seen, ADS is only supported on the NTFS file system, so moving a file to a drive formatted with FAT will remove any ADS present on the moved file.
On an NTFS file system, go to Start -> Run and type "notepad <path of ADS>"

e.g. notepad c:\blog\ads\test.txt:hiddenFile.txt
then delete the complete content of the file and save it.
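The detection and deletion steps above can also be done from PowerShell. The script below is an added example, not from the original post or from any of the tools it mentions; it assumes PowerShell 3.0 or later (which added the -Stream parameter to Get-Item and Remove-Item) and uses the c:\blog\ads folder and the Run key from the post as its sample inputs.

```powershell
# Added example, not from the original post. Requires PowerShell 3.0+ (the
# -Stream parameter of Get-Item / Remove-Item) on an NTFS volume.
param(
    [string]$Root = 'C:\blog\ads'   # folder used in the post; adjust as needed
)
# Every NTFS file has a default stream named ':$DATA'; any other name is an ADS.
function Find-AlternateStreams {
    param([string]$Path)
    Get-ChildItem -LiteralPath $Path -Recurse -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            Get-Item -LiteralPath $_.FullName -Stream * -ErrorAction SilentlyContinue |
                Where-Object { $_.Stream -ne ':$DATA' } |
                Select-Object FileName, Stream, Length
        }
}

# A Run value such as C:\blog\ads\calc.exe:newCalc.exe has a second ':' after
# the drive letter; that is the sign that it launches a stream, not a file.
function Test-StreamPath {
    param([string]$Command)
    # isolate the executable part: a quoted path, or text up to the first space
    if ($Command -match '^\s*"([^"]+)"') { $exe = $Matches[1] }
    else { $exe = ($Command.Trim() -split '\s+')[0] }
    return (($exe -replace '^[A-Za-z]:', '') -match ':')
}

$RunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',   # key used in the post
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)
function Find-StreamRunEntries {
    foreach ($key in $RunKeys) {
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if (-not $props) { continue }
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # provider metadata, not a value
            if (Test-StreamPath ([string]$p.Value)) {
                [pscustomobject]@{ Key = $key; Name = $p.Name; Command = $p.Value }
            }
        }
    }
}
Find-AlternateStreams -Path $Root | Format-Table -AutoSize
Find-StreamRunEntries            | Format-Table -AutoSize

# Once an entry is confirmed unwanted, remove the stream itself (this deletes it
# outright, unlike emptying it in notepad) and the Run value that points to it:
#   Remove-Item -LiteralPath 'C:\blog\ads\calc.exe' -Stream 'newCalc.exe'
#   Remove-ItemProperty -Path $RunKeys[0] -Name 'newLiveUpdate'
```

Legitimate streams will show up in the first listing too, since many Windows programs store attributes in ADS, so treat the output as a list to review rather than a list of infections.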

As of now there are very few viruses that exploit this ADS functionality, but don't be surprised if you see more of them in the near future, as most current anti-virus products are not capable of detecting a virus hidden inside an ADS.
