Alternate Data Stream (ADS)

Greetings my fellow human beings, my cyber name is raghag and today I will tell you something (actually a lot) about ADS... no, no, I won't tell you anything about Britney Spears promoting a cola company. It's something different: here ADS doesn't mean advertisement, it means Alternate Data Stream, which is a feature of the Windows NT file system, NTFS (New Technology File System). Let me explain the origin of ADS in Windows as a story.

Once upon a time, when politicians were honest and software companies shipped software with fewer bugs, a child was born, and his parent company named him Windows NT. But whenever the child was out playing in the software parks he found it difficult to play with other children like Mac, because Apple used a file system called the Macintosh Hierarchical File System (HFS) while Windows NT used NTFS, so they couldn't communicate properly. So Windows' parents gave their son a special feature called Alternate Data Streams so that he could exchange information with his friend Mac....

Some of us who have used both Macintosh and Windows as OSs might have come across a strange thing: unlike in Windows, files in MacOS generally don't have extensions like exe, doc, fla, txt and others, yet the operating system is still able to associate each file with its application. This is basically due to the fact that Macintosh files have two "forks": the resource fork, which contains this association information, and the data fork, which contains the executable code itself. Now, more often than not there is communication between a Windows box and a Mac, and how the file association could be maintained and recognized was a bit of a problem. When Windows NT 3.1 came out, it had compatibility support for AppleTalk, meaning that NT and MacOS users could easily exchange data. This caused a problem, however, since there was no way to copy both the resource fork and the data fork of a file directly onto the NT file system. Doing so would only copy the data fork, since the resource fork wasn't physically in the file but in a separate stream. (In other words, the data and resource fork don't occupy the same cluster on disk, nor are they part of the same contiguous file.) Microsoft then had to implement NTFS ADS, which meant that NT would see the resource fork as another stream and would be able to copy it along with the file onto a Macintosh computer.

This was a bit about the history of ADS and its purpose as Microsoft saw it when it created ADS. But in time things changed, ADS became more feature rich, and so did the problems associated with it... So you want to know what's wrong with ADS? Here you go...

The current problem with streams is that many Windows NT users (including administrators) are not aware that streams exist, and even if they know of them they have no simple method of detecting them. Microsoft does not provide tools for reporting what streams exist!

Explaining ADS again

NTFS supports multiple data streams, where the stream name identifies a new data attribute on the file. A handle can be opened to each data stream. A data stream, then, is a unique set of file attributes. Streams have separate opportunistic locks, file locks and sizes, but common permissions.

This feature enables you to manage data as a single unit. The following is an example of an alternate stream:

myfile.dat:stream2

A library of files might exist where the files are defined as alternate streams, as in the following example:

        library:file1
               :file2
               :file3

A file can be associated with more than one application at a time, such as Microsoft® Word and Microsoft® WordPad. For instance, a file structure like the following illustrates file association, but not multiple files:

        program:source_file
               :doc_file
               :object_file
               :executable_file

You can have a file with 1 byte in the official main data stream and some hundred MB in one or more alternate data streams. What do you expect the DIR command, the file manager or Explorer to show as the size of this file? It is 1 byte! That means a freak can hide quite a lot of data in Alternate Data Streams and nobody will know.

So What’s Wrong With ADS?

Well, anyone who has access to your computer can play a dirty trick like the one I am going to mention. He can create a text file, let's say a 1 byte file, and add 4 GB of data to it in an alternate stream, so your 4 GB of space will be eaten up; and when you check that innocent text file, Windows Explorer will show its size as only 1 byte and will give you no information about the 4 GB of data associated with that file in an Alternate Data Stream. The DIR command will also fail to give you any information about the alternate data stream.

One of the worst things that can be done is to attach a binary file or exe to a text file, so that every time that text file is run the exe will also run without your knowledge. And trust me, CTRL+ALT+DEL will also be helpless in detecting the exe. To tell you more, a virus writer could possibly attach a virus or Trojan to your explorer.exe as an Alternate Stream, which means the virus/Trojan would run every time your PC starts without your antivirus getting any wind of it.

The information in this article applies to:

Microsoft Win32 Application Programming Interface (API), when used with:

What are Antivirus Companies Doing?

Trust me, your current antivirus is absolutely helpless in detecting a virus or Trojan attached to any file on your system. Every antivirus only checks the main stream for a virus/Trojan and its signature, and they overlook the ADS. This is something that makes a virus writer a happy person. But Kaspersky Labs, an AV vendor, has decided to put out a dire warning about ADS based on their alleged discovery of a virus which uses ADS. They say it hasn't been seen in the wild, nor have they had any reports of any infections, yet they've done an extensive press release about it claiming that it "represents a new generation of malicious programs for Windows 2000".

"By default, antivirus programs check only the main data stream. There will be no problems protecting users from this particular virus," Eugene Kaspersky continues, "however, the viruses can move to Additional Data Streams. In this case, many antivirus products will become obsolete, and their vendors will be forced to urgently redesign their antivirus engines."

So your current antivirus shall be of little help in case a virus is exploiting the ADS feature, so you had better keep in touch with your antivirus vendor and find out if they have provided the necessary update for this problem. It seems so far only Kaspersky Labs are providing an antiviral solution to this problem.

How do I ADD a file to an Alternate Data Stream?

Here are a few examples:

The syntax used to create ADSs is relatively simple and straightforward. To create an ADS associated with the file "thefile.txt", simply separate the default stream name from the ADS name with a colon.

c:\ads>echo This is an ADS > thefile.txt:hidden

Additionally, an ADS can be created using the contents of another file.

c:\ads>echo This is a test file > test.txt

c:\ads>type test.txt > thefile.txt:hidden

The ADS can then be verified using Notepad.

c:\ads>notepad thefile.txt:hidden

However, none of the variations of the DIR command nor any available switches or settings for Windows Explorer will detect the presence of these newly created ADSs.

Additionally, ADSs can be created and associated with the directory listing, rather than a file. This peculiarity will take on some significance later in this article, but for now it's sufficient to describe how such ADSs can be created.

c:\ads>echo This ADS is tied to the directory listing > :hidden

ADSs of this type can be created with Notepad and the 'type' command, as well.

The content of ADSs should not be considered limited to simply text data. Any stream of binary information can constitute a file, and the ADS is nothing more than a file. Executables can be hidden in ADS quite easily.

c:\ads>type c:\winnt\notepad.exe > myfile.txt:np.exe

c:\ads>type c:\winnt\system32\sol.exe > myfile.txt:sol2.exe

Similarly, image files, audio files or any other stream of data can be hidden in ADS.

Finally, Windows Explorer provides a means by which very specific ADSs can be created (RUSS00). If the user opens Explorer and chooses a file, and then right-clicks on that file, a drop-down menu appears. Choosing "Properties" will open a Properties dialogue, and choosing the Summary tab will reveal fields in which the user can insert information. ADSs have no attributes of their own. The access rights assigned to the default unnamed stream control access for creating or viewing ADSs. Quite simply, if a user cannot write to a file, that user cannot add an ADS to that file. Further, while Windows File Protection prevents the replacement of protected system files, it does not prevent a user with the appropriate permissions from adding ADSs to those system files. The System File Checker (sfc.exe) will verify that protected system files have not been overwritten, but will not detect ADSs.

Users and administrators should also be aware of KB article Q319300, which states that the Windows 2000 Content Indexing Server adds Alternate Data Streams named "?Q30lsldxJoudresxAssqpcawXc" to image files on NTFS volumes. These ADSs contain thumbnails of the images.

Other Problems with ADS and some Good News

In the NTFS file system a facility exists to bind additional data to a file or directory, called an alternate data stream [url1][url2]. These Alternate Data Streams cannot be removed unless the parent file or directory is destroyed. Unfortunately most file wiping utilities only deal with the primary data stream and do not wipe the alternate data streams, thus leaving data intact. If data is stored in an alternate data stream attached to a file (such as the thumbnail of an image) or directory, then when this file or directory is wiped the information contained within the alternate data stream will be left intact on the hard drive. No warning is given to the user at all by Windows or the wiping programs. For example, if you use Windows Explorer (the default file browser in Windows) and have thumbnails of pictures enabled (the default setting), then the thumbnail of the image, once created (i.e. once the directory is viewed in Explorer), will not be deleted until you delete the file and wipe all free space. Alternate Data Streams also provide an ideal location for attackers and viruses to keep attack tools, snippets of virus code and so forth. In fact, some virus scanners do not scan Alternate Data Streams unless specifically configured to do so (often labeled as "scan all files" or similar).
The good news is that floppy disks and most other removable media are not formatted as NTFS, thus it is unlikely that copied files will contain the Alternate Data Streams. As well, not all compression programs, such as WinZip, copy the Alternate Data Streams, while others such as WinRAR do copy them. While it is unlikely that files with Alternate Data Streams will have made it to other systems with their Alternate Data Streams intact, it is possible, and any systems that have had sensitive data copied or moved to them should immediately have their free space wiped in order to ensure Alternate Data Streams containing sensitive information are not still present.
Details

Create a file with an Alternate Data Stream:

echo "this is a text file" > C:\file.txt

echo "this is the alternate data stream lkajhkl2" > C:\file.txt:alternate-data-stream
If you use forensics software to examine the hard drive you will find the string of text "this is the alternate data stream lkajhkl2" present on the drive.
Now, using the file wiper of your choice (BCWipe, etc.), choose the file C:\file.txt and wipe it. Use as many passes as you want.
Now examine the drive for the string "this is the alternate data stream lkajhkl2". You should be able to find it. To do this using Linux, simply create an image file of the drive and examine it using "grep" or "strings":

dd if=/dev/hdb1 of=windows-disk.img

grep "this is the alternate data stream lkajhkl2" windows-disk.img

or

strings windows-disk.img > windows-disk.strings

grep "this is the alternate data stream lkajhkl2" windows-disk.strings

As you will quickly discover, the data is easily found.
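Here is an added example, not from the original article, that ties together two points made above: the earlier note that a stream is simply another data attribute on the file record, and the raw disk image examined with grep. The Python below parses a single 1024-byte NTFS MFT FILE record of the kind such an image contains, applies the update sequence fixups, and lists every $DATA attribute with its name and size, so a named stream is found by structure rather than by searching for a string you already know. The record is constructed inline (a 1-byte unnamed stream plus a stream named hidden), the offsets follow the on-disk NTFS layout, and the function and helper names are my own.

```python
import struct
SECTOR, ATTR_DATA, ATTR_END = 512, 0x80, 0xFFFFFFFF   # sector size, $DATA type, list end

def apply_fixups(record):
    """Undo the update sequence array (USN written over each sector's last 2 bytes)."""
    rec, (usa_off, usa_count) = bytearray(record), struct.unpack_from("<HH", record, 4)
    for i in range(1, usa_count):
        if rec[i * SECTOR - 2:i * SECTOR] != rec[usa_off:usa_off + 2]:
            raise ValueError("fixup mismatch: torn write or not an MFT record")
        rec[i * SECTOR - 2:i * SECTOR] = rec[usa_off + 2 * i:usa_off + 2 * i + 2]
    return bytes(rec)

def list_data_streams(record):
    """(name, size, resident) per $DATA attribute; DIR and Explorer show only the '' one."""
    if record[:4] != b"FILE": raise ValueError("not a FILE record")
    rec, streams = apply_fixups(record), []
    off = struct.unpack_from("<H", rec, 0x14)[0]            # first attribute
    while True:
        atype, alen, nonres, nlen, noff = struct.unpack_from("<IIBBH", rec, off)
        if atype == ATTR_END or alen == 0:
            break
        if atype == ATTR_DATA:
            name = rec[off + noff:off + noff + 2 * nlen].decode("utf-16-le")
            size = (struct.unpack_from("<Q", rec, off + 0x30)[0] if nonres  # real size
                    else struct.unpack_from("<I", rec, off + 0x10)[0])     # content len
            streams.append((name, size, not nonres))
        off += alen
    return streams

def _resident(name, content):
    """Constructed resident $DATA attribute, 8-byte aligned as NTFS requires."""
    nm = name.encode("utf-16-le")
    coff = 0x18 + len(nm) + (-(0x18 + len(nm)) % 8)        # content offset
    total = coff + len(content) + (-(coff + len(content)) % 8)
    hdr = struct.pack("<IIBBHHHIHH", ATTR_DATA, total, 0, len(name), 0x18, 0, 0,
                      len(content), coff, 0)
    return (hdr + nm).ljust(coff, b"\0") + content.ljust(total - coff, b"\0")

def build_sample_record():
    """Constructed record: 1-byte unnamed stream plus 'hidden' (echo ... > thefile.txt:hidden)."""
    attrs = _resident("", b"x") + _resident("hidden", b"This is an ADS")
    rec = bytearray(1024)
    rec[:4], rec[0x30:0x32] = b"FILE", b"\x01\x00"          # signature, USN = 1
    struct.pack_into("<HH", rec, 4, 0x30, 3)                # USA at 0x30, 3 words
    struct.pack_into("<HHII", rec, 0x14, 0x38, 1, 0x38 + len(attrs) + 8, 1024)
    rec[0x38:0x38 + len(attrs) + 4] = attrs + struct.pack("<I", ATTR_END)
    for i in (1, 2):                                        # fix up both sectors
        rec[0x30 + 2 * i:0x32 + 2 * i] = rec[i * SECTOR - 2:i * SECTOR]
        rec[i * SECTOR - 2:i * SECTOR] = b"\x01\x00"
    return bytes(rec)
```

Run against the sample record it reports the unnamed stream at 1 byte (all DIR would show) and the stream hidden at 14 bytes; point list_data_streams at a 1024-byte FILE record cut from a real image to get the same listing for a real file.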
 
Alternate Data Streams are only available on NTFS file systems, making home users with older systems (Windows 95, Windows 98, Windows ME) immune to this problem. But newer systems based on Windows XP are capable of using NTFS, thus potentially exposing customers to risk. NTFS is also available on most corporate systems such as Windows NT, Windows 2000 and Windows XP.

Another "feature" of Alternate Data Streams is that they cannot be deleted. If you have an Alternate Data Stream attached to a file you cannot delete it; you can write other data to the stream, however you cannot reliably delete it.

To overwrite an Alternate Data Stream simply place more data into it, for example:
echo "this will overwrite existing data in the stream" > C:\file.txt:alternate-data-stream
or

type notepad.exe > C:\file.txt:alternate-data-stream

Is there any way I can detect ADS?

Yes. There are now ways in which you can detect ADS. A list of programs is given below which shall help you detect them on your computer, though Microsoft provides no means to detect them.

1. Lads.exe from www.heysoft.de

2. JD Glaser's command line ADS finder, SFIND (contained in the Forensic Toolkit): http://www.ntobjectives.com/forensic.htm

3. MARCH Information Systems has developed a command line utility which solves the problem of hidden data by checking a machine for the existence of non-default streams (a 'data' and a 'security descriptor' stream exist on every NTFS file and directory). The utility searches an NTFS disc, locating and reporting the size and, more importantly, the name of every Alternate Data Stream detected. If desired it will even report the sizes of the standard streams. http://www.march.co.uk

    

Now, people with Windows XP who have FAT32 or higher as their file system don't need to worry, because ADS works only in the NTFS file system.