Alternate Data Stream =
(ADS)
Greeting’s my fellow humans beings my cyber name is ragh= ag and today I will tell you something (actually a lot) about ADS… no no I wouldn’t tell anything about Britney Spears promoting a cola company. It’s something different ADS don’t mean advertisement it mean Alternate Data Stream which is a feature in Windows NT file system named NT= FS (New Technology File System). Let me explain the origin of ADS in Windows a= s a story.
Once upon a time when the politicians were honest and software companies shipped software with less bugs, a child was born, his parent com= pany named him Windows NT but whenever the chi= ld was out to play in software parks he found it difficult to play with other chil= dren like Mac cause apple used a language call= ed Macintosh Hierarchical File System (HFS) and Windows NT used NTFS so they c= ouldn’t communicate properly, so Windows parent gave their son some special feature called Additional Data Stream so that it exchange information with his frie= nd Mac….
Some of us who have used both Macintosh and Windows as OSs might have come across a strange thing that unlik= e in Windows in MacOS files don’t generally extension’s like exe, doc, fla, txt and o= thers but still the operating system is able to associate file. Tis is basically due to the fact that Macintosh files have two “forksR= 21;. The resource fork, which contains this information, and the data fork, which contains the executable code itself. Now more often than not there is a communication between Windows box and a Mac now how the file association ca= n be maintained and recognized was a bit problem. When Windows NT 3.1 came out, = it had compatibility support for AppleTalk, meaning that NT and MacOS users co= uld easily exchange data. This caused a problem however, since there was no way= to copy the resource fork and the data fork of a file directly onto the NT file system. Doing so would only copy the data fork, since the resource fork wasn’t physically in the file, but in a separate stream. (In other wo= rds, the data and resource fork don’t occupy the same cluster on disk, or = are part of the same contiguous file). Microsoft then had to implement NTFS ADS= , which meant that NT would see the resource fork as another stream, and would be a= ble to copy it along with the file onto a Macintosh computer.
This was a bit about history of ADS and it’s purpose as = was in the Microsoft when it created ADS. But in time things changed and ADS became more feature rich and so the problem associate with it… So u want to = know what’s wrong with ADS? Here you go…
The current problem with streams is that many Windows NT users= (including administrators) are not aware that streams exist and even if they know of t= hem have no simply method of detecting them. Microsoft does not provide tools f= or reporting what streams exist!
E=
xplaining
you ADS again
<= o:p>
NTFS supports multiple data streams, where the stream name identifies a new data attribute on the file. A handle can be opened to each data stream. A data stream, then, is a unique set of file attributes. Strea= ms have separate opportunistic locks, file locks and sizes, but common permissions.
This feature enables you to manage data as a single unit. The following is an example of an alternate stream:
myfi= le.dat:stream2
A library of files might exist where the files are defined as alternate streams, as in the following example:
library:file1
= :file2
= :file3
A file can be associated with more than one application at a t= ime, such as Microsoft® Word and Microsoft® WordPad. For instance, a file structure like the following illustrates file association, but not multiple files:
program: source_file
= := doc_file
= :object_file
= :executable_file
You can have a file with 1 byte in the official main data stre= am and some hundred MB in one or more alternate data streams. What do you expect t= he DIR command, file manager or explorer to show as the size of this file? It is 1 byte! That means a freak can hide quite a lot of data in Alternate Data Str= eams and nobody will know.
So
What’s Wrong With ADS?
Well anyone who has access to your computer can play a dirty t= rick like the one I am going to mention. Well, he can create a text file, lets s= ay 1 byte file, and can add a 4 GB data to it in alternate stream so your 4 GB s= pace will be eaten up and what happens when you check that innocent text file th= e Windows Explorer will show it’s size only as 1 byte and will give you no information about 4 GB data associated with that file in Alternate Data Str= eam. Also the DIR command will fail to give you any information about alternate = data stream.
One of the worst things that can be done is to attach a binary= file or exe to a text file and every time that text file is run the exe will also run without knowledge. And trust me, CTRL+ALT+DEL will also be helpless in detecting the exe and to tell you a virus writer could possibly attach a vi= rus or Trojan in your explorer.exe as Alternate Stream, which means the virus/T= rojan will run every time your PC starts without your antivirus getting any air of it.
T=
he
information in this article applies to:
Microsoft Win32 Application Programming Interface
(API), when used with:
= &nb= sp;
W=
hat are Antivirus
Companies Doing?
&= nbsp; Trust me your current antivirus is absolutely helpless in detecting a virus or Tr= ojan attached to any file on your system. Every antivirus only checks the main stream for virus/Trojan and their signature, and they overlook the ADS. Thi= s is something that makes virus writer a happy person. But Kaspersky Labs, an AV Vendor, has decided to put out a dire warning about ADS based on their alle= ged discovery of a virus which uses ADS. They say it hasn't been seen in the wi= ld, nor have they had any reports of any infections, yet they've done an extens= ive press release about it claiming that it "represents a new generation of malicious programs for Windows 2000".
&= nbsp; "By default, antivirus programs check only the main data stream. There will be = no problems protecting users from this particular virus," -Eugene Kaspersky continues- "however, the viruses c= an move to Additional Data Streams. In this case, many antivirus products will become obsolete, and their vendors will be forced to urgently redesign their antivirus engines."
&= nbsp; So your current antivirus shall be of little help in case a virus is exploiting the ADS feature so you better keep in touch with your antivirus vendor and = find out if the gave the necessary update for this problem. It seems so far only Kaspersky Labs are providing antiviral solution to this problem.
H= ow do I ADD a file to Alternate data Stream ?
H=
ere are
few examples:
&nbs=
p; The
syntax used to create ADSs is relatively simple and straightforward. To cre=
ate
an ADS associated with the file "thefile.txt", simply separate the
default stream name from the ADS name with a colon.
=
c:\ads>echo
This is an ADS > thefile.txt:hidden
&nbs=
p; Additionally,
an ADS can be created using the contents of another file.
=
c:\ads>echo
This is a test file > test.txt
=
c:\ads>type
test.txt > thefile.txt:hidden
&nbs=
p; The
ADS can then be verified using Notepad.
=
c:\ads>notepad
thefile.txt:hidden
&nbs=
p; However,
none of the variations of the DIR command nor any available switches or
settings for Windows Explorer will detect the presence of these newly creat=
ed
ADS.
&nbs=
p; Additionally,
ADSs can be created and associated with the dir=
ectory
listing, rather than a file. This peculiarity will take on some significance
later in this article, but for now it’s sufficient to describe how su=
ch
ADSs can be created.
=
c:\ads>echo
This ADS is tied to the directory listing > :hidden
&nbs=
p; ADSs of this type can be created with Notepad and the
‘type’ command, as well.
&nbs=
p; The
content of ADSs should not be considered limited to simply text data. Any
stream of binary information can constitute a file, and the ADS is nothing =
more
than a file. Executables can be hidden in ADS quite easily.
=
c:\ads>type
c:\winnt\notepad.exe > myfile.txt:np.exe
=
c:\ads>type
c:\winnt\system32\sol.exe > myfile.txt:sol2.exe
&nbs= p; Similarly, image files, audio files or any other stream of data can be hidden in ADS.<= o:p>
&nbs=
p; Finally,
Windows Explorer provides a means by which very specific ADSs can be created
(RUSS00). If the user opens Explorer and chooses a file, and then right-cli=
cks
on that file, a drop-down menu appears. Choosing "Properties" will
open a Properties dialogue, and choosing the Summary tab will reveal fields=
in
which the user can insert information. ADSs have no attributes of their own.
The access rights assigned to the default unnamed stream control access for
creating or viewing ADSs. Quite simply, if a user cannot write to a file, t=
hat
user cannot add an ADS to that file. Further, while Windows File Protection
prevents the replacement of protected system files, it does not prevent a u=
ser
with the appropriate permissions from adding ADSs to those system files. The
System File Checker (sfc.exe) will verify that protected system files have =
not
been overwritten, but will not detect ADSs.
&nbs=
p; Users
and administrators should also be aware of KB article =
Q319300,
which states that the Windows 2000 Content Indexing Server adds Alternate D=
ata Streams
named "?Q30lsldxJoudresxAssqpcawXc" to image files on NTFS volume=
s.
These ADSs contain thumbnails of the images.
&nbs=
p;
Other Problems with ADS and some Good News
&= nbsp; In the NTFS file system a facility exists to bind = additional data to a file or directory, called an alternate data stream [ur= l1][url2]. These Alternate Data Streams cannot be be removed, unless the parent file or directory is de= stroyed. Unfortunately most file wiping utilities only deal with the primar= y data stream and do not wipe the alternate data streams, thus leaving data= intact. <= span lang=3DEN-US style=3D'font-size:14.0pt;mso-bidi-font-size:10.0pt;font-famil= y:"Times New Roman"'>If data is stored in an alternate data stream attached= to a file (such as the thumbnail of an image) or directory when this file = or directory is wiped the information contained within the alternate data s= tream will be left intact on the hard drive. No warning is given to the use= r at all by Windows or the wiping programs. For example if you use Windows = Explorer (the default file browser in Windows) and have thumbnails of pictu= res enabled (the default setting), then the thumbnail of the thumbnail imag= e, once created (i.e. once the directory is viewed in Explorer) will not be= deleted until you delete the file and wipe all free space. Alternate Data = Streams also provide an ideal location to keep attack tools, snippets of vi= rus code and so forth for attackers and viruses. In fact, some virus scanne= rs do not scan Alternate Data Streams unless specifically configured to do = so (often labeled as "scan all files" or similar).