Summary: Alternate data streams are a little known and little understood feature of NTFS that allows information to be effectively hidden within other files.
What about the threat of alternate data streams on NTFS file systems?
That's actually an excerpt from a longer question I got last year that I want to address separately.
Alternate data streams are a very interesting feature of the NTFS file system that not many people know about.
The security threat the question alludes to is that alternate data streams allow data to be trivially hidden on an NTFS-formatted hard disk in a way that is difficult to detect.
First, let's define just what an alternate data stream is.
Think of it as a "file within a file".
To begin with, it's an NTFS-only feature. So if your hard disk is formatted using the FAT file system, then none of this applies to you.
I'll show by example. And unfortunately, for reasons we'll see in a moment, we'll need to do this in a Windows command shell.
First, create a text file with anything in it, using the "echo" command and file redirection:
C:> echo The quick brown fox jumped over the lazy dog. >textfile.txt
As you might expect, that puts the text into the text file "textfile.txt":
C:> type textfile.txt
The quick brown fox jumped over the lazy dog.
C:>
And have a look at the directory listing for the file:
C:> dir textfile.txt
Volume in drive C is LEO
Volume Serial Number is 3007-E4F1
Directory of C:\
06/14/2007 03:35 PM 48 textfile.txt
All is as we would expect.
Now, run this command:
C:> echo Where oh where has my little dog gone? >textfile.txt:hidden
This looks like we're creating a new file called "textfile.txt:hidden", but we're not. We're creating an alternate data stream within the file "textfile.txt" by the name of "hidden".
In fact, we can examine that just like the first:
C:> type textfile.txt:hidden
The filename, directory name, or volume label syntax is incorrect.
C:>
Oh. Apparently we can't do it exactly the same. We can do this, though:
C:> more <textfile.txt:hidden
Where oh where has my little dog gone?
C:>
And the original "default" data stream is still there too:
C:> type textfile.txt
The quick brown fox jumped over the lazy dog.
C:>
And yet, there's only the one file:
C:> dir textfile*
Volume in drive C is LEO
Volume Serial Number is 3007-E4F1
Directory of C:\
06/14/2007 03:39 PM 48 textfile.txt
There are two very interesting things to note about that last directory listing:
The size of the file is unchanged. In fact, the size (48) reflects only the size of the default data stream. There could be very large alternate data streams attached to the file and you wouldn't see them.
The timestamp on the file did change when the alternate data stream was added, but that's the only visible indication that anything happened, with the possible exception that free space on the drive in question went down.
The alternate "hidden" data stream is just that: very well hidden. You wouldn't know to look for it unless ... well, unless you knew to look for it.
The Risk
So that was all an interesting exercise in hiding data, and I'm sure that several folks will now look at hiding sensitive information or their pornography collection in alternate data streams in otherwise innocuous looking files.
But it gets worse.
Let's do this:
c:> type c:\windows\system32\calc.exe >textfile.txt:calc.exe
What this has done is copy the Windows calculator program into an alternate data stream called "calc.exe" inside of "textfile.txt". Once again, aside from its timestamp changing, "textfile.txt" still looks like a 48-byte text file that contains only one line of text.
And yet, we can now do this:
c:>start c:\textfile.txt:calc.exe
which launches the hidden copy of calc.exe from its alternate data stream inside of "textfile.txt".
Imagine if that weren't calc.exe at all.
Imagine if that were malware.
Alternate Data Stream Limitations
If you copy a file with alternate data streams to another NTFS partition, then the streams are retained. However if you copy the file to a FAT or other file system that does not support alternate data streams, the streams will be silently lost in the copy. Only the default stream will be copied.
Since many programs operate very much like a copy operation, it seems to me that it would be very easy to lose your alternate data streams if you operate on a file that has them. For example when I edited the example textfile.txt in a random text editing program, the alternate streams were stripped off when the file was saved.
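The command-shell session above, together with the copy caveat just described, redone in PowerShell. This is an added example, not code from the original article: it creates the same "hidden" and "calc.exe" streams, shows that the file's Length ignores them while a stream listing does not, and then copies the file and reports which streams, if any, did not survive the copy. It assumes a Windows machine whose temporary folder is on an NTFS volume; the "ads-demo" folder name and the Test-StreamsPreserved function are my own, and the stream names are the article's.

```powershell
# Added example (not from the original article). Works in Windows PowerShell 5.1
# and PowerShell 7; the folder below is hypothetical and assumed to be on NTFS.
$dir  = Join-Path $env:TEMP 'ads-demo'
New-Item -ItemType Directory -Path $dir -Force | Out-Null
$file = Join-Path $dir 'textfile.txt'

# Default (:$DATA) stream, equivalent to:  echo ... >textfile.txt
Set-Content -Path $file -Value 'The quick brown fox jumped over the lazy dog.'

# Alternate stream, equivalent to:  echo ... >textfile.txt:hidden
Set-Content -Path $file -Stream 'hidden' -Value 'Where oh where has my little dog gone?'

# Binary payload in a stream, equivalent to:  type calc.exe >textfile.txt:calc.exe
# (byte output is spelled differently in PowerShell 5.1 and 7)
$payload = [IO.File]::ReadAllBytes((Join-Path $env:SystemRoot 'System32\calc.exe'))
if ($PSVersionTable.PSVersion.Major -ge 6) {
    Set-Content -Path $file -Stream 'calc.exe' -Value $payload -AsByteStream
} else {
    Set-Content -Path $file -Stream 'calc.exe' -Value $payload -Encoding Byte
}

# What "dir" shows: Length counts the default stream only; the timestamp did move.
Get-Item -LiteralPath $file | Select-Object Name, Length, LastWriteTime

# What "dir" does not show: every stream on the file and its real size.
Get-Item -LiteralPath $file -Stream * | Select-Object Stream, Length

# Read the alternate stream back, equivalent to:  more <textfile.txt:hidden
Get-Content -LiteralPath $file -Stream 'hidden'

# Copy the file and report which streams did not survive the copy. On an NTFS
# destination Lost is empty; on a destination without stream support (FAT, a
# network share that drops them) the named streams show up as lost.
function Test-StreamsPreserved {
    param([string]$Source, [string]$Destination)
    Copy-Item -LiteralPath $Source -Destination $Destination -Force
    $want = @((Get-Item -LiteralPath $Source      -Stream * -ErrorAction SilentlyContinue).Stream | Where-Object { $_ })
    $have = @((Get-Item -LiteralPath $Destination -Stream * -ErrorAction SilentlyContinue).Stream | Where-Object { $_ })
    [pscustomobject]@{
        Destination = $Destination
        Lost        = @($want | Where-Object { $_ -notin $have })
    }
}
Test-StreamsPreserved -Source $file -Destination (Join-Path $dir 'copy.txt')

# A single stream can be removed without touching the file's own data.
Remove-Item -LiteralPath $file -Stream 'calc.exe'
Get-Item -LiteralPath $file -Stream * | Select-Object Stream, Length
```

The stream listing names the default stream ":$DATA"; anything else in that column is an alternate stream. Run Test-StreamsPreserved with a destination on a FAT-formatted USB stick to see the "silently lost" behaviour described above for yourself.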
The Real Problem
As we've seen, support for alternate data streams is sporadic. I couldn't create one in Notepad, for example, but it's easy to do in a command shell. You can't "type" one directly, but an alternate data stream is easily created and viewed when used as the target of input or output redirection. And we've just seen how easy it is to run one using the command prompt's "start" command, but you can't just execute it like a normal program by typing it into the Start menu's Run command.
In fact, alternate data streams are simple to use in programs that support them, but very few actually do. More to the point, alternate data streams are almost impossible to detect without third-party software. Even worse, they're typically not scanned by anti-virus and anti-spyware packages. As a result, not only could data be very effectively hidden on your machine, that "data" could easily include malware.
Fortunately, to date, I'm not aware of any malware taking advantage of alternate data streams.
Solutions?
Alternate Data Streams cannot be turned off.
There are no tools built into Windows (as of Windows XP, current when this was written) that will let you look for the presence of alternate data streams. Later versions did add some: starting with Windows Vista, "dir /R" lists a file's streams, and in PowerShell "Get-Item -Stream *" does the same.
The only solution I'm aware of to date is a third party utility, lads.exe (List Alternate Data Streams). If I run that on the file I've created as my example, I see this:
c:>lads
LADS - Freeware version 4.10
(C) Copyright 1998-2007 Frank Heyne Software (http://www.heysoft.de)
This program lists files with alternate data streams (ADS)
Use LADS on your own risk!
Scanning directory C:\
size ADS in file
---------- ---------------------------------
114688 C:\textfile.txt:calc.exe
41 C:\textfile.txt:hidden
If you like, you can use lads.exe to scan your entire hard drive for files with alternate data streams.
The presence of an alternate data stream does not necessarily indicate a problem. In fact, I found a couple of valid instances on my machine when I scanned. I was surprised, but they were there and they were valid.
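The same kind of scan that lads.exe performs, written as an added PowerShell example that is not part of the original article and not LADS itself. It walks a directory tree, lists every alternate stream it finds, skips the Zone.Identifier stream (the "mark of the web" that Windows attaches to downloaded files, one of the valid instances you will find on any machine), and flags streams whose first two bytes are the "MZ" header of a Windows executable, which is exactly the calc.exe case above. The function names and the Ignore list are my own choices.

```powershell
# Added example (not from the original article, not LADS). Windows PowerShell 5.1 or 7.
function Get-StreamHead {
    # Read the first $Count bytes of a named stream; byte input differs between 5.1 and 7.
    param([string]$File, [string]$Stream, [int]$Count = 2)
    $p = @{ LiteralPath = $File; Stream = $Stream; TotalCount = $Count; ErrorAction = 'SilentlyContinue' }
    if ($PSVersionTable.PSVersion.Major -ge 6) { $p['AsByteStream'] = $true } else { $p['Encoding'] = 'Byte' }
    [byte[]]@(Get-Content @p)
}

function Find-AlternateDataStreams {
    param(
        [Parameter(Mandatory)][string]$Path,
        [string[]]$Ignore = @('Zone.Identifier')   # known-benign stream names to skip
    )
    Get-ChildItem -LiteralPath $Path -Recurse -File -Force -ErrorAction SilentlyContinue |
      ForEach-Object {
        $file = $_.FullName
        # ':$DATA' is the file's own (default) stream; anything else is an ADS
        Get-Item -LiteralPath $file -Stream * -ErrorAction SilentlyContinue |
          Where-Object { $_.Stream -ne ':$DATA' -and $_.Stream -notin $Ignore } |
          ForEach-Object {
            $head = Get-StreamHead -File $file -Stream $_.Stream
            [pscustomobject]@{
                File       = $file
                Stream     = $_.Stream
                Length     = $_.Length
                # 0x4D 0x5A = "MZ", the header every Windows .exe/.dll starts with
                Executable = ($head.Length -ge 2 -and $head[0] -eq 0x4D -and $head[1] -eq 0x5A)
            }
          }
      }
}

# Scan the root of C: the way "lads" did above; executables float to the top.
Find-AlternateDataStreams -Path 'C:\' |
    Sort-Object Executable -Descending |
    Format-Table File, Stream, Length, Executable -AutoSize

# To delete a stream you have decided is unwanted, without touching the file's own data:
#   Remove-Item -LiteralPath C:\textfile.txt -Stream calc.exe
```

A whole-drive scan takes a while and needs an elevated prompt to read into folders such as System Volume Information; point -Path at a single folder first. A hit is a reason to look, not proof of a problem: Zone.Identifier, favicon streams on Internet Explorer favourites, and the "encryptable" stream on some system folders are all legitimate, which is why the Ignore list exists and why the executable flag matters more than the count.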
The Bottom Line: Should You Worry?
No. Not yet anyway.
Alternate data streams have been around for a long time. Their lack of consistent support across applications is probably their undoing for malware creators as well. However since NTFS has become so popular in recent years, it wouldn't surprise me to see malware start to take advantage of alternate data streams as a way to hide themselves, or the data that they may be collecting.
In the mean time, if you're concerned, use the lads.exe utility to scan your system to see if you have any.
And of course, it's a very handy way to hide information on your machine. It's not bulletproof, as we've seen, but it's certainly one way to keep the presence of certain files or data from being immediately obvious to the casual observer.
Related:
Ask Leo! - Is there a limit to what a single folder or directory can hold?
Ask Leo! - Should I use Windows File Compression?
Article C3057 - June 14, 2007
Is there a reason that alternate data streams exist?
Posted by: Dan Ullman at June 15, 2007 8:51 AM
To be honest, I'm not sure. I've heard tell that they were an attempt to
provide the same functionality as "forks" I think it is on Macintosh systems at
the time. If so, I think it was doomed for backwards-compatibility reasons.
But I'm not totally sure.
And again, once in, it's incredibly difficult to remove a "feature" -- for
backwards compatibility reasons. :-(
Leo
Posted by: Leo A. Notenboom at June 15, 2007 9:21 AM
Just downloaded and installed LavaSoft Ad-Aware2007. On the Settings page there is a button for "Scan Alternate Data Streams". When I saw this I had no idea what it was about. It is a nice coincidence your newsletter has an article on Alternate Data Streams. So there is now at least one way to scan for Alternate Data Streams.
Thank you Leo.
Posted by: Ken Crook at June 16, 2007 9:32 PM
Actually there are malware exploiting ADS, else Ad-Aware and other s/w wouldn't be scanning them.
Posted by: George Birbilis at June 17, 2007 2:23 AM
Hello Leo,
The erasure software programme 'Cyberscrub' provides an option to erase Alternate Data Stream files. CyberScrub warns that it will try to save the ADS Main File(s) when it is deleting the others, but it does not guarantee that it will be able to do so. Are these Main Files essential to the healthy operation of the platform (XP) - can I risk their erasure? Can anyone know? If CyberScrub fails to preserve one, some, or all of the Main Files, will these be regenerated, if necessary/essential, at the next boot, or could erasure result in a catastrophe?
It seems a wee bit anomalous that a programme which is designed to execute comprehensive erasure processes cannot in fact do this safely, because of the existence of these files which move in mysterious ways.
Cyberscrub searches for, and identifies, the ADS files on your system. The ADSs it finds on mine are as follows:-
C:\Documents and Settings\All Users\...1: :encryptable $DATA (1 entry)
C:\Documents and Settings\My Name\...1 :Zone Identifier:$DATA (3 identical entries)
C:\Documents and Settings\My Name\...1 :Favicon:$DATA (1 entry)
C:\RECYCLER\S-1-5-21-124738149-13...1 :Zone Identifier:$DATA (3 identical entries)
C:\System Volume Information\_restor... :Zone Identifier:$DATA (4 identical entries)
and then dozens of these:-
C:\System Volume Information\_restor :a:$DATA
Perhaps it is all imponderable.
Best wishes,
MD
Posted by: Michael Dalton at December 11, 2007 8:12 AM