Alternate Data Streams… WARNING

I came across this issue today… thankfully my network environment security uses both eTrust and Tripwire, so this should not be a big problem here, but I think it should be watched for. Basically, this is a way to hide spyware or incriminating (hacker) tools by "forking" a file into an alternate data stream (ADS) of another file. The host file's size, as shown by dir and Explorer, stays the same, because they report only the unnamed (default) data stream; the only visible change is the modification date. Note that a program launched out of a stream is still listed by Task Manager and Process Explorer (with the stream name in its path), so what is hidden is the file on disk, not the running process. Also, streams exist only on NTFS: copying the host file to a FAT volume (or sending it by e-mail or FTP) silently drops the hidden stream rather than corrupting it.

I have learned this info from and there are illustrations there to view.

I tested this on my computer running Windows XP Professional SP2, using an executable that a buddy of mine wrote. Here is what I did from the command prompt; first I used the MD5 Checksum Tool by Ferruh Mavituna to compare hashes before and after I used ADS to hide the Adminblocking tool AcidVirus wrote.

Guess what? The MD5 checksum didn't change even after I used ADS and "forked" Adminblocking.exe into the built-in calc.exe. I also found a freeware tool called LADS.exe that will search through directories and list all ADS by name.
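The same experiment, redone in PowerShell instead of the XP-era command prompt, as an added example that is not from the original post or from any of the tools it names (MD5 Checksum Tool, LADS). It assumes a current Windows build with PowerShell 5.1 or later and that %TEMP% is on an NTFS volume; the carrier file, payload file and stream name are stand-ins constructed here, so the real calc.exe is never touched. It shows why the size and MD5 stay the same (both read only the unnamed stream), which attribute does change, how to read the hidden stream back, and a small directory walk that lists named streams the way LADS does.

```powershell
# Added example (not from the original post). Assumes Windows 10 or later, PowerShell 5.1+,
# and that $env:TEMP is on an NTFS volume. File names, contents and the stream name are
# constructed stand-ins for the post's calc.exe / Adminblocking.exe.
$work    = Join-Path $env:TEMP 'ads-demo'
$carrier = Join-Path $work 'carrier.exe'   # stand-in for calc.exe
$payload = Join-Path $work 'payload.exe'   # stand-in for Adminblocking.exe
$stream  = 'payload.exe'                   # name of the alternate stream
New-Item -ItemType Directory -Path $work -Force | Out-Null
Set-Content -Path $carrier -Value 'pretend this is calc.exe'          -NoNewline
Set-Content -Path $payload -Value 'pretend this is Adminblocking.exe' -NoNewline

# Baseline: what dir/Explorer and an MD5 tool see. Both look only at the unnamed
# stream (listed as ':$DATA' further down), never at other streams on the file.
$before     = Get-Item -Path $carrier
$hashBefore = (Get-FileHash -Path $carrier -Algorithm MD5).Hash
Start-Sleep -Seconds 2                     # so a LastWriteTime change is visible

# "Fork" the payload into an alternate stream of the carrier. The cmd.exe equivalent
# is:  type payload.exe > carrier.exe:payload.exe
Set-Content -Path $carrier -Stream $stream -Value (Get-Content -Path $payload -Raw) -NoNewline

$after     = Get-Item -Path $carrier
$hashAfter = (Get-FileHash -Path $carrier -Algorithm MD5).Hash
"Length        before/after : $($before.Length) / $($after.Length)"               # unchanged
"MD5           before/after : $hashBefore / $hashAfter"                            # unchanged
"LastWriteTime before/after : $($before.LastWriteTime) / $($after.LastWriteTime)"  # changed

# The hidden data is still there and readable by name ...
Get-Content -Path $carrier -Stream $stream
# ... and every stream on the file can be enumerated (what LADS does, and what
# 'dir /r' does from cmd.exe on Vista and later):
Get-Item -Path $carrier -Stream * | Select-Object Stream, Length

# Poor man's LADS: walk a tree and report every named stream. 'Zone.Identifier' is the
# normal mark-of-the-web stream on downloaded files, so it is filtered out as noise.
function Find-AlternateStreams {
    param([Parameter(Mandatory)][string]$Root)
    Get-ChildItem -Path $Root -Recurse -File -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            Get-Item -LiteralPath $_.FullName -Stream * -ErrorAction SilentlyContinue |
                Where-Object { $_.Stream -ne ':$DATA' -and $_.Stream -ne 'Zone.Identifier' } |
                Select-Object FileName, Stream, Length
        }
}
Find-AlternateStreams -Root $work

# Streams are an NTFS feature. Copy-Item between two NTFS volumes keeps them, but copying
# the carrier to a FAT32/exFAT volume (or mailing it) silently drops the stream. Check a
# target with (Get-Volume -DriveLetter X).FileSystem before relying on either behaviour.

# Clean up the stream; the carrier's unnamed stream is untouched.
Remove-Item -Path $carrier -Stream $stream
```

Two things worth keeping in mind when reading the output: Get-FileHash and a FileInfo's Length describe the unnamed stream only, which is exactly why a file-integrity baseline built from hashes alone misses a planted stream, and the stream enumeration depends on NTFS, so Find-AlternateStreams reports nothing on FAT or exFAT volumes even though a copy there has already lost the hidden data.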

So, obviously this can be used by a malicious person to hide keyloggers, bots, or any number of tools they would want to hide. I plan on researching this more as it piques my interest, and possibly writing some kind of Perl script to defend against it or even one to simplify the whole process…

Network Security, Tutorials/Whitepapers, Virus Alerts, Windows
