Posted by Jose, 11 August, 2009


Users play a key role in computer security. They can compromise a computer's security by, for example, running a file attached to an email from an unknown sender.

However, not even users who take every necessary precaution are completely safe. Threats are often hard to identify, or not visible at all. Today I'd like to talk to you about Alternate Data Streams (ADS), a feature of the NTFS file system (Microsoft's current standard file system).

Don't worry, I won't bore you with technicalities. Basically, an Alternate Data Stream is an extra, named block of data attached to an ordinary file: a file within a file. Windows Explorer and most other tools show only the main, unnamed stream, and the file size they report ignores any others, which makes streams a convenient place to hide information.
Follow the steps below if you are curious about this:

  1. Create a folder on your C: drive. Name it TestADs, for example.
  2. Copy your favorite song to that folder.
  3. Create a text file in the folder, containing the sentence "Nothing is what it seems". Name it Ads.txt, for example.


Dump the song into the text file, creating an Alternate Data Stream (ADS):


At this point this is what you have in the folder:

  • A text file (1 KB).
  • The song (several MBs in size).

Delete the song. The folder now appears to contain only the text document: in Windows Explorer you will see a single 1 KB file, because Explorer reports only the size of the file's main content, not of any streams attached to it. If you open it, it still contains only the sentence you entered before: "Nothing is what it seems". So far, so good. However, if you run the command below…

[Screenshot: the command used to open the Alternate Data Stream from the command line]

Voilà, the song starts playing. Isn't it amazing? How can that be, when you had deleted it? You deleted the original file, but before doing so you had copied its contents into an Alternate Data Stream attached to the text file, and Windows Explorer shows neither the stream nor its size. Microsoft's position is that streams are not meant to be browsed by end users, only by the applications that use them (Windows itself uses one: the Zone.Identifier stream that marks files downloaded from the Internet). From Windows Vista and Windows Server 2008 onwards, the DIR command accepts the /R switch to list the streams of each file. On earlier versions there is no built-in way to tell whether a file carries a stream at all; a third-party tool such as Sysinternals Streams is needed. Note also that streams exist only on NTFS: copying the file to a FAT-formatted USB stick, or sending it as an email attachment, drops them silently.
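The whole procedure, followed by the checks a practitioner would run to find and recover such a stream, as an added PowerShell example (not the original post's commands, which were only shown as screenshots). It assumes an NTFS C: drive, PowerShell 3.0 or later for the -Stream parameters, and a song at the assumed path in $Song; adjust that path before running.

```powershell
# Added example: hide a file in an NTFS Alternate Data Stream, then detect and recover it.
# Assumptions: NTFS volume at C:, PowerShell 3.0+, $Song points at an existing MP3 (assumed path).
$Folder = 'C:\TestADs'
$Song   = 'C:\Users\Public\Music\song.mp3'   # assumed; change to your own song

# Steps 1-3 of the post: folder, song copy, text file with the sentence.
New-Item -ItemType Directory -Path $Folder -Force | Out-Null
Copy-Item -Path $Song -Destination (Join-Path $Folder 'song.mp3')
Set-Content -Path (Join-Path $Folder 'Ads.txt') -Value 'Nothing is what it seems'

# Step 4: copy the song's bytes into a named stream of Ads.txt.
# cmd's "type" with ">" is used on purpose: it copies raw bytes, while PowerShell's
# own redirection would re-encode the data as text and corrupt the MP3.
cmd /c "type `"$Folder\song.mp3`" > `"$Folder\Ads.txt:song.mp3`""

# Step 5: delete the original. A directory listing now shows only a tiny Ads.txt,
# because the reported length covers the default stream only.
Remove-Item (Join-Path $Folder 'song.mp3')
Get-ChildItem $Folder

# Detection, built-in since Vista: dir /R prints every stream next to its file.
cmd /c "dir /R `"$Folder`""

# Detection, PowerShell: ':$DATA' is the normal content; anything else is an ADS.
Get-Item (Join-Path $Folder 'Ads.txt') -Stream * | Select-Object FileName, Stream, Length

# Sweep a whole tree for files carrying extra streams. Expect legitimate hits too,
# e.g. Zone.Identifier on downloaded files, so review before treating as malicious.
Get-ChildItem -Path $Folder -Recurse -File | ForEach-Object {
    Get-Item -LiteralPath $_.FullName -Stream * |
        Where-Object { $_.Stream -ne ':$DATA' }
} | Select-Object FileName, Stream, Length

# Recovery: read the hidden stream back into an ordinary file, then play it.
# "more <" reads the stream through stdin, again copying raw bytes.
cmd /c "more < `"$Folder\Ads.txt:song.mp3`" > `"$Folder\recovered.mp3`""
Start-Process (Join-Path $Folder 'recovered.mp3')

# Remove only the stream; the visible text in Ads.txt is untouched.
Remove-Item (Join-Path $Folder 'Ads.txt') -Stream song.mp3
```

After the Remove-Item at the end, rerunning the Get-Item -Stream * line shows only :$DATA, which is the quickest way to confirm a file is clean. The sweep loop is the part worth keeping in a toolbox: run it against user profile and temp directories, and whitelist the stream names your own software is known to create.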

This feature can be abused by malware authors to hide executable code inside apparently harmless files, where a casual look at the folder, or at the file's size, reveals nothing. Code in a stream still has to be launched by something, so a stream is a hiding place rather than an infection route by itself, but a scanner that looks only at a file's main content will miss it. That's why it is so important to have a good antivirus protecting your PC. Panda Security solutions protect you against these threats: every time they scan a file, they check whether it includes an Alternate Data Stream and, if it does, scan that as well.