What about the threat of alternate data streams on NTFS file systems?
That’s actually an excerpt from a longer question I got last year that I
want to address separately.
Alternate data streams are an very interesting feature of the NTFS file
system that not many people know about.
The security threat that the question alludes to is that alternate data
streams can allow data to be trivially hidden on an NTFS formatted hard disk in
a way that is difficult to detect.
Become a Patron of Ask Leo! and go ad-free!
First, let’s define just what an alternate data stream is.
Think of it as a “file within a file”.
To begin with, it’s an NTFS-only feature. So if your hard disk is formatted
using the FAT file system, then none of this applies to you.
I’ll show by example. And unfortunately, for reasons we’ll see in a moment,
we’ll need to do this in a Windows command shell.
First, create a text file with anything in it, using the “echo” command and
file redirection:
C:> echo
The quick brown fox jumped over the lazy dog. >textfile.txt
As you might expect, that puts the text into the text file
“textfile.txt”:
C:> type
textfile.txt
The quick brown fox jumped over the lazy dog.
C:>
And have a look at the directory listing for the file:
C:> dir
textfile.txt
Volume in drive C is LEO
Volume Serial Number is 3007-E4F1Directory of C:\
06/14/2007 03:35 PM 48 textfile.txt
All is as we would expect.
Now, run this command:
C:> echo
Where oh where has my little dog gone? >textfile.txt:hidden
This looks like we’re creating a new file called
“textfile.txt:hidden”, but we’re not. We’re creating an alternate data stream
within the file “textfile.txt” by the name of “hidden”.
In fact, we can examine that just like the first:
C:> type
textfile.txt:hidden
The filename, directory name, or volume label syntax is incorrect.
C:>
Oh. Apparently we can’t do it exactly the same. We can do this,
though:
C:> more
<textfile.txt:hidden
Where oh where has my little dog gone?
C:>
And the original “default” data stream is still there too:
C:> type
textfile.txt
The quick brown fox jumped over the lazy dog.
C:>
And yet, there’s only the one file:
C:> dir
textfile*
Volume in drive C is LEO
Volume Serial Number is 3007-E4F1Directory of C:\
06/14/2007 03:39 PM 48 textfile.txt
detect without third party software.”
There are two very interesting things to note about that last directory
listing:
-
The size of the file is unchanged. In fact, the size (48) reflects only the
size of the default data stream. There could very large alternate data streams
attached to the file and you wouldn’t see it. -
The timestamp on the file did change when the alternate data stream was
added. But that’s the only visible indication that anything happened with the
possible exception of the fact that free space on the drive in question did go
down.
The alternate “hidden” data stream is just that – very well hidden. You
wouldn’t know to look for it unless … well, unless you knew to look for
it.
•
The Risk
So that was all an interesting exercise in hiding data, and I’m sure that
several folks will now look at hiding sensitive information or their
pornography collection in alternate data streams in otherwise innocuous looking
files.
But it gets worse.
Let’s do this:
c:> type
c:\windows\system32\calc.exe >textfile.txt:calc.exe
What this has done is copied the Windows calculator program into an
alternate data stream called “calc.exe” inside of “textfile.txt”. Once again,
aside from it’s timestamp changing, “textfile.txt” still looks like a 48 byte
text file that contains only one line of text.
And yet, we can now do this:
c:>start
c:\textfile.txt:calc.exe
which launches the hidden copy of calc.exe from its alternate data stream
inside of “textfile.txt”.
Imagine if that weren’t calc.exe at all.
Imagine if that were malware.
•
Alternate Data Stream Limitations
If you copy a file with alternate data streams to another NTFS partition, then the streams are retained. However if you copy the file to a FAT or other file
system that does not support alternate data streams, the streams will be
silently lost in the copy. Only the default stream will be copied.
Since many programs operate very much like a copy operation, it seems to me
that it would be very easy to lose your alternate data streams if you operate
on a file that has them. For example when I edited the example textfile.txt in
a random text editing program, the alternate streams were stripped off when the
file was saved.
•
The Real Problem
As we’ve seen support for alternate data streams is sporadic. I couldn’t
create one in notepad, for example, but it’s easy to do in a command shell. You
can’t “type” one directly, but an alternate data stream is easily created and
viewed when used as the target of input or output redirection. And we’ve just
seen how easy it is to run one using the command prompt “Start” command, but
you can’t just execute it like a normal program by typing it into the Start
menu’s Run command.
In fact, alternate data streams are simple to use in programs that support
it, but very view actually do directly. More to the point, alternate data
streams are almost impossible to detect without third party software. Even
worse, they’re typically not scanned by anti-virus and anti-spyware packages.
As a result, not only could data be very effectively hidden on your machine,
that “data” could easily include malware.
Fortunately, to date, I’m not aware of any malware taking advantage of
alternate data streams.
•
Solutions?
Alternate Data Streams cannot be turned off.
There are no tools built-in to windows that will let you look for the
presence of alternate data streams.
The only solution I’m aware of to date is a third party utility, lads.exe (List Alternate Data Streams). If I run
that on the file I’ve created as my example, I see this:
c:>lads
LADS - Freeware version 4.10
(C) Copyright 1998-2007 Frank Heyne Software (http://www.heysoft.de)
This program lists files with alternate data streams (ADS)
Use LADS on your own risk!
Scanning directory C:\
size ADS in file
---------- ---------------------------------
114688 C:\textfile.txt:calc.exe
41 C:\textfile.txt:hidden
If you like, you can use lads.exe to scan your entire hard drive for files
with alternate data streams.
The presence of an alternate data stream does not necessarily indicate a
problem. In fact, I found a couple of valid instances on my machine when I
scanned. I was surprised, but they were there and they were valid.
•
The Bottom Line: Should You Worry?
No. Not yet anyway.
Alternate data streams have been around for a long time. Their lack of
consistent support across applications is probably their undoing for malware
creators as well. However since NTFS has become so popular in recent years, it
wouldn’t surprise me to see malware start to take advantage of alternate data
streams as a way to hide themselves, or the data that they may be
collecting.
In the mean time, if you’re concerned, use the lads.exe utility to scan your system to see if you have any.
And of course, it’s a very handy way to hide information
on your machine. It’s not bullet proof, as we’ve seen, but it’s certainly one
way to keep the presence of certain files or data from being immediately
obvious to the casual observer.
Is there a reason that alternate data streams exist?
—–BEGIN PGP SIGNED MESSAGE—–
Hash: SHA1
To be honest, I’m not sure. I’ve heard tell that they were an attempt to
provide the same functionality as “forks” I think it is on Macintosh systems at
the time. If so, I think it was doomed for backwards-compatibility reasons.
But I’m not totally sure.
And again, once in, it’s incredibly difficult to remove a “feature” — for
backwards compatibility reasons. :-(
Leo
—–BEGIN PGP SIGNATURE—–
Version: GnuPG v1.4.6 (MingW32)
iD8DBQFGcryiCMEe9B/8oqERAnLpAKCKLGKUw9xcIAVVyESHm0PiQENK1QCcCsAS
CEZ/ke2Y8mIxskqIC/RV8gY=
=Csa/
—–END PGP SIGNATURE—–
Just downloaded and installed LavaSoft Ad-Aware2007. On the Settings page there is a button for “Scan Alternate Data Streams”. When I saw this I had no idea what it was about. It is a nice coincidence your newsletter has an article on Alternate Data Streams. So there is now at least one way to scan for Alternate Data Streams.
Thank you Leo.
actually there are malware exploiting ADS, else Ad-Aware and other s/w wouldn’t be scanning them
Hello Leo,
The erasure software programme ‘Cyberscrub’ provides an option to erase Alternate Data Stream files. CyberScrub warns that it will try to save the ADS Main File(s) when it is deleting the others, but it does not guarantee that it will be able to do so. Are these Main Files essential to the healthy operation of the platform (XP) – can I risk their erasure? Can anyone know? If CyberScrub fails to preserve one, some, or all of the Main Files, will these be regenerated, if necessary/essential, at the next boot, or could erasure result in a catastrophe?
It seems a wee bit anomalous that a programme which is designed to execute comprehensive erasure processes cannot in fact do this safely, because of the existence of these files which move in mysterious ways.
Cyberscrub searches for, and identifies, the ADS files on your system. The ADSs it finds on mine are as follows:-
C:\Documents and Settings\All Users\…1: :encryptable $DATA (1 entry)
C:\Documents and Settings\My Name\…1 :Zone Identifer:$DATA (3 identical entries)
C:\Documents and Settings\My Name\…1 :Favicon:$DATA (1 entry)
C:\RECYCLER\S-1-5-21-124738149-13…1 :Zone Identifier:$DATA (3 identical entries)
C:\System Volume Information\_restor… :Zone Identifier:$DATA (4 identical entries)
and then dozens of these:-
C:\SystemVolume Information\_restor :a:$DATA
Perhaps it is all imponderable.
Best wishes,
MD
Alternate data streams are used by some antivirus software (Kaspersky Labs) to store a unique “hash” value that works as a short signature that represents the file contents. The allows the antivirus program to detect any simple change in contents that does not also update the signature stream. The cost of this otherwise excellent feature is the expansion in disk size of every file.
By the way, the excellent freeware program FileAlyzer 2 has a tab for showing the Alternate data streams in any file, including special (inaccessible) streams such as Security and Object identifier. The default stream type is Alternate.
Alternate data strings can be nested. Internally, an alternate string named foo is represented as :foo:$DATA, so some alternate stream programs may use this syntax.
In Windows, Microsoft Word uses an alternate data stream to store extra information about a file, such as the Author name. Also, downloaded files are marked by the presence of an Alternate-type stream named :Zone.Identifier, which contains the text “INI file”
[ZoneTransfer]
ZoneId=3
to indicate which “Zone” was used for the download (3 means “Internet”). On the Properties context dialog box for the file, you can click Unblock to delete this stream.
I just got an extra kiss from my husband for finding your site! Don’t expect a comment.
Thanks
“To begin with, it’s an NTFS-only feature.” – Not true. In WINDOWS, it is a ntfs only feature. The macintosh OS7/8/9 and OS/2 HPFS used ADS as well.
Also, the easiest way to remove them is to move the file to eFat, FAT16 or FAT32 partition, which ignores and drops ADS, then move it back. :D