Alternate Data Streams (ADS) are a feature of the NTFS filesystem. They were originally added so that Windows NT file servers could store files for the Macintosh Hierarchical File System (HFS). HFS keeps every file in two forks: the data fork holds the contents of the document, while the resource fork holds the file type, icon and other pertinent details. NTFS models the extra fork as a named stream attached to the file.
How do you create an ADS? Wonderfully easy: take the host file and the file to be hidden, and redirect the latter into a named stream of the host with a simple type command (the colon after the host file name is what selects the stream):
type file_to_be_hidden > host_file:name_of_file_to_be_hidden
The most frequent malicious use of ADS is to conceal the executable of a trojan or rootkit as an alternate data stream attached to a perfectly innocuous file. For instance, once an attacker has compromised a Windows system, he can hide the payload that preserves his access inside a binary that is used all the time, such as Calculator.
Alternate Data Streams are also interesting as a mechanism for hiding information and transporting it out of an organization:
Once you attach an ADS to a file, the host file's reported size does not change; only its modified date is updated. This makes the streamed file hard to spot in a directory listing. The ADS also does not change the MD5 hash of the host file, because hashing tools read only the primary (unnamed) data stream, so file-integrity systems that watch for modifications through hashing will not notice the hidden data.
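The following PowerShell session is an added example (not code from the original article) that performs the type redirection described above and then checks each of the claims just made: size, MD5 and modified date before and after, and a stream-aware listing that does show the hidden stream. It works on a throwaway file under $env:TEMP; the file names and the stream name payroll.csv are arbitrary choices for the demo, and Get-FileHash needs PowerShell 4 or later.

```powershell
# Added example, not from the original article: attach a file as an ADS to a
# throwaway host file under $env:TEMP and check the article's claims about
# size, hash and modified date. File names and the stream name 'payroll.csv'
# are arbitrary choices for the demo.

$hostFile   = Join-Path $env:TEMP 'report.txt'
$secretFile = Join-Path $env:TEMP 'payroll.csv'
Set-Content -Path $hostFile   -Value 'Quarterly status report - nothing to see here.'
Set-Content -Path $secretFile -Value @('employee,salary', 'alice,90000', 'bob,85000')

$lengthBefore = (Get-Item $hostFile).Length
$mtimeBefore  = (Get-Item $hostFile).LastWriteTime
$md5Before    = (Get-FileHash -Path $hostFile -Algorithm MD5).Hash

# Equivalent of the article's   type payroll.csv > report.txt:payroll.csv
# -Stream writes to the named alternate stream instead of the primary one.
Get-Content -Path $secretFile | Set-Content -Path $hostFile -Stream 'payroll.csv'

$lengthAfter = (Get-Item $hostFile).Length
$mtimeAfter  = (Get-Item $hostFile).LastWriteTime
$md5After    = (Get-FileHash -Path $hostFile -Algorithm MD5).Hash

# Length and MD5 cover only the primary stream, so both stay the same;
# the write did update LastWriteTime, which is the one visible trace.
"Length        : $lengthBefore -> $lengthAfter"
"MD5           : $md5Before -> $md5After"
"LastWriteTime : $mtimeBefore -> $mtimeAfter"

# dir and Explorer hide the stream; a stream-aware listing does not.
# cmd.exe equivalent:  dir /r %TEMP%\report.txt
Get-Item -Path $hostFile -Stream * | Select-Object Stream, Length

# Read the hidden content back, then remove only the stream (primary data intact).
Get-Content -Path $hostFile -Stream 'payroll.csv'
Remove-Item -Path $hostFile -Stream 'payroll.csv'
```

The stream listing shows two entries, the unnamed :$DATA stream with the original length and payroll.csv with the size of the hidden content, which is the quickest manual check when you suspect a file on an NTFS volume is carrying more than it appears to.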
One would think this method of hiding information would be ideal for moving any amount of data out over a network inside an inconspicuous carrier file. But there is a catch: most data carriers ignore the alternate data stream and transport only the primary stream. Here is a summary of what drops the ADS and what keeps it:
- Zip, RAR or ARJ archives compress the host file's primary stream and disregard the ADS
- MIME and Base64 encoding (e-mail attachments) ignore the ADS entirely
- FAT32 (common on USB flash drives) loses the ADS, since that filesystem does not support streams
- Steganography programs read the bytes of the host file's primary stream and stop at its end of file
- FTP and HTTP transfers ignore the ADS entirely
- Recording the
- Transferring the host file over an SMB network share to an NTFS target retains the hidden ADS
- Copying the host file to another NTFS filesystem carries the hidden ADS along with it
- The malicious user creates a legitimate host file and attaches the information to be stolen to it as an ADS.
- He convinces the manager to take the legitimate file home to work on over the weekend.
- At the manager's request, even though USB drives are restricted, IT copies the file over SMB onto the employee's USB drive, which is sparkling clean and conveniently formatted with NTFS.
- All logs of the transfer will show only the transfer of the original, approved file to the USB drive.
What will you do in such a scenario? Talkback is most welcome!
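One practical answer is to hunt for named streams on the shares and staging folders that such copies go through. The function below is an added example written for this article, not the author's code: it walks a directory tree, lists every stream on every file, and reports the ones that are neither the primary :$DATA stream nor the ubiquitous Zone.Identifier mark-of-the-web stream that browsers and Outlook attach to downloads. The function name, parameter names and the ignore list are my own choices; extend the ignore list with any streams your environment legitimately uses.

```powershell
# Added example, not from the original article: report files under a path that
# carry alternate data streams other than the expected ones. The function name,
# parameters and default ignore list are the example's own choices.
function Find-SuspiciousStreams {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Path,
        # ':$DATA' is the primary stream every file has; Zone.Identifier is the
        # mark-of-the-web stream on downloaded files and is almost always benign.
        [string[]] $IgnoreStreams = @(':$DATA', 'Zone.Identifier')
    )
    Get-ChildItem -Path $Path -File -Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file = $_
            # -Stream * lists every stream of the file; fails (silently here) on
            # non-NTFS volumes such as FAT32, which cannot carry streams at all.
            Get-Item -LiteralPath $file.FullName -Stream * -ErrorAction SilentlyContinue |
                Where-Object { $IgnoreStreams -notcontains $_.Stream } |
                ForEach-Object {
                    [pscustomobject]@{
                        File          = $file.FullName
                        Stream        = $_.Stream
                        StreamBytes   = $_.Length
                        LastWriteTime = $file.LastWriteTime
                    }
                }
        }
}

# Usage: sweep a share that was used to stage the USB copy, largest streams first.
# 'D:\Shares\Finance' is a placeholder path for the demo.
Find-SuspiciousStreams -Path 'D:\Shares\Finance' |
    Sort-Object StreamBytes -Descending |
    Format-Table -AutoSize
```

Because the host file's size and hash are unchanged, this stream enumeration (or dir /r in cmd.exe) is the check that a hash-based integrity monitor misses; pairing it with the file's LastWriteTime, which the stream write does update, narrows the sweep to files touched in the window of interest.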