Thursday, November 29, 2007

Using and Abusing Alternate Data Streams

This blog post details a very simple method that viruses, malware authors and others have used to hide data.

What are Alternate Data Streams (ADS)?
Alternate Data Streams (ADS) were created to make NTFS compatible with the HFS file system. In NTFS there are two streams to a file, the data portion and the resource portion. It is relatively simple to hide data in the resource portion, and without specific tools this data would remain hidden.

How to Hide Data in an ADS
Below is an example of how to hide a file in an Alternate Data Stream. The file can be any type of file, such as a normal text file, a Word file or, in this case, an executable. This example is run from a command prompt, and the disk I am using is NTFS formatted.

1. Copy calc.exe into the directory you are in; my examples will assume C:\ads\

2. Making sure you are in C:\ads\, run "echo test >hello.txt". This will create a file called hello.txt with the word "test" in it.

3. Run "start hello.txt". This should open the file you just created in notepad or your text file editor of choice. This demonstrates the file is accessible and usable.

4. Run "type calc.exe > C:\ads\hello.txt:calc2.exe". This writes the contents of calc.exe into a stream of hello.txt named calc2.exe. After placing calc.exe in the ADS of hello.txt, run dir to check the file sizes.

By comparing the file size before and after calc.exe is added into the ADS you will notice that there is no change to the file size reported by dir.

5. Run "del calc.exe". This deletes the calc.exe that you copied in step 1.

6. Run "start C:\ads\hello.txt:calc2.exe"

This will start calc.exe from the ADS. The full path is important to start the file.

By running "start hello.txt" (or by opening the file in the normal way) you will only see the original file; this can be added to or amended without affecting the file in the ADS.

If the file is copied to a partition that is not NTFS, or to a USB device that is not NTFS, the file stored in the ADS will be lost.

Tools such as LADS.EXE and SFIND.EXE from the Forensic Toolkit (Foundstone) will both discover files hidden in an ADS.
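As an added example (not part of the original post or of the tools it names), the script below shows the detection side of the point made above: a plain dir listing reports only the primary stream's size, but dir /R (available on Windows Vista and later) also prints each named stream as "file:stream:$DATA" with its own size. The script parses a constructed sample of that output for the C:\ads directory described in the post and reports every stream that is not on a small allowlist of streams Windows writes itself (Zone.Identifier on downloaded files). The sample output, its sizes and timestamps are made up for the example; the column layout of dir /R also varies by locale, so the regular expressions may need adjusting for a real listing.

```python
import re

# Constructed sample of `dir /R` output for C:\ads after calc.exe has been
# written into hello.txt:calc2.exe as the post describes. Sizes, dates and the
# notes.txt entry are invented for this example.
SAMPLE_DIR_R = """\
 Volume in drive C has no label.
 Volume Serial Number is 1234-ABCD

 Directory of C:\\ads

11/29/2007  10:00 AM    <DIR>          .
11/29/2007  10:00 AM    <DIR>          ..
11/29/2007  10:02 AM                 7 hello.txt
                                114,688 hello.txt:calc2.exe:$DATA
11/29/2007  10:05 AM             1,024 notes.txt
                                     26 notes.txt:Zone.Identifier:$DATA
               2 File(s)          1,031 bytes
               2 Dir(s)  12,345,678,912 bytes free
"""

# A primary-stream entry: date, time, size (with thousands separators), name.
FILE_LINE = re.compile(
    r"^(\d{2}/\d{2}/\d{4})\s+(\d{2}:\d{2}\s+[AP]M)\s+([\d,]+)\s+(.+?)\s*$"
)
# A named-stream entry carries no timestamp: just a size and "<file>:<stream>:$DATA".
STREAM_LINE = re.compile(r"^\s+([\d,]+)\s+([^:]+):([^:]+):\$DATA\s*$")

# Streams Windows itself writes; listing them would be noise, not a finding.
DEFAULT_ALLOWLIST = frozenset({"Zone.Identifier"})


def _size(text):
    """Turn '114,688' into 114688."""
    return int(text.replace(",", ""))


def parse_dir_r(output):
    """Parse `dir /R` text into {filename: {"size": int, "streams": {name: int}}}.

    The primary stream size is what a plain `dir` shows; the streams dict holds
    every alternate data stream and its real size.
    """
    entries = {}
    for line in output.splitlines():
        m = FILE_LINE.match(line)
        if m:
            entries[m.group(4)] = {"size": _size(m.group(3)), "streams": {}}
            continue
        m = STREAM_LINE.match(line)
        if m:
            size, fname, stream = _size(m.group(1)), m.group(2), m.group(3)
            # A stream line normally follows its file line, but be defensive.
            entries.setdefault(fname, {"size": None, "streams": {}})
            entries[fname]["streams"][stream] = size
    return entries


def find_hidden_streams(entries, allowlist=DEFAULT_ALLOWLIST):
    """Return (file, stream, stream_size, primary_size) for every non-allowlisted stream."""
    findings = []
    for fname, info in sorted(entries.items()):
        for stream, ssize in sorted(info["streams"].items()):
            if stream in allowlist:
                continue
            findings.append((fname, stream, ssize, info["size"]))
    return findings


if __name__ == "__main__":
    for fname, stream, ssize, psize in find_hidden_streams(parse_dir_r(SAMPLE_DIR_R)):
        print(f"{fname}: stream '{stream}' holds {ssize} bytes; "
              f"plain dir reports only {psize} bytes")
```

Run against a real listing by piping the output of dir /R into the parser instead of the constructed sample. The report pairs each hidden stream's size with the primary stream's size, which is exactly the discrepancy the post points out: hello.txt still shows 7 bytes while the stream behind it holds the whole executable.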

Further Reading
