Anyone who is in the security arena should know about Windows Alternate Data Streams, otherwise known as ADS. Though not highly publicized, lack of this little known attribute of the Windows NTFS file system may affect how you solve a problem in the future.
ADS were introduced into the Windows NTFS file system starting in Windows NT 3.1. This ?feature? was implemented in order to allow compatibility with the Macintosh Hierarchical File System (HFS). In brief, the Macintosh file system stores its data in two parts, the resource fork and the data fork. The data fork is where the data is actually contained and the resource fork is used to tell the operating system how to use the data portion. Windows does a similar thing through extensions such as .bat, .exe, .txt, .html. These extensions tell the operating system how to use the particular data found in the files.
For windows to be compatible with the Macintosh file system, they introduced alternate data streams. This hidden stream is used as the resource fork was used; to tell the system how to use the data contained in the file.
Though ADS was created for compatibility with the Mac world, it is not solely used for that purpose. Many applications use ADS to store attributes of a file in them. For example if you make a text document, and right click and go into its properties you will see a summary page. This summary information is attached to the file via ADS. I will show you more on that later and applications to see this information.
In summary, think of ADS as hidden files that are attached to the visible ones. The main reason they are so dangerous is that they are not well known, are generally hidden to the user, and that there are few security programs that can recognize them.
Programs to view ADS
Before I continue I want to mention some, not all, programs that can be used to view ADS. This is so as you read this tutorial, and follow some examples, you can actually see the ADS files that you are creating.
The programs are as follows:
Lads - http://www.heysoft.de/Frames/f_sw_la_en.htm
How to make an ADS
From a command prompt, the following is an example on how to make an ADS:
C:\test>echo "ADS" > test.txt:hidden.txt
A new ADS has just been created called hidden.txt and attached to the file test.txt. The ADS file is shown after the : , and : must be used when adding an ADS.
If you do a DIR in that directory all you see is the normal file.
C:\test>dir Volume in drive C has no label. Volume Serial Number is B889-75DB Directory of C:>test 10/22/2003 11:22 AM
On the other hand if you run LADS, you can see the ADS, hidden.txt 9, attached to the test.txt file.
C:\test>lads LADS - Freeware version 3.21 (C) Copyright 1998-2003 Frank Heyne Software (http://www.heysoft.de) This program lists files with alternate data streams (ADS) Use LADS on your own risk! Scanning directory C:\test\ size ADS in file ---------- --------------------------------- 8 C:\test\test.txt:hidden.txt 8 bytes in 1 ADS listed
If you wanted to view the ADS hidden.txt, or add information to it, just run notepad to open the file.
C:\test> notepad test.txt:hidden.txt
This will open the file in notepad and allow you to edit it and save it.
You can also use notepad to create an ADS file. Just type:
Notepad will launch and say this file does not exist and would you like to create it. You would say yes, and then enter the information and save it. This method has just created a new ADS called ads.txt.
ADS files do not have to be attached to a file, but can also be attached a directory. This causes a problem when you create an ADS against a root of a hard drive as it makes it impossible to remove the ADS unless you reformat. If someone knows of a program that can fix this, please let me know.
Here is an example on how to make an ADS against a directory:
C:\test> echo test> :hidden.txt
This command has now attached an ADS to the directory itself. Run LADS to see the ADS attached to the directory.
What is so harmful about this?
What if I told you that ADS can also be used with executable files? Thats right, ADS files that are executable can be attached to any file just like you attached .txt files, and just like the text files, would be hidden from most software.
Here is an example:
C:\test> type c:\windows\notepad.exe > ads.txt:hidden.exe
You have now created an ADS file called hidden.exe and attached it to the text file ads.txt. Once again, if you Dir the directory you will just see ads.txt, and not hidden.exe. Run LADS, and you will see the ADS.
There is a caveat to launching executable files that are ADS files. You must always use the START command to launch the ADS executable and you must always use the full path of the file. Here are some examples of working commands and non-working commands.
I will first make my ADS executable:
C:\test> type c:\windows\notepad.exe > ads.txt:np.exe
Commands that do not launch the np.exe ADS executable:
The filename, directory name, or volume label syntax is incorrect.
The filename, directory name, or volume label syntax is incorrect.:
Access is denied.
The command that will launch the executable:
As you can see, you must use the full path of the ADS executable file.
How to Delete ADS Files
ADS files are not particularly hard to delete, but they can cause problems. In order to delete an ADS attached to a file, just delete the file. Lets say for example that you have a file called number.txt and there was an ADS attached called hidden.txt. You want to get rid of the hidden.txt file, but keep the info in number.txt, so you just cant delete number.txt.
In order to do this you would do something like the following:
C:\test>ren number.txt temp.txt
C:\test>type temp.txt > number.txt
In order to delete ADS files that are attached to a directory, you need to delete the directory. This can cause a major problem if the ADS is attached to the root of a hard drive. Since you cannot delete the ADS in this way unless you reformat the drive, you can do this to get rid of the unwanted information in the ADS file.
C:\test>echo empty > filler.txt
C:\test>type filler.txt > :badads.txt
Update - 11/11/04
Since I wrote this tutorial there have been a few malware programs that have been released to infect your machine using Alternate Data Stream files. Due to this there have been improvements in the software available to remove these types of programs from your computer. One program that will search for ADS files on your computer and then provide a list that you can remove is ADSSPY. You can find a link to that program below:
Other Uses for ADS
In the beginning I mentioned that there are other uses for ADS files. Certain files in Windows have a summary tab in their properties. One example of this is .txt documents. If you create a new .txt document, and right click on it, and select summary, you can fill in some information.
This information is saved as ADS files attached to the document. For example, we have a file called readme.txt. If I go into the summary section and enter my name into the Title field and press OK, that information will be saved as an ADS.
You can see this as follows:
LADS - Freeware version 3.21
Scanning directory C:\test\
size ADS in file
131 bytes in 3 ADS listed
As you can see ADS can definitely be used for much more than was bargained for when Microsoft introduced them. They have the legitimate uses, but can definitely be used for darker intentions.
In summary here are the reasons why ADS can be considered bad:
- There are few programs that detect ADS.
- Removing ADS can be difficult.
- Explorer and Dir when determining free space do not calculate the space used by ADS.
- You can hide an executable as an ADS.
Too many sources over the years, but the people at NTBugTraq, Heysoft. Security Focus, DiamondCS, Crucial, and the other writers of ADS tutorials deserve mention. There are some excellent articles about ADS found via google that do a much better job than I in explaining ADS. I would recommend you take a look.
Bleeping Computer Advanced Microsoft Concepts
BleepingComputer.com: Computer Support & Tutorials for the beginning computer user.
HijackThis is a utility that produces a listing of certain settings found in your computer. HijackThis will scan your registry and various other files for entries that are similar to what a Spyware or Hijacker program would leave behind. Interpreting these results can be tricky as there are many legitimate programs that are installed in your operating system in a similar manner that Hijackers get ...
One of the top questions I see on forums is "How do I know if I have been hacked?". When something strange occurs on a computer such as programs shutting down on their own, your mouse moving by itself, or your CD constantly opening and closing on its own, the first thing that people think is that they have been hacked. In the vast majority of cases there is a non-malicious explanation ...
If you use a computer, read the newspaper, or watch the news, you will know about computer viruses or other malware. These are those malicious programs that once they infect your machine will start causing havoc on your computer. What many people do not know is that there are many different types of infections that are categorized in the general category of Malware.
A common misconception when working on removing malware from a computer is that the only place an infection will start from is in one of the entries enumerated by HijackThis. For the most part these entries are the most common, but it is not always the case. Lately there are more infections installing a part of themselves as a service. Some examples are Ssearch.biz and Home Search Assistant.
Ever since Windows 95, the Windows operating system has been using a centralized hierarchical database to store system settings, hardware configurations, and user preferences. This database is called the Windows Registry or more commonly known as the Registry. When new hardware is installed in the computer, a user changes a settings such as their desktop background, or a new software is installed, ...