Auditing Alternate Data Streams
Once you've got a list of alternate data streams on your system, the next step is to determine which of them, if any, are malicious. While a lot of legitimate programs use alternate data streams, the amount of metadata they store is typically small. It's generally safe to ignore alternate data streams of 256 bytes or less when performing an ADS scan.
Beyond that, you need to look at the kind of program to which the alternate data stream is attached. Graphics programs, for example, can reasonably be expected to attach thumbnails to images using ADS, and Word documents will often have an ADS attachment.
One real trouble sign is an ADS attached to the root directory. A construct like c:\:ddesvr.exe should make you extremely suspicious.