InformIT

Alternate Data Streams: Threat or Menace?

Date: Sep 16, 2005


By now, you're probably aware of how easy it is to accidentally leave metadata in your Microsoft Word documents, offending or amusing recipients who can easily uncover your mistakes. Did you also know that bad guys might be helping you to even more embarrassment (or danger), by using the alternate data streams (ADS) capability of Windows NTFS to hook warez, pornography, or even hacker's tools to your innocent files?

Alternate data streams (ADS) are an example of how a good idea is compromised by lousy execution. Alternate data streams provide an easy way to invisibly attach metadata to Windows files.

Invisibly. And that's the problem. ADS attachments don't show up in file directories, they don't change the reported size of the files, and in fact they're practically undetectable with the standard Windows tools. As a result, alternate data streams have become the tool of choice for computer criminals of all sorts, from crooks stealing your data to bad guys who want to turn your system into their zombie—the ones who use your system to host secret chat rooms and bulletin boards full of illegal pornography.

While you can't disable alternate data streams on a Windows system, some tools will let you spot questionable ADS attachments and control them. However, to protect yourself against ADS, you have to understand the facts about this remarkably little-known threat.

Why Alternate Data Streams?

Alternate data streams were added to the NTFS filesystem primarily for Macintosh compatibility. The Macintosh Hierarchical File System uses attached metadata (called the resource fork—Microsoft doesn't have a monopoly on goofy feature names) to tell the system how to handle the data (called the data fork). In effect, it's a more powerful, flexible version of the dot-3 extensions (.doc, .txt, .bmp, etc.) on Windows filenames. Having an equivalent to the resource fork in NTFS made it a lot easier to port software between the operating systems.

Like the resource fork in the Mac, ADS can include a lot more information about a file than just the file type. This is why a number of Windows programs use alternate data streams. A good example of ADS use is provided by Microsoft Word. Every Word document can have annotations attached describing the document, and this information is stored in an ADS attached to the document.

However, in implementing ADS, Microsoft made a couple of decisions that were, to put it mildly, questionable. The first decision was to allow any kind of file of nearly any size to be attached as an alternate data stream. This includes executables, which can run quite cheerfully from the ADS. A file of even a few bytes can have an ADS totaling hundreds of megabytes in length. That's a lot of warez, pornography, or hacker's tools.

The second bad decision was to render alternate data streams invisible to standard Windows tools such as Internet Explorer and the dir command. When you attach an ADS to a file, the reported file size remains the same. The only thing that changes is the creation date on the file. chkdsk will show that more space has been consumed on the disk, but it won't show you where the space went.

While alternate data streams are hard to detect, they're easy to create. Using a few simple commands, anyone can attach an ADS to a file. Their ease of creation combined with their ability to contain just about anything means that alternate data streams are an ideal tool for hiding something in Windows. Not surprisingly, it didn't take all sorts of bad guys long to figure that out. Today ADS is one of the most common methods of hiding stuff in compromised systems.

What kinds of things use ADS? You'd be astonished—and appalled. In general, any piece of software that wants to hide itself is likely to use ADS. Trojans and rootkits are particularly prolific users because alternate data streams provide an easy way to hide things.

A system breaker needs tools to control and manipulate a compromised computer. ADS provides an ideal way to hide the tools that can be used to do further damage to your system—on your system. By keeping the toolkit on the compromised system, the system breaker greatly reduces the bandwidth needed for repeat visits. A couple of simple scripts totaling a few kilobytes replace downloading megabytes of software every time the bad guy visits.

Of course, a smart computer criminal doesn't keep anything incriminating on his computer. He hides it on someone else's computer, often using ADS. It's not uncommon to find all kinds of files stolen from other computers parked on some innocent's system and hidden with ADS.

ADS is also used to hide the code to run illicit chat rooms, FTP servers, and other covert communications channels on compromised systems.

Creating an Alternate Data Stream

To see how easy this is, let's create a simple alternate data stream. Open Notepad and create a file called goodstuff.txt. Put a few words of text in it. Now create another Notepad file called badstuff.txt and put some text into it.

Now go to the command line and type this command:

type badstuff.txt > goodstuff.txt:malicious.txt

The > operator redirects the contents of badstuff.txt into malicious.txt, and the colon (:) tells Windows to attach malicious.txt to goodstuff.txt as an ADS. Any time you see an extra colon in a pathname, you can be pretty sure you're dealing with an alternate data stream.

That's it. You just created an ADS named malicious.txt, transferred the contents of badstuff.txt to malicious.txt, and attached it to goodstuff.txt. If you want to see your handiwork, type this:

notepad goodstuff.txt:malicious.txt

This command will open Notepad and display the contents of malicious.txt. Of course, to get to malicious.txt, you have to know the entire path, not just the name of the ADS file. If you don't know the name and path of the ADS, you can't find it with conventional tools.

If this looks like something that could be run from a simple script, you're right. Scripts can also be used to access information and run executables from ADS.

Detecting Alternate Data Streams

Standard Windows tools provide two tip-offs to an ADS invasion—one of them subtle, the other sometimes blindingly obvious.

The subtle one is the date stamp on the file. While alternate data streams don't change the reported file size, they do change the reported date of file creation. Of course, unless you've kept some sort of record of creation dates, or the altered file sits in the middle of a bunch of files created on the same date, this change is very difficult to spot.

The obvious tip-off is when your hard drive suddenly and mysteriously fills up. The added files won't show up in your directory, but they still take up space on your disk, and that's reported by chkdsk.

While alternate data streams are very hard to detect with Windows, they're easy to find with specialized tools. A number of companies and individuals offer tools to track and remove ADS. Because alternate data streams aren't detected by conventional Windows tools, most ADS detectors use the Windows backup API, which can detect alternate data streams. Usually you must have administrative or backup privileges to run ADS detection software.

Please note that many of the available ADS detectors simply alert you to the existence of alternate data streams, rather than removing them.

Auditing Alternate Data Streams

Once you've got a list of alternate data streams on your system, the next step is to determine which of them, if any, are malicious. While a lot of legitimate programs use alternate data streams, the amount of metadata they store is typically small. It's generally safe to ignore alternate data streams of 256 bytes or less when performing an ADS scan.

Beyond that, you need to look at the kind of program to which the alternate data stream is attached. Graphics programs, for example, can reasonably be expected to attach thumbnails to images using ADS, and Word documents will often have an ADS attachment.

One real trouble sign is an ADS attached to the root directory. A construct like c:\:ddesvr.exe should make you extremely suspicious.
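The detection and audit steps above, as an added PowerShell example that is not part of the original article or any of the tools it names. It assumes Windows PowerShell 3.0 or later on an NTFS volume (Get-Item -Stream enumerates the same streams the backup-API tools see); the $Root and $IgnoreBelow parameters, the Get-AdsVerdict function and the severity scale are my own choices.

```powershell
# Added example (not from the article): list alternate data streams under a path
# and triage them with the article's rules. Assumes Windows PowerShell 3.0+ on NTFS.
param(
    [string]$Root = 'C:\',      # scan root; the drive root itself is checked as well
    [long]$IgnoreBelow = 256    # article: an ADS of 256 bytes or less is usually benign metadata
)

# A stream whose name looks like code has no business hanging off an ordinary file.
$ExecPattern = '\.(exe|dll|scr|com|bat|cmd|vbs|js|ps1)$'

# Returns a severity (0 worst .. 3 ignore) and a one-line reason.
function Get-AdsVerdict {
    param([string]$HostPath, [string]$Stream, [long]$Length)
    $hostExt = [IO.Path]::GetExtension($HostPath).ToLowerInvariant()
    if ($HostPath -match '^[A-Za-z]:\\$')  { return 0, 'CRITICAL: stream attached to drive root' }
    if ($Stream -match $ExecPattern)       { return 1, 'SUSPICIOUS: executable stream name' }
    if ($Length -le $IgnoreBelow)          { return 3, 'ignore: small metadata' }
    if ($hostExt -in '.jpg','.jpeg','.png','.gif','.bmp') { return 2, 'review: large stream, possibly a thumbnail' }
    if ($hostExt -in '.doc','.docx')       { return 2, 'review: large stream on a Word document' }
    if (Test-Path -LiteralPath $HostPath -PathType Container) { return 1, 'SUSPICIOUS: large stream on a directory' }
    return 2, 'review: large stream on an ordinary file'
}

# Walk the tree (root itself plus hidden/system items) and collect every named
# stream. ':$DATA' is the file's normal content, not an ADS, so it is skipped.
$items = @(Get-Item -LiteralPath $Root -Force) +
         @(Get-ChildItem -LiteralPath $Root -Recurse -Force -ErrorAction SilentlyContinue)
$report = foreach ($item in $items) {
    $streams = Get-Item -LiteralPath $item.FullName -Stream * -ErrorAction SilentlyContinue |
               Where-Object { $_.Stream -ne ':$DATA' }
    foreach ($s in $streams) {
        $sev, $why = Get-AdsVerdict -HostPath $item.FullName -Stream $s.Stream -Length $s.Length
        [pscustomobject]@{
            Path     = $item.FullName
            Stream   = $s.Stream
            Bytes    = $s.Length
            Severity = $sev
            Verdict  = $why
        }
    }
}

# Show everything worth a look, worst first; 'ignore' entries are dropped.
$report | Where-Object { $_.Severity -lt 3 } |
    Sort-Object Severity, Path |
    Format-Table Path, Stream, Bytes, Verdict -AutoSize
```

Run it from an elevated prompt so that files you lack rights to are not silently skipped. On PowerShell 3.0 and later a stream you have confirmed as hostile can be removed on its own with Remove-Item -LiteralPath <file> -Stream <name>, which leaves the host file and its other streams in place.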

Removing Alternate Data Streams

One thing you can't do on an NTFS Windows computer is turn off alternate data streams. Not only do a lot of applications use ADS; so does Windows itself. There's no way to disable ADS the way you can disable many unneeded Windows services.

Nor can you simply delete an alternate data stream without deleting the file to which it's attached. In fact, you can't use the Windows delete command to get rid of an ADS attached to a root directory (i.e. c:\:badstuff.exe).

Some ADS detection utilities, such as Streams, will automatically delete alternate data streams. However, many of them simply notify you of the existence of alternate data streams.

If your detection utility doesn't delete alternate data streams, you need to get creative. The great weakness of alternate data streams is that they're only supported on NTFS. The older FAT filesystems don't recognize ADS. If you copy a file from an NTFS drive to a FAT drive, any attached ADS will be eliminated. If you're on an ADS hunt, it might be worthwhile to set up a FAT partition on your system simply to wash files through. These days, most Windows systems use NTFS and aren't installed with any FAT partitions. However, programs such as Acronis Disk Director will let you create partitions of different file types, including FAT, out of unused space in an existing partition.

Another method of removing an ADS from a file is to do the following from the command line:

ren filename temp.exe
rem the rename carries the ADS along to temp.exe
type temp.exe > filename
rem type copies only the main stream, so the new filename has no ADS
del temp.exe

where filename is the name of the file with the ADS you want to eliminate.

If the alternate data stream is attached to a directory, you need a different method. Frank Heyne, the author of LADS, suggests a method that relies on using Notepad from Windows NT 4. The method is detailed in the LADS FAQ.

Combating Alternate Data Streams

First, and most importantly, the bad guys can't use alternate data streams to do their dirty work until they get inside your defenses. So make sure that you follow these rules:

Remember that eternal vigilance is the price of freedom from system compromise. In addition to checking alternate data streams, practice good computer security housekeeping:

This isn't rocket science, and it usually isn't very time-consuming. But it's vital in today's computer environment. Just because you have all the right pieces in place, don't assume that you can ignore day-to-day monitoring.

Resources
