Alternate Data Streams: Threat or Menace?
Alternate data streams (ADS) are an example of how a good idea is compromised by lousy execution. Alternate data streams provide an easy way to invisibly attach metadata to Windows files.
Invisibly. And that's the problem. ADS attachments don't show up in file directories, they don't change the reported size of the files, and in fact they're practically undetectable with the standard Windows tools. As a result, alternate data streams have become the tool of choice for computer criminals of all sorts, from crooks stealing your data to bad guys who want to turn your system into their zombie—the ones who use your system to host secret chat rooms and bulletin boards full of illegal pornography.
While you can't disable alternate data streams on a Windows system, some tools will let you spot questionable ADS attachments and control them. However, to protect yourself against ADS, you have to understand the facts about this remarkably little-known threat.
Why Alternate Data Streams?
Alternate data streams were added to the NTFS filesystem primarily for Macintosh compatibility. The Macintosh Hierarchical File System uses attached metadata (called the resource fork—Microsoft doesn't have a monopoly on goofy feature names) to tell the system how to handle the data (called the data fork). In effect, it's a more powerful, flexible version of the dot-3 extensions (.doc, .txt, .bmp, etc.) on Windows filenames. Having an equivalent to the resource fork in NTFS made it a lot easier to port software between the operating systems.
Like the resource fork in the Mac, ADS can include a lot more information about a file than just the file type. This is why a number of Windows programs use alternate data streams. A good example of ADS use is provided by Microsoft Word. Every Word document can have annotations attached describing the document, and this information is stored in an ADS attached to the document.
However, in implementing ADS, Microsoft made a couple of decisions that were, to put it mildly, questionable. The first decision was to allow any kind of file of nearly any size to be attached as an alternate data stream. This includes executables, which can run quite cheerfully from the ADS. A file of even a few bytes can have an ADS totaling hundreds of megabytes in length. That's a lot of warez, pornography, or hacker's tools.
The second bad decision was to render alternate data streams invisible to standard Windows tools such as Internet Explorer and the dir command. When you attach an ADS to a file, the reported file size remains the same. The only thing that changes is the creation date on the file. chkdsk will show that more space has been consumed on the disk, but it won't show you where the space went.
While alternate data streams are hard to detect, they're easy to create. Using a few simple commands, anyone can attach an ADS to a file. Their ease of creation combined with their ability to contain just about anything means that alternate data streams are an ideal tool for hiding something in Windows. Not surprisingly, it didn't take all sorts of bad guys long to figure that out. Today ADS is one of the most common methods of hiding stuff in compromised systems.
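Because the article's point is that standard listings hide these attachments, a defender wants a way to enumerate them. The following PowerShell script is an added example, not code from the original article: it walks a folder tree and reports every named stream other than the default `:$DATA` stream, using the `Get-Item -Stream` parameter available from PowerShell 3.0 onward. The root path is an assumed placeholder.

```powershell
# Added example (not from the article): list alternate data streams under a folder.
# Assumes PowerShell 3.0 or later on an NTFS volume; $Root is a placeholder path.
param(
    [string]$Root = 'C:\Users\Public'   # placeholder root to scan
)

Get-ChildItem -Path $Root -File -Recurse -Force -ErrorAction SilentlyContinue |
    ForEach-Object {
        $file = $_
        # '-Stream *' returns every stream on the file, including the default ':$DATA'
        # stream that holds the ordinary file contents; drop that one and keep the rest.
        Get-Item -LiteralPath $file.FullName -Stream * -ErrorAction SilentlyContinue |
            Where-Object { $_.Stream -ne ':$DATA' } |
            ForEach-Object {
                [pscustomobject]@{
                    File   = $file.FullName
                    Stream = $_.Stream   # stream name, e.g. 'Zone.Identifier'
                    Bytes  = $_.Length   # stream size, which dir does not report
                }
            }
    } |
    Sort-Object Bytes -Descending |
    Format-Table -AutoSize
```

Sorting by size puts the article's "few bytes of file, hundreds of megabytes of stream" case at the top of the report. Expect a benign `Zone.Identifier` stream on files downloaded by a browser; a large stream with an unfamiliar name, especially on a small or system file, is what merits a closer look. Once a stream is confirmed unwanted, `Remove-Item -LiteralPath <file> -Stream <name>` deletes just that stream and leaves the host file intact.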
What kinds of things use ADS? You'd be astonished—and appalled. In general, any piece of software that wants to hide itself is likely to use ADS. Trojans and rootkits are particularly prolific users because alternate data streams provide an easy way to hide things.
A system breaker needs tools to control and manipulate a compromised computer. ADS provides an ideal way to hide the tools that can be used to do further damage to your system—on your system. By keeping the toolkit on the compromised system, the system breaker greatly reduces the bandwidth needed for repeat visits. A couple of simple scripts totaling a few kilobytes replace downloading megabytes of software every time the bad guy visits.
Of course, a smart computer criminal doesn't keep anything incriminating on his computer. He hides it on someone else's computer, often using ADS. It's not uncommon to find all kinds of files stolen from other computers parked on some innocent's system and hidden with ADS.
ADS is also used to hide the code to run illicit chat rooms, FTP servers, and other covert communications channels on compromised systems.