
SANS ISC: Windows Alternate Data Streams Revisited


Windows Alternate Data Streams Revisited
An oldie but goodie has reared its familiar head, this time in the form of a posting to the Bugtraq and Full Disclosure lists. Windows NTFS supports multiple streams of data for any given file (http://support.microsoft.com/kb/105763). While the functions that access ADSs are clearly defined by Microsoft, very few Windows tools can view these alternate data streams (ADS) without some added help. In addition, many third-party software developers ignore the possible presence of ADSs, thus providing a wonderful storage location for malicious code.

The Bugtraq posting http://www.securityfocus.com/archive/1/435962/30/0/threaded mentions a few antivirus tools that fail to detect known malware when stored as ADSs. The Internet Storm Center has not tested any of these claims, but we have no reason to dispute them as we have seen this time and time again.
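Since most file browsers and scanners walk only the default data stream, a defender needs a separate pass that asks NTFS for every named stream on each file. The script below is an added example for this diary, not code from the ISC or from the Bugtraq posting. It assumes Windows PowerShell 3.0 or later (where the FileSystem provider gained the -Stream parameter) and an NTFS volume; the root path, the function name Find-AlternateDataStream and the list of ignored stream names are assumptions you can adjust.

```powershell
# Added example: enumerate alternate data streams under a directory tree and
# report any stream other than the ones a defender normally expects to see.
# Assumes Windows PowerShell 3.0+ on an NTFS volume. Function name and defaults
# are assumptions, not part of the original diary.
function Find-AlternateDataStream {
    param(
        [Parameter(Mandatory = $true)]
        [string]$Root,
        # ':$DATA' is the unnamed default stream; Zone.Identifier is the
        # mark-of-the-web stream browsers add to downloads, so both are expected.
        [string[]]$Ignore = @(':$DATA', 'Zone.Identifier')
    )

    # -Force includes hidden and system files, which is where extra streams tend to hide.
    Get-ChildItem -LiteralPath $Root -Recurse -File -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            # -Stream * returns one object per named stream on the file, with
            # FileName, Stream and Length properties.
            Get-Item -LiteralPath $_.FullName -Stream * -ErrorAction SilentlyContinue
        } |
        Where-Object { $Ignore -notcontains $_.Stream } |
        Select-Object FileName, Stream, Length
}

# Usage (assumed path): list every unexpected stream, largest first.
Find-AlternateDataStream -Root 'C:\Users\Public' |
    Sort-Object Length -Descending |
    Format-Table -AutoSize

# To look at the first bytes of a suspicious stream without running anything,
# read it as bytes (Windows PowerShell 5.1 syntax; PowerShell 7 uses -AsByteStream):
#   Get-Content -LiteralPath 'C:\path\to\file.txt' -Stream 'name' -Encoding Byte -TotalCount 16
# Remove-Item -Stream 'name' deletes just that stream and leaves the file intact.
```

The Zone.Identifier exclusion keeps the output readable on a workstation full of downloads; on a server that should never receive browser downloads you may want to drop it from $Ignore so that every named stream is reported. Length is useful as a first triage signal, since a stream large enough to hold an executable stands out from the few dozen bytes of metadata legitimate streams usually carry.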

Ryan Means wrote an excellent paper (GCFW honors) that discusses Alternate Data Streams in depth, presents a number of tools to locate and manipulate ADSs, and presents an extension to Windows Explorer to directly report the presence of ADSs. You can pull it from the SANS Reading Room at: http://www.sans.org/rr/whitepapers/honors/1503.php
George

