Alternate Data Streams


Every day I find something new that makes me dislike using Microsoft Windows even more. And while I don’t normally subscribe to conspiracy theories, the Antispyware Conspiracy does make a certain amount of sense to me.

The NT file system (NTFS), which is used by Windows NT, Windows 2000, and Windows XP, has a feature that allows data to be stored in hidden files that are linked to normal visible files. These hidden files are called Alternate Data Streams (ADS).[1]

A single NTFS file can hold many streams and potentially take up a lot of disk space.[1]

These streams bypass the regular directory listing; the alternative data does not count when the number of free bytes left on the disk is calculated.

If you see a substantial difference between the size of your drive and the size of the visible data on the drive, you could have a problem with ADS sucking up valuable storage.[1]

But that’s not the worst of it. Even though ADS may not be inherently evil, these streams are not visible in Explorer and can pose a security risk. Malicious programs can hide data and executable files in these streams.[1]

If you think you’re protected from streams because you have antivirus software, think again. Not all antivirus programs detect streams.[1]

There are very few security programs available that are ADS-aware. As such, if a virus implants itself into an ADS, your antivirus software will probably not be able to detect it. In addition, streams cannot be deleted – to delete a stream you must delete its parent.[4]

In order to delete ADS files that are attached to a directory, you need to delete the directory. This can cause a major problem if the ADS is attached to the root of a hard drive.[5]

Amazingly enough, Alternate Data Streams are extremely easy to make and require little or no skill on the part of the hacker. Common DOS commands like “type” are used to create an ADS. These commands are used in conjunction with a redirect [>] and colon [:] to fork one file into another.[3]

It is possible not only to hide a file but also to hide the execution of an illegitimate process.[3]

The Sysinternals web site was created in 1996 by Mark Russinovich and Bryce Cogswell to host their advanced system utilities and technical information. Microsoft acquired Sysinternals in July 2006.[6]

Mr. Russinovich subsequently wrote on Microsoft’s site that “NT does not come with any tools that let you see which NTFS files have streams associated with them, so I’ve written one myself.” That program can be downloaded from this page.
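
Current Windows versions can do the same enumeration with built-in PowerShell. The script below is an added example, not code from the original post or from Sysinternals; the function name `Find-AlternateDataStream`, the list of expected stream names and the scratch directory are assumptions made for illustration, and streams attached to directories are only returned by PowerShell 7.2 or later.

```powershell
# Added example: list every named (alternate) data stream under a directory tree.
# Relies on the -Stream parameter of Get-Item (Windows PowerShell 3.0 and later).
# Hypothetical helper name; not part of Windows or Sysinternals.
function Find-AlternateDataStream {
    param(
        [Parameter(Mandatory)] [string] $Root,
        # Stream names to treat as expected. Zone.Identifier is the mark
        # Windows attaches to files downloaded from the Internet.
        [string[]] $Expected = @('Zone.Identifier')
    )
    & {
        # Include the root itself: a stream can hang off a directory or drive root.
        Get-Item -LiteralPath $Root -Force
        Get-ChildItem -LiteralPath $Root -Recurse -Force -ErrorAction SilentlyContinue
    } |
        ForEach-Object {
            # Older PowerShell versions raise an error for directories; skip those.
            Get-Item -LiteralPath $_.FullName -Stream * -ErrorAction SilentlyContinue
        } |
        Where-Object { $_.Stream -ne ':$DATA' } |   # ':$DATA' is the normal, unnamed content
        ForEach-Object {
            [pscustomobject]@{
                File     = $_.FileName
                Stream   = $_.Stream
                Bytes    = $_.Length
                Expected = $Expected -contains $_.Stream
            }
        }
}

# Constructed demonstration in a scratch directory (an NTFS volume is assumed).
$demo = Join-Path $env:TEMP 'ads-demo'
$file = Join-Path $demo 'visible.txt'
New-Item -ItemType Directory -Path $demo -Force | Out-Null
Set-Content -LiteralPath $file -Value 'visible content'
Set-Content -LiteralPath $file -Stream 'hidden' -Value 'data that Explorer does not show'

# Largest streams first, so space-hungry ones stand out.
Find-AlternateDataStream -Root $demo | Sort-Object Bytes -Descending | Format-Table -AutoSize

# The size reported for the file itself covers only the unnamed stream.
(Get-Item -LiteralPath $file).Length

# Clean up the scratch directory.
Remove-Item -LiteralPath $demo -Recurse -Force
```

Rows with `Expected` set to `False` are the ones worth a closer look.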

Caveat emptor 😉

Sources:

1. http://www.pcmag.com/article2/0,1895,1969425,00.asp
2. http://ingehenriksen.blogspot.com/2005_08_01_ingehenriksen_archive.html
3. http://www.windowsecurity.com/articles/Alternate_Data_Streams.html
4. http://www.diamondcs.com.au/index.php?page=archive&id=ntfs-streams
5. http://www.bleepingcomputer.com/tutorials/tutorial25.html
6. http://www.microsoft.com/technet/sysinternals/default.mspx
