Alternative Data Streams – How to hide files within files that Windows 7 can’t detect – The Visual Guide
Windows has NTFS and FAT file systems, when NTFS is used, Alternative Data Streams can be created to hide malware within standard Windows Operating System files. ADS cannot be detected using Explorer or Task Manager, both the executable and the processes are undetectable to the OS. ADS was created to maintain compatibility with the MAC file system called HFS.
Step 1 – Create an ADS directory
Copy calc.exe and notepad.exe into this ADS directory – as you’ll be hiding the notepad.exe inside the calculator to prove how this works.
Step 2 – Check the filesize of both calc and notepad
Check the filesizes of both calc.exe and notepad.exe before you start, so that you can see the OS is unable to report the hidden or secret file inside calc.exe.
Step 3 – INJECTION SYNTAX (Inject notepad into calc)
type c:\windows\system32\notepad.exe > calc.exe: notepad.exe
or the safer option
type c:\ADS\notepad.exe > c:\ADS\calc.exe:notepad.exe
Step 4 – Recheck filesizes of calc
Notice how Windows can not detect the change in filesize.
Step 5 – Execute malware with “Start”
Calc will run.
Step 6 – Use taskmanager to check only calc.exe is shown
Step 7 – Download a special tool to enumerate Alternative NTFS data streams.
Streams displays calc.exe:notepad.exe:$DATA 193546.
This is showing that calc.exe has notepad hidden inside it, but Windows can’t detect that.
The malware datasize is 193546.
$DATA is the name of the attribute or the PRIMARY DATA STREAM.
We are hiding programmes in the SECONDARY data stream – which uses the : as a separator. Calc.exe:notepad.exe = the secret stream is notepad.exe. The syntax to hide hacking malware is:
type c:\malware.exe > c:\windows\system32\calc.exe:malware.exe
Step 8 – How to hide Calc.exe inside a JPEG file
We will hide the calc program inside a JPEG. ADS7.jpg was created for this article.
type c:\ads\calc.exe > ads7.jpg:calc.exe
Double Check our Injection has worked
We’ve INJECTED calc.exe into a very small JPEG file (65K).
So why is this important?
It’s important to realise that Windows 7 cannot detect secondary data streams – so rootkits and trojans can be hidden within windows system files or small photos.
You have created “malware” by hiding one program inside a windows system file or even a small photo.
Note how windows can’t detect the change in filesize or the running process. This protects the hacker from discovery.
Only NTFS has ADS capabilities.
If you transfer a file from NTFS to FAT32 you’ll automatically destroy the Alternative Data Stream.
ADS CANNOT BE DISABLED IN WINDOWS.
The countermeasure is Tripwire – which runs a hash against the files – system file hashing will detect ADS. That’s why hashes are so important as a safety net.