
Alternative Data Streams – How to hide files within files that Windows 7 can’t detect – The Visual Guide

14/06/2014

Windows supports the NTFS and FAT file systems. When NTFS is used, Alternative Data Streams (ADS) can be created to hide malware within standard Windows operating system files. ADS cannot be detected using Explorer or Task Manager; both the executable and the processes are undetectable to the OS. ADS was created to maintain compatibility with the Macintosh file system, HFS.

Step 1 – Create an ADS directory

Copy calc.exe and notepad.exe into this ADS directory, as you’ll be hiding notepad.exe inside the calculator to prove how this works.


Step 2 – Check the filesize of both calc and notepad

Check the file sizes of both calc.exe and notepad.exe before you start, so that you can see the OS is unable to report the hidden or secret file inside calc.exe.


Step 3 – INJECTION SYNTAX (Inject notepad into calc)

type c:\windows\system32\notepad.exe > calc.exe:notepad.exe

or, the safer option, with full paths on both sides:

type c:\ADS\notepad.exe > c:\ADS\calc.exe:notepad.exe


Step 4 – Recheck filesizes of calc

Notice how Windows cannot detect the change in file size.


Step 5 – Execute malware with “Start”

start c:\ads\calc.exe


Calc will run.

Step 6 – Use Task Manager to check that only calc.exe is shown

Step 7 – Download Sysinternals Streams, a tool that enumerates alternative NTFS data streams.

http://technet.microsoft.com/en-us/sysinternals/bb897440.aspx

Install Streams. Open a new command prompt and change to the Streams directory.

streams c:\ADS\calc.exe


Streams displays calc.exe:notepad.exe:$DATA 193546.

This is showing that calc.exe has notepad hidden inside it, but Windows can’t detect that.

The malware datasize is 193546.

$DATA is the name of the attribute, i.e. the PRIMARY DATA STREAM.

We are hiding programmes in the SECONDARY data stream, which uses the : as a separator. In calc.exe:notepad.exe, the secret stream is notepad.exe. The syntax to hide hacking malware is:

type c:\malware.exe > c:\windows\system32\calc.exe:malware.exe


Step 8 – How to hide Calc.exe inside a JPEG file

We will hide the calc program inside a JPEG.  ADS7.jpg was created for this article.

type c:\ads\calc.exe > ads7.jpg:calc.exe


Double-check that the injection has worked:

streams c:\ads\ads7.jpg

Streams reports that :calc.exe is hidden inside a secondary data stream.

We’ve INJECTED calc.exe into a very small (65K) JPEG file.


So why is this important?

It’s important to realise that Windows 7 cannot detect secondary data streams, so rootkits and trojans can be hidden within Windows system files or small photos.

So what?

You have created “malware” by hiding one program inside a Windows system file or even a small photo.

Note how Windows can’t detect the change in file size or the running process. This protects the hacker from discovery.

Only NTFS has ADS capabilities.

If you transfer a file from NTFS to FAT32 you’ll automatically destroy the Alternative Data Stream.

ADS CANNOT BE DISABLED IN WINDOWS.

The countermeasure is Tripwire, which runs a hash against the files; system file hashing will detect ADS. That’s why hashes are so important as a safety net.
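As an added example of the hashing countermeasure just described (not part of the original post), the PowerShell script below walks a directory, lists every alternate data stream, hashes each stream with SHA-256 and flags streams that begin with a PE header. It assumes Windows PowerShell 3.0 or later on an NTFS volume; C:\ADS is a placeholder path, and Zone.Identifier is excluded because browsers add it to downloads routinely.

```powershell
# Added example (not from the original post): enumerate NTFS alternate data streams
# under a directory, hash each one and flag streams that look like embedded executables.
# Assumes Windows PowerShell 3.0+ (PowerShell 7 uses -AsByteStream instead of -Encoding Byte).
param([string]$Root = 'C:\ADS')   # placeholder path, change to the directory to audit

# Streams that are routinely present and not worth alerting on by themselves.
$KnownBenign = @('Zone.Identifier')

function Get-AdsReport {
    param([string]$Path)
    Get-ChildItem -LiteralPath $Path -File -Recurse -Force | ForEach-Object {
        $file = $_.FullName
        # -Stream * lists every $DATA stream; ':$DATA' is the primary (unnamed) one that
        # Explorer and dir report, so only the named streams are of interest here.
        Get-Item -LiteralPath $file -Stream * -ErrorAction SilentlyContinue |
            Where-Object { $_.Stream -ne ':$DATA' -and $KnownBenign -notcontains $_.Stream } |
            ForEach-Object {
                # Get-Content -Stream is the documented way to read "file:stream" content.
                $raw = Get-Content -LiteralPath $file -Stream $_.Stream -Encoding Byte -ReadCount 0
                $bytes = if ($null -eq $raw) { [byte[]]@() } else { [byte[]]$raw }
                $sha = [System.Security.Cryptography.SHA256]::Create()
                $hash = [System.BitConverter]::ToString($sha.ComputeHash($bytes)) -replace '-', ''
                # PE files begin with the 'MZ' DOS header: a stream starting that way is an
                # executable riding inside a file that should not carry one.
                $isPe = ($bytes.Length -ge 2) -and ($bytes[0] -eq 0x4D) -and ($bytes[1] -eq 0x5A)
                [pscustomobject]@{
                    File        = $file
                    Stream      = $_.Stream
                    Length      = $_.Length
                    SHA256      = $hash
                    LooksLikePE = $isPe
                }
            }
    }
}

$report = Get-AdsReport -Path $Root
$report | Format-Table -AutoSize

# Remediation for a confirmed finding: Remove-Item -LiteralPath $file -Stream $name
# drops only the alternate stream and leaves the primary stream (the real file) intact.
```

Recording the SHA256 column from a known-clean baseline and re-running the script later gives the same safety net the Tripwire approach relies on: any new or changed named stream shows up as a new row or a different hash.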

References:

http://blogs.technet.com/b/askcore/archive/2013/03/24/alternate-data-streams-in-ntfs.aspx

http://technet.microsoft.com/en-us/sysinternals/bb897440.aspx

http://www.windowsecurity.com/articles-tutorials/windows_os_security/Alternate_Data_Streams.html

One Comment

1. Shahjee:

    But how do you execute the executable in Win 7?
