NTFS Alternate Data Streams

Martin Brinkmann
Jan 24, 2008
Updated • Nov 28, 2012
Windows

This article explains NTFS Alternate Data Streams: what they are, where they are, how you can detect and create them, and how attackers use them. In short, an Alternate Data Stream lets someone fork data into an existing file without altering that file's function or the size Windows reports for it. You can guess where this is going, right? They make it relatively easy to hide malicious code in a place that is much harder to detect.

Creating NTFS Alternate Data Streams is not complicated at all. You can use the "type" command to do that. To fork the file virus.exe into calc.exe you would use the command type virus.exe > calc.exe:virus.exe if both files are in the same directory; add the path if they are not. The size shown for the calculator does not change; the only indicator is that the file's last-modified timestamp is updated.

But executing those files must be harder, right? Wrong again. To execute virus.exe you use the "start" command; in our example it would be start calc.exe:virus.exe.

Alternate Data Streams are basically files attached to other files. They are not only used for malicious purposes: you can, for instance, use them to hide an important text file inside another file, or an image that you do not want anyone to see.

For criminals it is a way of hiding malicious code in regular files so that the code is much harder to detect, especially if antivirus software has not picked it up yet. The main problem is that Windows does not reveal streams when you browse files in Windows Explorer or on the command line.

One interesting option here is to send someone a harmless file that carries an alternate data stream containing a malicious file. While that stream is not executed automatically, it puts the malicious file right on the user's system.

Software such as Stream Explorer can find those NTFS Alternate Data Streams on your hard drive.
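Besides third-party tools, Windows PowerShell can enumerate and inspect streams itself. The script below is an added example, not part of the article or of Stream Explorer: it assumes Windows PowerShell 5.1 on an NTFS volume, creates a harmless demo stream in a scratch file, shows that the reported file size does not change, and then scans a directory for streams whose first bytes look like a Windows executable.

```powershell
# Added example (not from the article). Requires Windows PowerShell 3.0+ on NTFS;
# the -Stream parameter of Get-Item / Get-Content / Set-Content / Remove-Item
# and the -Encoding Byte switch are Windows PowerShell 5.1 syntax.

function Find-AlternateStream {
    param([Parameter(Mandatory)][string]$Root)

    Get-ChildItem -LiteralPath $Root -File -Recurse -ErrorAction SilentlyContinue |
    ForEach-Object {
        $file = $_
        # ':$DATA' is the unnamed default stream that holds the normal file content;
        # anything else listed here is an alternate data stream.
        Get-Item -LiteralPath $file.FullName -Stream * -ErrorAction SilentlyContinue |
        Where-Object { $_.Stream -ne ':$DATA' } |
        ForEach-Object {
            $head = Get-Content -LiteralPath $file.FullName -Stream $_.Stream `
                        -Encoding Byte -TotalCount 2 -ErrorAction SilentlyContinue
            # A PE executable starts with the two bytes 'MZ' (0x4D 0x5A).
            $looksLikePE = ($head.Count -eq 2 -and $head[0] -eq 0x4D -and $head[1] -eq 0x5A)
            [pscustomobject]@{
                File        = $file.FullName
                Stream      = $_.Stream
                Length      = $_.Length
                LooksLikePE = $looksLikePE
                # Zone.Identifier is the Mark-of-the-Web stream browsers write on
                # downloads; it is expected and not by itself suspicious.
                Expected    = ($_.Stream -eq 'Zone.Identifier')
            }
        }
    }
}

# Demo with a constructed scratch file: the visible size excludes the stream.
$demoDir  = Join-Path $env:TEMP 'ads-demo'
New-Item -ItemType Directory -Path $demoDir -Force | Out-Null
$demoFile = Join-Path $demoDir 'carrier.txt'
Set-Content -LiteralPath $demoFile -Value 'visible content'
$before = (Get-Item -LiteralPath $demoFile).Length
Set-Content -LiteralPath $demoFile -Stream 'hidden' -Value ('x' * 4096)
$after  = (Get-Item -LiteralPath $demoFile).Length
"Reported size before/after adding a 4 KB stream: $before / $after"

Find-AlternateStream -Root $demoDir | Format-Table -AutoSize

# Clean-up: an unwanted stream is removed without touching the main content.
Remove-Item -LiteralPath $demoFile -Stream 'hidden'
```

Run the scan against a download folder with Find-AlternateStream and triage any row where LooksLikePE is True or Expected is False; `dir /R` in cmd.exe lists the same streams on Windows Vista and later.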

Comments

  1. Joe Whitehead said on January 26, 2008 at 11:24 pm

    New url for Sysinternals Streams:
    http://technet.microsoft.com/en-us/sysinternals/bb897440.aspx

    Those dummies keep changing the links and don’t redirect. :/

  2. itoleck said on January 25, 2008 at 5:20 am

    You can also use the TechNet Sysinternals streams application. Here is the link.
    http://www.microsoft.com/technet/sysinternals/FileAndDisk/Streams.mspx
