NTFS Alternate Data Streams - gHacks Tech News

NTFS Alternate Data Streams

This article is going to explain NTFS Alternate Data Streams: what they are, where they are, how you can detect them, create them and how they are used by hackers. In short, NTFS Alternate Data Streams can be used by hackers to fork file data into existing files without altering the existing file's function or size. You can guess where this is going, right? They make it relatively easy to hide malicious code inside them which is much harder to detect.

Creating NTFS Alternate Data Streams is not complicated at all. You can use the "type" command to do that. To fork the file virus.exe into calc.exe you would use the command type virus.exe > calc.exe:virus:exe if they are in the same directory. Add the path if they are not. The size of the calculator does not change, the only indicator is that the file changed stamp is altered.

But executing those files must be harder, right? Wrong again. To execute virus.exe you use the command "start", in our example it would be start calc.exe:virus:exe.

Alternate Data Streams are basically files attached to other files. They are not only used for malicious activities, you can for instance use them to hide an important text file in another file, or an image that you want no one to see.

For criminals it can be a way of hiding malicious code in regular files so that the code is much harder to detect especially if antivirus software has not picked it up yet. The main problem here is that streams are not revealed by Windows if you use Windows Explorer or the command line to browse files.

One interesting option here is to send someone a harmless file that has an alternate data stream with a malicious file. While that is not executed automatically, it puts the malicious file right on the user's system.

A software like Stream Explorer can find those NTFS Alternate Data Streams on your hard drive.

  • We need your help

    Advertising revenue is falling fast across the Internet, and independently-run sites like Ghacks are hit hardest by it. The advertising model in its current form is coming to an end, and we have to find other ways to continue operating this site.

    We are committed to keeping our content free and independent, which means no paywalls, no sponsored posts, no annoying ad formats (video ads) or subscription fees.

    If you like our content, and would like to help, please consider making a contribution:


    1. itoleck said on January 25, 2008 at 5:20 am

      You can also use the TechNet Sysinternals streams application. Here is the link.

    2. Joe Whitehead said on January 26, 2008 at 11:24 pm

      New url for Sysinternals Streams:

      Those dummies keep changing the links and don’t redirect. :/

    Leave a Reply