NTFS Alternate Data Streams

This article explains NTFS Alternate Data Streams: what they are, where they are, how you can detect them, how you create them and how they are used by hackers. In short, NTFS Alternate Data Streams let hackers fork file data into existing files without altering the existing file's function or reported size. You can guess where this is going, right? They make it relatively easy to hide malicious code in a place that is much harder to detect.

Creating NTFS Alternate Data Streams is not complicated at all. You can use the "type" command to do that. To fork the file virus.exe into calc.exe you would use the command type virus.exe > calc.exe:virus.exe if both files are in the same directory. Add the path if they are not. The reported size of calc.exe does not change; the only indicator is that its modification timestamp is updated.

But executing those files must be harder, right? Wrong again. To execute virus.exe you use the command "start"; in our example it would be start calc.exe:virus.exe.

Alternate Data Streams are basically files attached to other files. They are not only used for malicious activities: you can, for instance, use them to hide an important text file inside another file, or an image that you want no one to see.

For criminals it can be a way of hiding malicious code in regular files so that the code is much harder to detect, especially if antivirus software has not picked it up yet. The main problem here is that Windows does not reveal streams when you browse files with Windows Explorer or the command line.

One interesting option here is to send someone a harmless file that carries an alternate data stream containing a malicious file. While the stream is not executed automatically, it puts the malicious file right on the user's system.

Software such as Stream Explorer can find those NTFS Alternate Data Streams on your hard drive.
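As an added example that is not part of the original article, the following Windows PowerShell 5.1 script enumerates alternate data streams under a directory, flags any stream that begins with a PE ("MZ") header, and removes one; the temp-directory path and the sample stream names are constructed for the demonstration.

```powershell
# Added example (not from the original article): find alternate data streams with
# Windows PowerShell 5.1 and flag those that start with a PE ("MZ") header.
function Test-StreamHasMzHeader {
    param([string] $FilePath, [string] $StreamName)
    try {
        # Read only the first two bytes of the named stream.
        $b = Get-Content -LiteralPath $FilePath -Stream $StreamName -Encoding Byte -TotalCount 2 -ErrorAction Stop
        return ($b.Count -eq 2 -and $b[0] -eq 0x4D -and $b[1] -eq 0x5A)
    } catch { return $false }
}

function Find-AlternateDataStreams {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [switch] $IncludeZoneIdentifier   # Zone.Identifier is the normal "mark of the web" stream on downloads
    )
    Get-ChildItem -LiteralPath $Path -File -Recurse -Force -ErrorAction SilentlyContinue | ForEach-Object {
        $file = $_
        # Get-Item -Stream * lists every stream, including the default ':$DATA' stream that holds the visible content.
        Get-Item -LiteralPath $file.FullName -Stream * -ErrorAction SilentlyContinue |
            Where-Object { $_.Stream -ne ':$DATA' -and ($IncludeZoneIdentifier -or $_.Stream -ne 'Zone.Identifier') } |
            ForEach-Object {
                [pscustomobject]@{
                    File        = $file.FullName
                    Stream      = $_.Stream
                    Bytes       = $_.Length
                    LooksLikePE = Test-StreamHasMzHeader -FilePath $file.FullName -StreamName $_.Stream
                }
            }
    }
}

# Demonstration on a constructed sample in the temp directory (no real malware involved).
$dir = Join-Path $env:TEMP 'ads-demo'
New-Item -ItemType Directory -Path $dir -Force | Out-Null
$carrier = Join-Path $dir 'harmless.txt'
Set-Content -LiteralPath $carrier -Value 'visible content'
# Attach a stream whose first bytes mimic a PE header, the way "type payload.exe > file:stream" would.
Set-Content -LiteralPath $carrier -Stream 'hidden.bin' -Value ([byte[]](0x4D, 0x5A, 0x90, 0x00)) -Encoding Byte
Set-Content -LiteralPath $carrier -Stream 'note.txt' -Value 'just text'

# Report every non-default stream under the directory; harmless.txt's own size stays the same.
Find-AlternateDataStreams -Path $dir | Format-Table -AutoSize

# Remove a stream without touching the file's own content.
Remove-Item -LiteralPath $carrier -Stream 'hidden.bin'
```

On Windows Vista and later, dir /R in cmd.exe also lists streams, and on PowerShell 7 replace -Encoding Byte with -AsByteStream.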

