Alternate Data Stream - Hidden Files in NTFS

Thread: Alternate Data Stream - Hidden Files in NTFS

  1. #1
    Senior Member
    Join Date
    Jan 2003
    Posts
    3,914

    Alternate Data Stream - Hidden Files in NTFS

    Hey Hey

    I've been talking to phishphreek and brought this up.. Since neither of us had seen it on AO before and he'd never heard of it.. I figure I'll post it on here. It's older news now... Can't remember the exact place I found it originally, but it was prolly an issue of Phrack... If this has been posted before I apologize, but neither of us was able to find it on here...

    Anyways, it's a paper entitled The Darker Side of NTFS, and it deals with the Alternate Data Stream which MS added to allow for communication with HFS (the Mac file system).

    To give you a brief summary:

    Using a few varying techniques, hide a file by attaching it to another file. This hidden file will not be seen by doing a directory listing in the command prompt, or in Explorer. The file can only be found using third-party software (a link is in the attached article). This file can be executed while it is hidden and will show up in Task Manager as the file it is attached to. So if I were to hide virus.exe in explorer.exe and then run the hidden virus.exe, your Task Manager would simply show a second copy of explorer.exe running. This is obviously a very big risk.

    Anyways here's the complete article. The Darker Side of NTFS

  2. #2
    Senior Member
    Join Date
    May 2003
    Posts
    207
    So what exactly are the ways of detection?

  3. #3
    Senior Member
    Join Date
    Jan 2003
    Posts
    3,914
    As far as I know.. LADS is the only current app available for detection (mentioned in the article). It is available for download here.
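
    As an added example (not from the thread, and not LADS or any tool named above): a PowerShell function, usable on PowerShell 3.0 or later where Get-Item and Get-Content accept -Stream, that walks a directory, lists every non-default NTFS stream, skips the Zone.Identifier stream Windows itself writes on downloaded files, and flags streams whose first two bytes are the MZ header of an executable. The path in the usage line is an assumption.

    ```powershell
    # Added example: enumerate alternate data streams under a path (PowerShell 3.0+).
    function Find-AlternateDataStreams {
        param(
            [Parameter(Mandatory)] [string]$Path,
            # Zone.Identifier is the mark-of-the-web stream written on downloads;
            # it is expected noise, so it is filtered out unless requested.
            [switch]$IncludeZoneIdentifier
        )
        # Get-Content reads raw bytes with -AsByteStream on PowerShell 6+, -Encoding Byte on 5.1.
        $byteArgs = if ($PSVersionTable.PSVersion.Major -ge 6) { @{ AsByteStream = $true } }
                    else { @{ Encoding = 'Byte' } }

        Get-ChildItem -LiteralPath $Path -Recurse -File -Force -ErrorAction SilentlyContinue |
            ForEach-Object {
                $file = $_
                # ':$DATA' is the unnamed default stream every file has; anything else is an ADS.
                Get-Item -LiteralPath $file.FullName -Stream * -ErrorAction SilentlyContinue |
                    Where-Object { $_.Stream -ne ':$DATA' } |
                    Where-Object { $IncludeZoneIdentifier -or $_.Stream -ne 'Zone.Identifier' } |
                    ForEach-Object {
                        # Peek at the first two bytes: 0x4D 0x5A ("MZ") marks a PE executable.
                        $head = @(Get-Content -LiteralPath $file.FullName -Stream $_.Stream `
                                    -TotalCount 2 -ErrorAction SilentlyContinue @byteArgs)
                        $looksLikePE = ($head.Count -eq 2 -and $head[0] -eq 0x4D -and $head[1] -eq 0x5A)
                        [pscustomobject]@{
                            File        = $file.FullName
                            Stream      = $_.Stream
                            Length      = $_.Length
                            LooksLikePE = $looksLikePE
                        }
                    }
            }
    }

    # Usage (path is an assumption): report every ADS found, executables first.
    Find-AlternateDataStreams -Path 'C:\Users\Public' |
        Sort-Object LooksLikePE -Descending |
        Format-Table -AutoSize
    ```

    Since Windows Vista, `dir /R` in cmd.exe also lists streams natively, so neither LADS nor a script is strictly required on current systems.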

  4. #4
    Senior Member
    Join Date
    May 2003
    Posts
    207
    Ahh.. that's quite intriguing. Nice source, thanks!

  5. #5
    Junior Member
    Join Date
    Sep 2002
    Posts
    12
    Originally posted here by HTRegz
    As far as I know.. LADS is the only current app available for detection (mentioned in the article). It is available for download here.

    I am aware of TDS-3 from DiamondCS at http://tds.diamondcs.com.au/

    It checks for ADS in NTFS files as well as a superb Trojan scanner.

  6. #6
    Senior Member
    Join Date
    Jan 2003
    Posts
    3,914
    Thanks for the update adm77..

    It looks like a great program.. however they do want money for it... LADS is a console-based app and is freeware. So it gives admins a bit of an advantage: they don't have to pay for it and they can easily add it to scripts.

    However, TDS-3 looks great and definitely has a lot of great features.. I'll have to try it out at some point.

  7. #7
    Junior Member
    Join Date
    Sep 2002
    Posts
    12
    Now I'm intrigued.... I'll be checking out LADS

    Thank you HTRegz !

  8. #8
    Senior Member
    Join Date
    Sep 2001
    Posts
    1,027
    I believe SFind from Foundstone also "detects" hidden file streams http://www.foundstone.com/resources/...ic-toolkit.htm

    Ammo
    Credit travels up, blame travels down -- The Boss

  9. #9
    Senior Member
    Join Date
    Jan 2003
    Posts
    3,914
    To the person who left the AP "When in doubt, use AFS".. it was a grey dot.. I don't really care which it was supposed to be.. but I wanted to address that comment.

    Windows machines run NTFS or FAT32, Macs use HFS (not really sure if there's another FS they can use)... I'd love to see you get the Windows OS to run on AFS... The Andrew File System is a network file system, which is fine if you just want a bunch of stored files... you can view them as network drives in Win32... however, if you just want to network your Mac and your PC.. then this wouldn't be an option... and if you were using NTFS for the ADS support.. then you'd leave yourself open to the ADS vulnerability.

  10. #10
    Just Another Geek
    Join Date
    Jul 2002
    Location
    Rotterdam, Netherlands
    Posts
    3,401
    You don't have to use filesharing with a mac. ADS are part of NTFS (4 and 5). So if you use NTFS (like any good sysadmin should) you are vulnerable to abuse by ADS. Even if your box is just a stand-alone machine.

    What I find quite annoying about all of this is there is no way to turn this 'feature' on or off.
    Oliver's Law:
    Experience is something you don't get until just after you need it.
