Nice post. Never heard of this before. I will definitely be doing some research
Ok, I haven't yet had the time to test this out but...
Some people have posted links to programs that will find the data in ADS.
I wonder if linux would find it too? Since it ignores all file attributes and etc.
You could then just boot to a knoppix and look for the files there.
Although... a utility that is designed to specifically look for these files would be a lot easier to use than comparing file lists from the windows view and linux view.
Also... since these files are hidden completely (I'd assume until run in memory)... would an antivirus scanner be able to pick up a virus or trojan if it was just stored on the hard disk, or would it pick it up after/as it was being run?
Yes, streaming is *very* difficult to detect.
OK gang, now that you know about streaming, here are some technical details that you need to know about.
To stream a file, you'll need the POSIX utility CP from the NT resource kit. The syntax to hide a file is as follows:
cp nc.exe hidden.file:nc.exe
This hides nc.exe in the nc.exe stream of hidden.file.
To unstream netcat, simply type this:
cp hidden.file:nc.exe nc.exe
Now that you can stream a file, try to see if your favorite virus scanner can pick up an infected streamed file. The results may surprise you ;)
A few more notes on streaming that are important:
1) The mod date on hidden.file changes but not the size. This makes streamed files difficult to ferret out.
2) Deleting a streamed file involves copying the front file to a FAT partition, then copying it back to NTFS.
3) Streamed files can be executed while hiding behind the front file but cannot be executed directly due to limitations in CMD.EXE. You need to use the start command to launch it:
start hidden.file:nc.exe
Anyway, hope this adds some value to the thread here.
--TH13
Most (if not all) do not check the ADS. Maybe an on-access scanner can pick it up when it actually gets executed.
Quote:
Originally posted here by phishphreek80
Also... since these files are hidden completely (I'd assume until run in memory)... would an antivirus scanner be able to pick up a virus or trojan if it was just stored on the hard disk, or would it pick it up after/as it was being run?
This should be easy to test. Just stream the EICAR test file behind say notepad and scan your machine.
If you cannot run POSIX (because you killed it) try using Perl:
Quote:
Originally posted here by thehorse13
To stream a file, you'll need the POSIX utility CP from the NT resource kit.
#!/usr/bin/perl
use strict;
use warnings;
# Copy file2stream into the "hiddenstream" ADS of notepad.exe (same names as the original post)
open(my $src, '<', 'file2stream') or die "cannot open file2stream: $!";
open(my $dest, '>', 'notepad.exe:hiddenstream') or die "cannot open stream: $!";
binmode($src);  # binary-safe copy so an executable is not mangled by newline translation
binmode($dest);
local $/;       # slurp mode: read the whole file in one go
print {$dest} <$src>;
close($src);
close($dest) or die "error writing stream: $!";
Yeah, I found this a very interesting thing when I found out about it. I learned about it through a Tripwire Seminar - I think it was called "The Art of Hacking." Anyways, I pasted in the thread I posted before.
Alternate Data Streams
You guys definitely bring up some interesting thoughts. Nice!
Oh, by the way, Tripwire picks up the ADS files also. When I found out about them, I stumbled upon lads, and it was a great tool.
Cheers,
t2k2
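Added example for the detection side of this thread (the scanner question and the LADS/Tripwire mention); it is not code from the thread or from either tool. It enumerates every non-default stream under a directory with PowerShell, hashes each stream so the hash can be checked against your scanner or threat intel, and flags streams that start with an MZ header (what a streamed nc.exe would look like). Assumes PowerShell 3.0 or later on Windows; the scan root path is an assumption.

```powershell
# Added example, not from the original thread. Assumed scan root; change as needed.
$Root = 'C:\Users\Public'

function Find-AlternateStreams {
    param([Parameter(Mandatory)][string]$Path)

    Get-ChildItem -Path $Path -Recurse -File -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file = $_
            # Get-Item -Stream * lists all streams; ':$DATA' is the ordinary file content.
            Get-Item -LiteralPath $file.FullName -Stream * -ErrorAction SilentlyContinue |
                Where-Object { $_.Stream -ne ':$DATA' } |
                ForEach-Object {
                    # .NET accepts "file:stream" paths on NTFS, so the stream can be read directly.
                    $fs = [System.IO.File]::OpenRead("$($file.FullName):$($_.Stream)")
                    try {
                        # Peek at the first two bytes: 'MZ' (0x4D 0x5A) marks a PE executable.
                        $hdr = New-Object byte[] 2
                        $null = $fs.Read($hdr, 0, 2)
                        $fs.Position = 0
                        $hash = (Get-FileHash -InputStream $fs -Algorithm SHA256).Hash
                    } finally {
                        $fs.Dispose()
                    }
                    [pscustomobject]@{
                        File       = $file.FullName
                        Stream     = $_.Stream
                        Bytes      = $_.Length
                        LooksLikePE = ($hdr[0] -eq 0x4D -and $hdr[1] -eq 0x5A)
                        SHA256     = $hash
                    }
                }
        }
}

# Zone.Identifier is the benign "downloaded from the internet" mark and is usually noise;
# everything else, and anything flagged LooksLikePE, deserves a closer look.
Find-AlternateStreams -Path $Root |
    Where-Object { $_.Stream -ne 'Zone.Identifier' } |
    Sort-Object LooksLikePE -Descending |
    Format-Table -AutoSize
```

To test it the way the thread suggests, stream the EICAR test file behind a harmless file and confirm the stream shows up here even when a signature scan of the host file reports nothing.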
I think all bases have been covered by this thread, and the articles listed. I would like to add one thing though - and that's why ADSs exist in the first place.
ADS is supported by NTFS for compatibility with the Mac OS. Macs use the ADS to determine the file type and to store application associations with those file types (such as associating MS WORD with *.DOC files). Windows, as we all know, uses the 3 character file extension.
This doesn't make any difference to the threat of ADSs, or how to deal with them, but I thought it might be useful background anyway.
Cheers all.
Alan Mott