Hey Hey

I've been talking to phishphreek and brought this up.. Since neither of us had seen it on AO before and he'd never heard of it.. I figure I'll post it on here. It's older news now... Can't remember the exact place i found it originally but it was prolly an issue of phrack... If this has been posted before I apologize, but neither of us were able to find it on here...

Anyways It's a paper entitled The Darker Side of NTFS and it deals with the Alternate Data Stream which MS added to allow for communication with HFS (The MAC File System).

To give you a brief summary:

Using a few varying techniques, hide a file by attaching it to another file. This hidden file will not be seen by doing a directory listing in the command prompt, or in explorer. The file can only be found using third party software (a link is in the attached article). This file can be executed while it is hidden and will show up in taskmanager as the file it is attached to. So if I were to hide virus.exe in explorer.exe and then run the hidden virus.exe your task manager would simply show a second copy of explorer.exe running. This is obviously a very big risk.

Anyways here's the complete article. The Darker Side of NTFS