-
May 9th, 2003, 02:48 AM
#1
Alternate Data Stream - Hidden Files in NTFS
Hey Hey
I've been talking to phishphreek and brought this up.. Since neither of us had seen it on AO before and he'd never heard of it.. I figure I'll post it on here. It's older news now... Can't remember the exact place I found it originally, but it was probably an issue of Phrack... If this has been posted before I apologize, but neither of us were able to find it on here...
Anyways, it's a paper entitled The Darker Side of NTFS and it deals with the Alternate Data Stream, which MS added to allow for communication with HFS (the Mac file system).
To give you a brief summary:
Using a few varying techniques, hide a file by attaching it to another file. This hidden file will not be seen by doing a directory listing in the command prompt, or in Explorer. The file can only be found using third-party software (a link is in the attached article). This file can be executed while it is hidden and will show up in Task Manager as the file it is attached to. So if I were to hide virus.exe in explorer.exe and then run the hidden virus.exe, your Task Manager would simply show a second copy of explorer.exe running. This is obviously a very big risk.
Anyways here's the complete article. The Darker Side of NTFS
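Added example to go with the summary above (not from the original post or from The Darker Side of NTFS): attaching a second payload to an innocuous text file as a named stream and then showing why a plain directory listing never reveals it. It needs an NTFS volume and PowerShell 3.0 or later, since the -Stream parameters on the file cmdlets did not exist in 2003; the file names and the "payload" (random bytes standing in for virus.exe) are made up for illustration.

```powershell
# Added example; not code from the original thread or the linked paper. Assumes NTFS and
# PowerShell 3.0+. File names and contents are constructed for illustration only.
$carrier = Join-Path $env:TEMP 'readme.txt'     # the innocuous-looking host file
$payload = Join-Path $env:TEMP 'payload.dat'    # stands in for "virus.exe"

# Constructed sample data: exactly 20 bytes of text in the carrier, 4 KB of noise as the payload.
[System.IO.File]::WriteAllText($carrier, 'Nothing to see here.')
$noise = New-Object byte[] 4096
(New-Object System.Random).NextBytes($noise)
[System.IO.File]::WriteAllBytes($payload, $noise)

# Windows PowerShell writes/reads raw bytes with -Encoding Byte; PowerShell 6+ uses -AsByteStream.
$byteMode = @{ Encoding = 'Byte' }
if ($PSVersionTable.PSVersion.Major -ge 6) { $byteMode = @{ AsByteStream = $true } }

# Attach the payload to the carrier as the named stream readme.txt:payload.dat.
# The same thing from cmd.exe is the classic redirect:  type payload.dat > readme.txt:payload.dat
Set-Content -LiteralPath $carrier -Stream 'payload.dat' -Value $noise @byteMode
Remove-Item -LiteralPath $payload

# dir / Get-ChildItem only report the unnamed data stream, so the carrier still looks like
# a 20-byte text file. Nothing in the listing hints at the 4 KB riding behind it.
Get-ChildItem -LiteralPath $carrier | Select-Object Name, Length     # readme.txt  20

# Asking for every stream tells the real story. ':$DATA' is the ordinary file content.
Get-Item -LiteralPath $carrier -Stream * | Select-Object Stream, Length
#   Stream       Length
#   ------       ------
#   :$DATA           20
#   payload.dat    4096

# The hidden stream comes back out just as easily (cmd.exe: more < readme.txt:payload.dat > out.dat).
$recovered = [byte[]](Get-Content -LiteralPath $carrier -Stream 'payload.dat' @byteMode)
"Recovered $($recovered.Length) bytes from the hidden stream"

# Streams are an NTFS-only feature: copying readme.txt to FAT32 (or zipping it with most tools)
# silently drops payload.dat, which is both how you lose it and how you get rid of it.
```

The `${carrier}:payload.dat` form (braces around the variable name) is what you need if you ever build the stream path in a PowerShell string, because `$carrier:payload.dat` is parsed as a scope qualifier, not a file name.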
-
May 9th, 2003, 02:59 AM
#2
Senior Member
So what exactly are the ways of detection?
-
May 9th, 2003, 03:01 AM
#3
As far as I know.. LADS is the only current app available for detection (mentioned in the article). It is available for download here.
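LADS and the other tools mentioned in this thread were the only practical option in 2003. As an added example, and not LADS, TDS-3 or anything from the original posts, here is the same sweep written against the stream-aware cmdlets PowerShell gained in version 3.0: walk a tree, list every named stream, skip the ones you expect, and peek at the first two bytes so a hidden PE executable (the virus.exe-behind-explorer.exe case from the first post) stands out. The ignore list and the example path are illustrative choices.

```powershell
# Added example; not code from LADS, TDS-3 or the original thread. Assumes NTFS and
# PowerShell 3.0 or later. The ignore list and the paths used below are illustrative.
function Find-AlternateDataStreams {
    param(
        [Parameter(Mandatory = $true)]
        [string] $Path,

        # Named streams that are expected on a healthy system and not worth reporting.
        # Zone.Identifier is the "mark of the web" that browsers put on downloaded files.
        [string[]] $IgnoreStream = @('Zone.Identifier')
    )

    # Windows PowerShell reads raw bytes with -Encoding Byte; PowerShell 6+ uses -AsByteStream.
    $byteMode = @{ Encoding = 'Byte' }
    if ($PSVersionTable.PSVersion.Major -ge 6) { $byteMode = @{ AsByteStream = $true } }

    Get-ChildItem -LiteralPath $Path -Recurse -File -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            # -Stream * returns one record per $DATA stream on the file;
            # ':$DATA' is the ordinary contents that dir and Explorer already show.
            Get-Item -LiteralPath $_.FullName -Stream * -ErrorAction SilentlyContinue
        } |
        Where-Object { $_.Stream -ne ':$DATA' -and $IgnoreStream -notcontains $_.Stream } |
        ForEach-Object {
            # Peek at the first two bytes: 'MZ' (0x4D 0x5A) means a PE executable is hiding in the stream.
            $head = @(Get-Content -LiteralPath $_.FileName -Stream $_.Stream -TotalCount 2 @byteMode)
            [pscustomobject]@{
                File        = $_.FileName
                Stream      = $_.Stream
                Length      = $_.Length
                LooksLikePE = ($head.Count -eq 2 -and $head[0] -eq 0x4D -and $head[1] -eq 0x5A)
            }
        }
}

# Usage: sweep a tree and float the executable-looking streams to the top.
# For a quick manual look at one directory, 'dir /R' in cmd.exe (Vista and later) lists streams too.
Find-AlternateDataStreams -Path 'C:\Users' |
    Sort-Object LooksLikePE -Descending |
    Format-Table File, Stream, Length, LooksLikePE -AutoSize
```

Because the function emits objects rather than text, it drops straight into a scheduled task or a login script and can be piped to `Export-Csv` for a baseline, then diffed against later runs, which is the scripting advantage the thread credits LADS with.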
-
May 9th, 2003, 03:03 AM
#4
Senior Member
Ahh.. that's quite intriguing. Nice source, thanks!
-
May 9th, 2003, 03:30 AM
#5
Junior Member
Originally posted here by HTRegz
As far as I know.. LADS is the only current app available for detection (mentioned in the article). It is available for download here.
I am aware of TDS-3 from DiamondCS at http://tds.diamondcs.com.au/
It checks for ADS in NTFS files as well as a superb Trojan scanner.
-
May 9th, 2003, 03:38 AM
#6
Thanks for the update adm77..
It looks like a great program.. however they do want money for it... LADS is a console-based app and is freeware. So it gives admins a bit of an advantage: they don't have to pay for it and they can easily add it to scripts.
However TDS-3 looks great and definitely has a lot of great features.. I'll have to try it out at some point.
-
May 9th, 2003, 03:44 AM
#7
Junior Member
Now I'm intrigued.... I'll be checking out LADS
Thank you HTRegz !
-
May 9th, 2003, 04:34 AM
#8
I believe SFind from Foundstone also "detects" hidden file streams http://www.foundstone.com/resources/...ic-toolkit.htm
Ammo
Credit travels up, blame travels down -- The Boss
-
May 9th, 2003, 05:14 AM
#9
To the person who left the AP "When in doubt, use AFS".. it was a grey dot.. I don't really care which it was supposed to be.. but I wanted to address that comment.
Windows machines run NTFS or FAT32, Macs use HFS (not really sure if there's another FS they can use)... I'd love to see you get the Windows OS to run on AFS... The Andrew File System is a network file system which is fine if you just want a bunch of stored files... you can view them as network drives in Win32... however if you just want to network your Mac and your PC.. then this wouldn't be an option... and if you were using NTFS for the ADS support.. then you'd leave yourself open to the ADS vulnerability.
-
May 9th, 2003, 12:45 PM
#10
You don't have to use filesharing with a mac. ADS are part of NTFS (4 and 5). So if you use NTFS (like any good sysadmin should) you are vulnerable to abuse by ADS. Even if your box is just a stand-alone machine.
What I find quite annoying about all of this is there is no way to turn this 'feature' on or off.
Oliver's Law:
Experience is something you don't get until just after you need it.