12 Dec
    Author: brian Categories: Ramblings, Security Comments: 0

    Can someone tell me a legitimate purpose for the Windows’ alternate data stream?

    Let’s start by looking at Wikipedia’s description of ADS:

    Alternate data streams allow files to be associated with more than one data stream. For example, a file such as text.txt can have an ADS with the name of text.txt:secret (of form filename:streamname) that can only be accessed by knowing the ADS name or by specialized directory browsing programs. Alternate streams are not detectable in the original file’s size… While ADS is a useful feature, it can also easily eat up hard disk space if unknown either through being forgotten or not being detected.

    Sounds like a pretty useful feature.  Virii (yes, ii) that infect .exe files are common, but all leave the telltale sign of increasing the file size of the infected executable.  Think about the beauty of a Win32 ADS virus that accomplished the following:

    Virus.exe starts by compiling a list of all .exe files in the c:\windows directory and does the following for each one it finds:

    1. Get the file size of somefile.exe.  Extract somefile.exe’s icon resource.
    2. Move somefile.exe to original.exe.bak.
    3. Copy virus.exe to somefile.exe’s old filename and location.  If our new virused somefile.exe is smaller than the original somefile.exe, append null bytes to the end of the executable to make it the same size.  Also, set the icon of our virused somefile.exe to the icon resource extracted in step 1.
    4. Next, move the original.exe.bak that we created in step 2 into somefile.exe’s alternate data stream and name it original.exe (somefile.exe:original.exe).
    5. Now, our virus code (virus.exe) that we replaced original.exe with in step 3 has the following properties when executed:
    	[ do malware stuff ]
    	[ execute <CURRENT_FILE_NAME>:original.exe ]
    	[ quit ]
    

    When I compare the list of legitimate uses for the ADS to malicious ones (how about a virus that fills up the victim’s hard drive by writing random bits to an arbitrary file’s ADS?) I don’t know how Microsoft justifies this “feature.”  Comments are welcome.

    If the above was at all confusing, or you’re new to ADS, play around with the following tutorial and then it should make sense.

    Tutorial: Copying calc.exe to notepad.exe’s alternate data stream

    1. Copy the notepad and calc applications to a test directory.  We’ll pretend calc.exe is the malware.

    Note the size of notepad.exe.

    2.  Attempt to copy the malware (calc.exe) to the alternate data stream of notepad.exe.

    Oh no, Windows has prevented us from copying our malware!  Good thing we can still use the CopyFile Win32 API function.  Let’s write a 10-second script to accomplish this.

    Save the following as test.vbs and then execute it:

    ' Copy calc.exe into the stream named calc.exe attached to notepad.exe.
    ' The third argument (TRUE) overwrites an existing stream of that name.
    Set fso = CreateObject("Scripting.FileSystemObject")
    fso.CopyFile "c:\test\calc.exe", "c:\test\notepad.exe:calc.exe", TRUE

    3.  Note the file size of notepad.exe; it should be unchanged.  Let’s attempt to launch our hidden malware by typing “run c:\test\notepad.exe:calc.exe”.
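Added here as the defender's counterpart to the virus sketch and the tutorial above; this is not code from the original post. Both rely on one property: the size that Explorer or a plain `dir` reports is the main stream only, so a host file that has swallowed a whole executable still looks unchanged. Detection therefore has to enumerate streams rather than compare sizes. The Python below parses the output of `dir /r` (a switch available from Windows Vista onward that prints each alternate stream as a `host:stream:$DATA` line under its host file; the post itself does not use it), flags every stream that is not on a short allow-list, and offers a check for whether bytes read from a flagged stream carry a PE header. The directory listing and the PE bytes are constructed samples, and `Zone.Identifier` is allow-listed because it is the mark-of-the-web stream Windows itself writes on downloaded files.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed sample of `dir /r` output for the tutorial's C:\test directory
# after the VBScript has run. Not a real capture; sizes and serial are made up.
SAMPLE_DIR_R = """\
 Volume in drive C has no label.
 Volume Serial Number is 1234-ABCD

 Directory of C:\\test

12/12/2008  10:00 AM    <DIR>          .
12/12/2008  10:00 AM    <DIR>          ..
12/12/2008  10:00 AM           114,688 calc.exe
12/12/2008  10:00 AM            69,120 notepad.exe
                               114,688 notepad.exe:calc.exe:$DATA
12/12/2008  10:05 AM             1,024 readme.txt
                                    26 readme.txt:Zone.Identifier:$DATA
               3 File(s)        184,832 bytes
               2 Dir(s)  10,000,000,000 bytes free
"""

# A normal directory entry: date, time, size or <DIR>, name.
FILE_LINE = re.compile(
    r"^(\d{2}/\d{2}/\d{4})\s+(\d{1,2}:\d{2}\s*[AP]M)\s+(<DIR>|[\d,]+)\s+(.+?)\s*$")
# An alternate-stream entry printed by `dir /r`: no date/time, then the stream
# size, then host:stream:$DATA. The unnamed main stream is never listed here.
STREAM_LINE = re.compile(r"^\s+([\d,]+)\s+(.+?):([^:\\/]+):\$DATA\s*$")

# Streams expected on a normal workstation. Zone.Identifier is the mark of the
# web that Windows writes on downloaded files. An allow-list for tuning noise,
# not proof that a stream is harmless.
BENIGN_STREAMS = {"Zone.Identifier"}


@dataclass
class Finding:
    path: str          # host file as listed by dir
    main_size: int     # size of the visible (unnamed) stream
    stream: str        # alternate stream name
    stream_size: int   # bytes hidden in that stream
    reason: str


def _size(text: str) -> int:
    return int(text.replace(",", ""))


def parse_dir_r(text: str) -> Dict[str, Tuple[int, List[Tuple[str, int]]]]:
    """Map each file to (main stream size, [(stream name, stream size), ...])."""
    entries: Dict[str, Tuple[int, List[Tuple[str, int]]]] = {}
    current = None  # host file that the following stream lines belong to
    for line in text.splitlines():
        m = FILE_LINE.match(line)
        if m:
            size, name = m.group(3), m.group(4)
            if size == "<DIR>":
                current = None
                continue
            entries[name] = (_size(size), [])
            current = name
            continue
        m = STREAM_LINE.match(line)
        if m and current is not None:
            size, host, stream = m.groups()
            if host == current:  # dir prints streams directly under their host
                entries[host][1].append((stream, _size(size)))
    return entries


def find_suspicious_streams(entries, benign=BENIGN_STREAMS) -> List[Finding]:
    """Flag alternate streams that are not on the allow-list. The host's own
    size is reported alongside to show that it gives no hint of the payload."""
    findings = []
    for name, (main_size, streams) in entries.items():
        for stream, size in streams:
            if stream in benign:
                continue
            reason = "unexpected alternate data stream"
            if name.lower().endswith(".exe") or stream.lower().endswith(".exe"):
                reason = "executable involved; possible hidden payload"
            findings.append(Finding(name, main_size, stream, size, reason))
    return findings


def scan_dir_r(text: str) -> List[Finding]:
    return find_suspicious_streams(parse_dir_r(text))


def is_pe_image(data: bytes) -> bool:
    """True if bytes read from a stream look like a Win32 PE image: a DOS 'MZ'
    header whose e_lfanew field (offset 0x3C) points at the 'PE\\0\\0' signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


if __name__ == "__main__":
    for f in scan_dir_r(SAMPLE_DIR_R):
        print(f"{f.path}:{f.stream}  {f.stream_size} bytes hidden "
              f"(visible size {f.main_size}); {f.reason}")
```

On a live host, feed `scan_dir_r` the text from `subprocess.run(["cmd", "/c", "dir", "/r", r"C:\test"], capture_output=True, text=True).stdout`, and pass the bytes of a flagged stream (Python can open the `host:stream` path directly on NTFS) to `is_pe_image` to confirm it is an executable rather than, say, a text note. PowerShell's `Get-Item -Stream *` and `Remove-Item -Stream` perform the same enumeration and the cleanup.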

