• 12Dec
    Author: admin Categories: Ramblings, Security Comments: 0

    Can someone tell me a legitimate purpose for Windows’ alternate data streams (ADS)?

    Let’s start by looking at Wikipedia’s description of ADS:

    Alternate data streams allow files to be associated with more than one data stream. For example, a file such as text.txt can have an ADS with the name of text.txt:secret (of form filename:streamname) that can only be accessed by knowing the ADS name or by specialized directory browsing programs. Alternate streams are not detectable in the original file’s size… While ADS is a useful feature, it can also easily eat up hard disk space if unknown either through being forgotten or not being detected.
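
    The size behaviour in the description above can be checked from PowerShell, which can also list the streams a normal directory listing leaves out. This is an added example, not part of the original post; the directory, file and stream names are constructed, and an NTFS volume with Windows PowerShell 3.0 or later is assumed.

    ```powershell
    # Added example: constructed file and stream names, NTFS volume assumed.
    $dir  = Join-Path $env:TEMP 'ads-demo'
    New-Item -ItemType Directory -Path $dir -Force | Out-Null
    $file = Join-Path $dir 'text.txt'

    Set-Content -Path $file -Value 'visible contents'
    $before = (Get-Item -Path $file).Length

    # Attach a named stream (text.txt:secret) holding about 4 KB of filler.
    Set-Content -Path $file -Stream 'secret' -Value ('A' * 4096)
    $after = (Get-Item -Path $file).Length

    # The reported size covers only the unnamed stream, so it does not change.
    "Size before: $before bytes, after: $after bytes"

    # Audit: list every named stream under $dir and the bytes it occupies.
    # ':$DATA' is the unnamed default stream that every file has.
    $named = Get-ChildItem -Path $dir -Recurse -File |
        ForEach-Object { Get-Item -LiteralPath $_.FullName -Stream * } |
        Where-Object { $_.Stream -ne ':$DATA' }

    $named | Select-Object FileName, Stream, Length | Format-Table -AutoSize
    $total = ($named | Measure-Object -Property Length -Sum).Sum
    "Bytes held in named streams: $total"

    # Clean up the constructed demo directory.
    Remove-Item -Path $dir -Recurse -Force
    ```

    Pointing the audit portion at a real directory instead of the demo one gives an inventory of named streams and the disk space they consume.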

    Sounds like a pretty useful feature. Virii (yes, ii) that infect .exe files are common, but all leave the telltale sign of increasing the file size of the infected executable. Think about the beauty of a Win32 ADS virus that accomplished the following:
