QUESTION: Alternate Data Streams and Windows XP
Feb 28, 2012
Posted on 02/28/2012 10:30:47 PM PST by Yosemitest
QUESTION: If I delete all Alternate Data Streams I find in Windows XP, will Windows Operating System continue to work?
The more I read about Alternate Data Streams (ADS), the more I don't trust them.
I found that there are 10 things to know about ADS:
1. There is no limit on the size of streams and there can be more than one stream linked to a normal file.
ADS are not visible in Explorer or via the command prompt. In fact, their size is also not reported by Windows!
2. Streams can be attached not only to files but also to folders and drives!
3. The content of an ADS should not be considered limited to simply text data.
Any stream of binary information can constitute a file which includes executables, Mpeg files, Jpeg files etc.
4. ADS have no attributes of their own.
The access rights assigned to the default unnamed stream are the rights that control any operation on ADSs such as creation, deletion or modification.
This means if a user cannot write to a file, that user cannot add an ADS to that file.
A user with guest privileges can also create such streams in every file where he has write access.
5. Some Browser Helper Objects (BHOs) have started storing their malicious files inside ADS and very few anti-spyware/malware tools actually detect it.
6. Windows File Protection prevents the replacement of protected system files; it does not prevent a user with the appropriate permissions from adding ADS to those system files.
The System File Checker (sfc.exe) will verify that protected system files have not been overwritten, but will not detect ADS.
7. Microsoft Windows provides no tools or utilities either within the operating system software distribution or the Resource Kits for detecting the presence of ADS.
8. The stream can only be executed if called directly by a program with the full path to the file given.
It is impossible to accidentally execute a stream.
9. None of the Internet protocols enabling file transfer such as SMTP, FTP etc. support streams.
This means that ADS can't be sent via Internet.
However, files containing ADS can be sent across a local LAN provided the target drive is in the NTFS format.
10. In certain cases, streams have been used to remotely exploit a web server.
Some web servers are susceptible to having their file source read via the ::$DATA stream.
If a server side script such as PHP or ASP is running on a web server which is not patched properly,
instead of getting output as a result of processing the script, the source code of the ASP/PHP file could be viewed by using a URL like this: http://www.abcd.com/index.asp::$DATA
This is a critical vulnerability as the server-side source code could reveal sensitive information
including how the site has been coded and how the information is flowing.
This information could be used by the attacker to launch a specific attack on the server.
So ... I ask again: If I delete all Alternate Data Streams I find in Windows XP, will the Windows operating system continue to work?
TOPICS: Computers/Internet
KEYWORDS: ads; alternate; datastream; security; windowsxp
What do you experts suggest?
I've found Ads Spy (http://www.bleepingcomputer.com/files/adsspy.php):
"A tool used to list, view or delete Alternate Data Streams (ADS) on Windows 2000/XP with NTFS file systems.
ADS is a way of storing meta-information for files without actually storing the information in the file it belongs to, carried over from early MacOS compatibility from Windows NT4.
Recently browser hijackers began using this technique to store hidden information on the system,
and even store trojan executable files in ADS streams of random files on the system.
Use with caution."
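Item 10 in the list above describes the old IIS behaviour where appending ::$DATA to a server-side script's URL returned the script's source instead of its output. The following PowerShell is an added example, not code from the thread or from any tool named in it, showing how to test a page for that behaviour. It assumes PowerShell 3.0 or later for Invoke-WebRequest, and http://www.abcd.com is the placeholder host from the post, so substitute a host you are authorised to test.

```powershell
# Added example (not from the thread): probe a URL for ::$DATA source
# disclosure. Assumptions: PowerShell 3.0+ (Invoke-WebRequest); the host
# below is the thread's placeholder, not a real target.

# Pure comparison, kept separate so it can be checked without a network:
# a hit is when the probe body differs from the normal body AND looks like
# unexecuted ASP/PHP source rather than rendered HTML.
function Test-LooksLikeSource {
    param([string]$NormalBody, [string]$ProbeBody)
    if ($ProbeBody -eq $NormalBody) { return $false }
    return [bool]($ProbeBody -match '<%|<\?php|<script\s+runat="server"')
}

function Test-DataStreamDisclosure {
    param([Parameter(Mandatory)][string]$Url)
    try {
        $normal = (Invoke-WebRequest -Uri $Url -UseBasicParsing).Content
        # Back-tick escapes the $ so the literal text ::$DATA is sent.
        $probe  = (Invoke-WebRequest -Uri "${Url}::`$DATA" -UseBasicParsing).Content
    } catch {
        # A patched server normally answers the probe with 400/404, which
        # Invoke-WebRequest raises as an error: treat that as not vulnerable.
        return $false
    }
    Test-LooksLikeSource -NormalBody $normal -ProbeBody $probe
}

# Constructed sample responses, used here only to exercise the classifier:
$rendered = '<html><body>Hello, guest</body></html>'
$leaked   = '<% Set conn = Server.CreateObject("ADODB.Connection") %><html>'
Test-LooksLikeSource -NormalBody $rendered -ProbeBody $rendered
Test-LooksLikeSource -NormalBody $rendered -ProbeBody $leaked

# Live use, only against systems you own or are authorised to test:
# Test-DataStreamDisclosure -Url 'http://www.abcd.com/index.asp'
```

The comparison is deliberately two-sided: a server that simply ignores the suffix and renders the page normally is not leaking anything, so an identical body is reported as a non-finding even though the request succeeded.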
To: All
Anyone have any thoughts?
2 posted on 02/28/2012 11:20:07 PM PST by Yosemitest (It's simple, fight or die!)
To: Yosemitest
Yes. I have thoughts, but until this thread, I never thought about alternate data streams. What are they, and why should we be concerned about them? Are they able to pass through firewalls and miss detection by virus scanners?
3 posted on 02/29/2012 12:36:57 AM PST by CitizenUSA (Why celebrate evil? Evil is easy. Good is the goal worth striving for.)
To: CitizenUSA
I guess I should have read the post more closely.
“None of the Internet protocols enabling file transfer such as SMTP, FTP etc. support streams.”
My LAN is private, ADS cannot apparently overwrite system files, and my LAN traffic to the WAN (Internet) is firewalled. So what is the threat?
4 posted on 02/29/2012 12:43:11 AM PST by CitizenUSA (Why celebrate evil? Evil is easy. Good is the goal worth striving for.)
To: CitizenUSA
I just wanted to know: if I took the Alternate Data Streams out, will Windows XP freeze up?
I guess I could try it, and if it didn't work, I could recover from my backup copy of my computer, although that's a lot of work.
Now, for you, some more information,
Hidden Threat: Alternate Data Streams, published Mar 24, 2004 and updated Jul 23, 2004, by Ray Zadjmool:
A relatively unknown compatibility feature of NTFS, Alternate Data Streams (ADS) provides hackers with a method of hiding root kits or hacker tools on a breached system
and allows them to be executed without being detected by the systems administrator.
When dealing with network security, administrators often don't truly appreciate the lengths that a sophisticated hacker would go to in order to hide his tracks.
Simple defacements and script kiddies aside, a sophisticated hacker with more focused goals looks to a perimeter system breach as an opportunity to progress further inside a network
or to establish a new anonymous base from which other targets can be attacked.
In order to achieve this task, a sophisticated hacker would need time and resources to install what is known as a root kit or hacker tools with which he can execute further attacks.
With this, comes the need to hide the tools of his trade,
and prevent detection by the systems administrator of the various hacking applications that he might be executing on the breached system.
One popular method used in Windows Systems is the use of Alternate Data Streams (ADS).
A relatively unknown compatibility feature of NTFS, ADS is the ability to fork file data into existing files
without affecting their functionality, size, or display to traditional file browsing utilities like dir or Windows Explorer.
Found in all versions of NTFS, ADS capabilities were originally conceived to allow for compatibility with the Macintosh Hierarchical File System, HFS,
where file information is sometimes forked into separate resources.
Alternate Data Streams have come to be used legitimately by a variety of programs, including the native Windows operating system,
to store file information such as attributes and temporary storage.
Amazingly enough, Alternate Data Streams are extremely easy to make and require little or no skill on the part of the hacker.
Common DOS commands like type are used to create an ADS.
These commands are used in conjunction with a redirect [>] and colon [:] to fork one file into another.
For instance: the command continue at the source ...
It really is worth your time to read the rest of that article.
5 posted on 02/29/2012 1:22:37 AM PST by Yosemitest (It's simple, fight or die!)
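The quoted article describes forking data into a file with a cmd.exe command, a redirect and a colon, and the original post lists the properties that follow (hidden from dir and Explorer, size not reported, removable only stream by stream). The PowerShell below is an added example, not code from the thread or the article, that walks through creating a stream that way, enumerating streams with their real sizes, triaging a directory tree, and removing a named stream without touching the file's visible content. It assumes PowerShell 3.0 or later, because the -Stream parameters on Get-Item, Get-Content and Remove-Item were added in 3.0 and are not available on Windows XP, an NTFS volume, and throwaway paths under %TEMP% that are chosen for the example.

```powershell
# Added example (not from the thread or the quoted article).
# Assumptions: PowerShell 3.0+ on an NTFS volume; the paths are made up.

$dir  = Join-Path $env:TEMP 'ads-demo'
New-Item -ItemType Directory -Path $dir -Force | Out-Null
$file = Join-Path $dir 'notes.txt'

# The visible content lives in the unnamed stream, which shows up as ':$DATA'.
Set-Content -Path $file -Value 'visible content'

# Same technique the article describes: a cmd.exe redirect plus a colon forks
# data into a named stream. ${file} keeps PowerShell from reading "file:" as a
# drive/scope qualifier.
cmd /c "echo hidden payload text > `"${file}:secret.txt`""
# Any binary will do; here a copy of calc.exe is forked into the text file.
cmd /c "type %SystemRoot%\System32\calc.exe > `"${file}:calc.exe`""

# 1. dir / Get-ChildItem report only the unnamed stream's size.
(Get-ChildItem $file).Length

# 2. Enumerate every stream with its real size (':$DATA', 'secret.txt', 'calc.exe').
Get-Item -Path $file -Stream * | Select-Object Stream, Length

# 3. Read a named stream back.
Get-Content -Path $file -Stream 'secret.txt'

# 4. Triage a tree: report files carrying any named stream other than
#    Zone.Identifier, which Windows itself writes to downloaded files (the
#    "mark of the web"), so it is expected on a healthy system and is not a
#    removal candidate by itself.
function Find-SuspiciousStreams {
    param([Parameter(Mandatory)][string]$Root)
    Get-ChildItem -Path $Root -Recurse -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            Get-Item -Path $_.FullName -Stream * -ErrorAction SilentlyContinue |
                Where-Object { $_.Stream -ne ':$DATA' -and $_.Stream -ne 'Zone.Identifier' }
        } |
        Select-Object FileName, Stream, Length
}
Find-SuspiciousStreams -Root $dir

# 5. Remove the named streams; the file and its visible content are unaffected.
Remove-Item -Path $file -Stream 'secret.txt'
Remove-Item -Path $file -Stream 'calc.exe'
Get-Item -Path $file -Stream *      # only ':$DATA' is left
Get-Content -Path $file             # still 'visible content'
```

The triage function answers the thread's practical worry from the detection side rather than by bulk deletion: it lists where named streams are and how large they are, and excludes the one stream name Windows is known to create itself, so each remaining hit can be judged on its own before anything is removed.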
To: CitizenUSA
I found a utility called AlternateStreamView that is supposed to
"allow you to scan your NTFS drive, and find all hidden alternate streams stored in the file system.
After scanning and finding the alternate streams, you can extract these streams into the specified folder, delete unwanted streams, or save the streams list into text/html/csv/xml file."
I haven't used it yet, but I might give it a try.
6 posted on 02/29/2012 1:49:02 AM PST by Yosemitest (It's simple, fight or die!)
To: Yosemitest
Use two computers. One for the internet that you wipe clean every so often. The second only goes online when you absolutely have to, and then only for a short time.
7 posted on 02/29/2012 1:56:42 AM PST by gunsequalfreedom (Conservative is not a label of convenience. It is a guide to your actions.)
To: Yosemitest
The problem with any utility downloaded from the Internet is simple. You don't know what it's going to do. For all you know, AlternateStreamView might very well install its own malware even if it does what it says. I use all three of the main operating systems, Windows, Linux, and MacOS. With MacOS, I generally won't use any program that asks me to enter my administrative password. Windows, on the other hand, is a real crap shoot. If I download a third party Windows application, I have zero idea what it's doing to my system installation while it does whatever else it's purportedly supposed to do.
10 posted on 02/29/2012 2:05:01 AM PST by CitizenUSA (Why celebrate evil? Evil is easy. Good is the goal worth striving for.)
To: CitizenUSA
I know that Windows is real garbage and has caused me to buy an I-Max.
But I left my new Apple at my brother's house, about 300 miles away, thinking I'd be back in a few days to finish a project with him.
Family delayed me here and I haven't had the opportunity to go back to my brother's house, help him finish his project, and continue to use my 6-month-old I-Max.
11 posted on 02/29/2012 2:12:07 AM PST by Yosemitest (It's simple, fight or die!)
To: CitizenUSA
I guess I'd have to be an experienced computer programmer in order to understand whether or not an Alternate Data Stream to a particular file was legitimate or not.
I found Iterating NTFS Streams by Stephen Toub, which shows HOW TO RETRIEVE AND EDIT an ADS, but it's over my comprehension level.
12 posted on 02/29/2012 2:24:23 AM PST by Yosemitest (It's simple, fight or die!)
To: gunsequalfreedom; CitizenUSA
Thanks for the thought.
About halfway down the article I referenced earlier is a section titled Tools to find ADS that gives 8 utilities that can help find ADS.
You might read it, and see if it's worth your time.
13 posted on 02/29/2012 2:46:53 AM PST by Yosemitest (It's simple, fight or die!)
To: Yosemitest
I don't know the answer to your question. But I do know one thing about streams.
14 posted on 02/29/2012 12:31:02 PM PST by Bloody Sam Roberts (Do all He commands. Receive all He promises.)
To: Bloody Sam Roberts
15 posted on 02/29/2012 2:00:55 PM PST by Yosemitest (It's simple, fight or die!)