COMPUTER QUESTION: How Do You Find Out What Alternate Data Streams Are Legitimate In Windows XP SP3
March 1, 2012
Posted on 03/01/2012 1:11:19 PM PST by Yosemitest
QUESTION: How Do You Find Out What Alternate Data Streams Are Legitimate In Windows XP SP3 ?
OR
If I delete all Alternate Data Streams I find in Windows XP, will Windows Operating System continue to work?
The more I read about Alternate Data Streams (ADS), the more I don't trust them.
I found that there are 10 Things to know about ADS.
1. There is no limit on the size of streams and there can be more than one stream linked to a normal file.
ADS are not visible in explorer or via command prompt. In fact, their size is also not reported by Windows!
2. Streams can be attached not only to files but also to folders and drives!
3. The content of an ADS should not be considered limited to simply text data.
Any stream of binary information can constitute a file which includes executables, Mpeg files, Jpeg files etc.
4. ADS have no attributes of their own.
The access rights assigned to the default unnamed stream are the rights that control any operation on ADSs such as creation, deletion or modification.
This means if a user cannot write to a file, that user cannot add an ADS to that file.
A user with guest privileges can also create such streams in every file where he has write access.
5. Some Browser helper Objects (BHOs) have started storing their malicious files inside ADS and very few anti-spyware/malware actually detect it.
6. Windows File Protection prevents the replacement of protected system files; it does not prevent a user with the appropriate permissions from adding ADS to those system files.
The System File Checker (sfc.exe) will verify that protected system files have not been overwritten, but will not detect ADS.
7. Microsoft Windows provides no tools or utilities either within the operating system software distribution or the Resource Kits for detecting the presence of ADS.
8. The stream can only be executed if called directly by a program with the full path to the file given.
It is impossible to accidentally execute a stream.
9. None of the Internet protocols enabling file transfer such as SMTP, FTP etc. support streams.
This means that ADS can't be sent via Internet.
However, files containing ADS can be sent across a local LAN provided the target drive is in the NTFS format.
10. In certain cases, streams have been used to remotely exploit a web server.
Some web servers are susceptible to having their file source read via the ::$DATA stream.
If a server side script such as PHP or ASP is running on a web server which is not patched properly,
instead of getting output as a result of processing the script, the source code of the ASP/PHP file could be viewed by using a URL like this: http://www.abcd.com/index.asp::$DATA
This is a critical vulnerability as the server-side source code could reveal sensitive information
including how the site has been coded and how the information is flowing.
This information could be used by the attacker to launch a specific attack on the server.
Now, for you, some more information: Hidden Threat: Alternate Data Streams, published Mar 24, 2004 and updated Jul 23, 2004, by Ray Zadjmool.
A relatively unknown compatibility feature of NTFS, Alternate Data Streams (ADS) provides hackers with a method of hiding root kits or hacker tools on a breached system
and allows them to be executed without being detected by the systems administrator.
When dealing with network security, administrators oftentimes don't truly appreciate the lengths that a sophisticated hacker would go through to hide his tracks.
Simple defacements and script kiddies aside, a sophisticated hacker with more focused goals looks to a perimeter system breach as an opportunity to progress further inside a network
or to establish a new anonymous base from which other targets can be attacked.
In order to achieve this task, a sophisticated hacker would need time and resources to install what is known as a root kit or hacker tools with which he can execute further attacks.
With this, comes the need to hide the tools of his trade,
and prevent detection by the systems administrator of the various hacking applications that he might be executing on the breached system.
One popular method used in Windows Systems is the use of Alternate Data Streams (ADS).
A relatively unknown compatibility feature of NTFS, ADS is the ability to fork file data into existing files
without affecting their functionality, size, or display to traditional file browsing utilities like dir or Windows Explorer.
Found in all versions of NTFS, ADS capabilities were originally conceived to allow for compatibility with the Macintosh Hierarchical File System, HFS;
where file information is sometimes forked into separate resources.
Alternate Data Streams have come to be used legitimately by a variety of programs, including the native Windows operating system,
to store file information such as attributes and temporary storage.
Amazingly enough, Alternate Data Streams are extremely easy to make and require little or no skill on the part of the hacker.
Common DOS commands like type are used to create an ADS.
These commands are used in conjunction with a redirect [>] and colon [:] to fork one file into another.
For instance: the command continue at the source ...
It really is worth your time to read the rest of that article.
I guess I'd have to be an experienced computer programmer in order to understand whether or not an Alternate Data Stream to a particular file was legitimate or not.
I found Iterating NTFS Streams by Stephen Toub that shows HOW TO RETRIEVE AND EDIT an ADS, but it's over my comprehension level.
So ... I ask again:
How Do You Find Out What Alternate Data Streams Are Legitimate In Windows XP SP3 ?
TOPICS: Computers/Internet
KEYWORDS: ads; mbrrootkit; security; streams
What do you experts suggest?
I've found Ads Spy (http://www.bleepingcomputer.com/files/adsspy.php):
"A tool used to list, view or delete Alternate Data Streams (ADS) on Windows 2000/XP with NTFS file systems.
ADS is a way of storing meta-information for files without actually storing the information in the file it belongs to, carried over from early MacOS compatibility from Windows NT4.
Recently browser hijackers began using this technique to store hidden information on the system,
and even store trojan executable files in ADS streams of random files on the system.
Use with caution."
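The question the thread keeps circling back to is how to tell an expected stream from an unexpected one. The following is an added example, not code from the thread or from any of the tools it names. It assumes the stream-listing line format of `dir /R` on Windows Vista and later (`<size> <file>:<stream>:$DATA`); Windows XP has no `dir /R`, so there a third-party lister such as the Ads Spy tool above would supply the same information and only the parsing step would change. The allowlist of benign stream names, the sample listing and the sample stream contents are all constructed for the demonstration; the allowlist is illustrative and should be extended from what you observe on a known-clean machine.

```python
"""Triage NTFS alternate data streams from a 'dir /R' listing (added example)."""
import re
from typing import Dict, List, Tuple

# Stream names that Windows and common applications create themselves.
# Assumption: illustrative allowlist, not exhaustive. The \x05 prefix is a
# literal control character used by Explorer's property-set streams.
KNOWN_BENIGN = {
    "Zone.Identifier",                # Attachment Manager "mark of the web"
    "\x05SummaryInformation",         # Explorer file properties
    "\x05DocumentSummaryInformation",
    "encryptable",                    # marker stream on Thumbs.db
    "favicon",                        # Internet Explorer .url shortcuts
}

# Assumed 'dir /R' stream line: right-aligned size, then file:stream:$DATA.
STREAM_LINE = re.compile(r"^\s*(\d[\d,]*)\s+(.+?):([^:]+):\$DATA\s*$")


def parse_dir_r(listing: str) -> List[Dict]:
    """Return one record per named stream found in a 'dir /R' listing."""
    records = []
    for line in listing.splitlines():
        m = STREAM_LINE.match(line)
        if m:
            records.append({
                "file": m.group(2),
                "stream": m.group(3),
                "size": int(m.group(1).replace(",", "")),
            })
    return records


def triage(rec: Dict, head: bytes = b"") -> Tuple[str, str]:
    """Classify one stream as expected / review / suspicious.

    'head' is the first bytes of the stream's content; on the host you would
    read it with open(r'C:\\path\\file:stream', 'rb'). Here it is supplied by
    the caller so the logic runs offline on constructed data.
    """
    name, size = rec["stream"], rec["size"]
    if head[:2] == b"MZ":
        # A PE image inside a stream is the hiding technique the thread describes.
        return ("suspicious", "executable image stored in a stream")
    if name == "Zone.Identifier":
        if head.startswith(b"[ZoneTransfer]") and size < 4096:
            return ("expected", "mark-of-the-web written by Attachment Manager")
        return ("suspicious", "Zone.Identifier with unexpected content or size")
    if name in KNOWN_BENIGN:
        return ("expected", "known application stream name")
    if size >= 64 * 1024:
        return ("suspicious", "large stream with an unknown name")
    return ("review", "unknown stream name; inspect content")


def triage_listing(listing: str, heads: Dict[str, bytes]) -> Dict[str, Tuple[str, str]]:
    """Run triage over every stream in a listing; heads keyed by 'file:stream'."""
    results = {}
    for rec in parse_dir_r(listing):
        key = f"{rec['file']}:{rec['stream']}"
        results[key] = triage(rec, heads.get(key, b""))
    return results


# Constructed sample listing in 'dir /R' layout (not captured from a real host).
SAMPLE_LISTING = """\
 Volume in drive C has no label.
 Directory of C:\\Downloads

03/01/2012  01:11 PM    <DIR>          .
03/01/2012  01:11 PM            12,288 report.doc
                                    26 report.doc:Zone.Identifier:$DATA
03/01/2012  01:11 PM               421 notes.txt
                               204,800 notes.txt:cache:$DATA
03/01/2012  01:11 PM                 0 Thumbs.db
                                     0 Thumbs.db:encryptable:$DATA
               3 File(s)         12,709 bytes
"""

# Constructed first bytes of each stream. 26 bytes is the usual size of a
# ZoneId=3 mark-of-the-web; the 'MZ' bytes are the DOS/PE header magic.
SAMPLE_HEADS = {
    "report.doc:Zone.Identifier": b"[ZoneTransfer]\r\nZoneId=3\r\n",
    "notes.txt:cache": b"MZ\x90\x00\x03\x00\x00\x00",
    "Thumbs.db:encryptable": b"",
}

if __name__ == "__main__":
    for key, (verdict, reason) in triage_listing(SAMPLE_LISTING, SAMPLE_HEADS).items():
        print(f"{verdict:10s} {key}: {reason}")
```

The parse step is the only Windows-version-specific part; the triage rules (known names with matching content are expected, an executable header in any stream is not, anything else gets a human look) are what a reviewer would apply regardless of which lister produced the inventory.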
To: Yosemitest
By and large you don’t. If your file is legit and non-hacked it won’t be using any bad ADS, if it isn’t you’re already screwed.
2 posted on 03/01/2012 1:17:25 PM PST by discostu (I did it 35 minutes ago)
To: discostu
Okay. Let me reverse the question.
How do you find out if an ADS is bad?
3 posted on 03/01/2012 1:45:07 PM PST by Yosemitest (It's simple, fight or die!)
To: Yosemitest
Probably the file or the traffic it’s generating will ping on good (not Norton) anti-virus software.
4 posted on 03/01/2012 1:50:50 PM PST by discostu (I did it 35 minutes ago)
To: Yosemitest
Nothing in ADS streams is critical to the functioning of Windows. It may be critical to some programs.
On the whole, however, it’s a worry about something that doesn’t affect you. I think the last ‘in the wild’ ADS bug was 2004? Somewhere around there. Too hard for the script kiddies to use, and required adaptive programming as what might work on one version wouldn’t work on another.
5 posted on 03/01/2012 2:11:37 PM PST by kingu (Everything starts with slashing the size and scope of the federal government.)
To: kingu
Sounds hopeful.
But a determined liberal wanting to take down and silence someone might use ADS to infect a poster through e-mail.
What would you do? Would Comodo Complete be secure enough?
6 posted on 03/01/2012 2:47:58 PM PST by Yosemitest (It's simple, fight or die!)
To: Yosemitest
Only if your tinfoil hat is secure.
Don't give out your email randomly and don't open spam from people you don't know. Beyond that... take your paranoia meds. There are dozens of ways someone with a lot of skills may hack your PC. But don't get too full of yourself. Hacking one single poster because you don't like a post is like punching a single raindrop because the rain is hitting you in the head. No one would do it because it is a waste of time. You are more likely to get hit by a drunk driver. Relax.
7 posted on 03/01/2012 2:55:36 PM PST by TalonDJ
To: TalonDJ
I'll think about relaxing.
But look at the problems FR has had staying up and online lately.
From what I've read, a lot of damage can be done thru ADS.
8 posted on 03/01/2012 3:00:19 PM PST by Yosemitest (It's simple, fight or die!)
To: Yosemitest
The long and short of it is: Yes, it CAN happen. It is also the least likely exploit system to work, as there’s seven different flavors of ADS. You have only the same permissions as the enacting function; not like a payload program that is in the startup sequence. It is the least functional place to do it as well, as other exploits allow you access to all of the filesystem.
Does this make it useful for a hacker to exploit? Maybe - to target a specific machine in a specific location with a specific attack, knowing the flavor of OS and everything else, it MIGHT be a useful vector, but it would also be the LEAST useful vector. At some point you’re going to be transferring from your payload program to the ADS datablock, and that’s where the virus scanner will pick up the code.
Honestly, rather than mess with this stuff, I’d certainly put Linux on a USB dongle, boot up the computer in Linux, and then e-mail any and all critical files to an email account, and then reformat and use a more secure OS.
9 posted on 03/01/2012 4:05:56 PM PST by kingu (Everything starts with slashing the size and scope of the federal government.)
To: Yosemitest
"I'll think about relaxing. But look at the problems FR has had staying up and online lately. From what I've read, a lot of damage can be done thru ADS."
This is post 2,843,204 - the vast majority of the entire history of FreeRepublic is in the same database. Databases on that scale under this load are, well, taxing to any system, and it is the weight that holds down the system on the present hardware. (I'm not a fan of solving problems through bigger hardware, but it works here.)
As for an e-mail vector to attack FreeRepublic, I'd doubt there is any chance of that happening. The server is in a data center, no one is at the terminal accessing e-mail, and even if they did, it is not a Windows type environment where a number of exploits would be possible (including ADS.)
10 posted on 03/01/2012 4:09:00 PM PST by kingu (Everything starts with slashing the size and scope of the federal government.)