Common DOS commands such as "type" and "echo" can be used to create an ADS. They are combined with the redirect operator [>] and a colon [:] to fork one file into another.
Example:
type c:\anyfile.exe > c:\winnt\system32\calc.exe:anyfile.exe
(or)
echo "ads stream" > calc.exe:mystream
The first command forks the common Windows calculator program with an ADS named "anyfile.exe"; the second attaches a short text stream named "mystream" to it.
Alarmingly, files with an ADS are almost impossible to detect using native file browsing tools such as the command line or Windows Explorer. In our example, the file size of calc.exe will still show as the original 90k regardless of the size of the ADS anyfile.exe. The only indication that the file was changed is the modification time stamp, which can look relatively innocuous.
Once injected, the ADS can be executed with traditional commands such as type, more or start, or be scripted from typical scripting languages such as VB or Perl. When launched, the ADS executable appears to run as the original file, so it is indistinguishable from it in process viewers such as Windows Task Manager. Using this method it is possible not only to hide a file but also to hide the execution of an illegitimate process.
Unfortunately, it is virtually impossible to natively protect a system against ADS-hidden files if it uses NTFS. Alternate Data Streams are not a feature that can be disabled, and currently there is no way to limit this capability on files that the user already has access to.
Creating an Alternate Data Stream:
C:\>echo Hidden text > test.txt:hidden
The file appears to be empty, though, as detailed below, the metadata is intact and associated with the file:
C:\test>dir test.txt
06/01/2011 01:33 PM 0 test.txt
Viewing an Alternate Data Stream:
The metadata can be viewed by redirecting from it to more:
C:\test>more < test.txt:hidden
Hidden text
The name and content of the ADS can be anything:
C:\test>echo Arbitrary string > test.txt:arbitraryName
C:\test>more < test.txt:arbitraryName
Arbitrary string
Listing Files With Alternate Data Streams:
On Windows Vista and later, a list of alternate data streams can be obtained using 'DIR /R':
C:\test>dir test.txt /R
06/01/2011 01:33 PM 0 test.txt
38 test.txt:arbitraryName:$DATA
28 test.txt:hidden:$DATA
On earlier operating systems, the SysInternals utility Streams can be used:
C:\test>c:\tools\SysInternals\streams.exe test.txt
Streams v1.56 - Enumerate alternate NTFS data streams
Copyright (C) 1999-2007 Mark Russinovich
Sysinternals - www.sysinternals.com
C:\test\test.txt:
:arbitraryName:$DATA 38
:hidden:$DATA 28
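A defender-side triage check that builds on the 'DIR /R' listing above, added here as an example and not part of the original page: a Python parser for 'dir /R' output that reports every named $DATA stream per file and filters out the Zone.Identifier stream that downloads normally carry. The embedded listing is constructed (including the 'Directory of' header line that real dir output prints); on a host you would run 'dir /R /S > streams.txt' and feed that file to parse_dir_r in the same way.

```python
import re

# Constructed sample in the format of 'dir /R' (with the 'Directory of' header
# that real output prints): the page's test.txt streams, the forked calc.exe
# from the example above, and a download carrying a Zone.Identifier stream.
SAMPLE_DIR_R = """\
 Directory of C:\\test

06/01/2011  01:33 PM                 0 test.txt
                                    38 test.txt:arbitraryName:$DATA
                                    28 test.txt:hidden:$DATA
06/01/2011  01:40 PM             90112 calc.exe
                                 90112 calc.exe:anyfile.exe:$DATA
06/02/2011  09:00 AM              1024 setup.exe
                                    26 setup.exe:Zone.Identifier:$DATA
"""

DIR_LINE = re.compile(r"^\s*Directory of (.+?)\s*$")
# size, file name, stream name; named $DATA streams are the ones dir /R adds
STREAM_LINE = re.compile(r"^\s*([\d,]+)\s+(.+?):([^:]+):\$DATA\s*$")
# Zone.Identifier (mark-of-the-web on downloads) is treated as expected here
EXPECTED_STREAMS = {"zone.identifier"}

def parse_dir_r(text):
    """Map each file path to its named streams as (stream, size_bytes)."""
    found = {}
    folder = ""
    for line in text.splitlines():
        m = DIR_LINE.match(line)
        if m:
            folder = m.group(1).rstrip("\\")
            continue
        m = STREAM_LINE.match(line)
        if not m:
            continue
        size, name, stream = m.groups()
        path = f"{folder}\\{name}" if folder else name
        found.setdefault(path, []).append((stream, int(size.replace(",", ""))))
    return found

def suspicious_streams(text):
    """Keep only files carrying streams outside EXPECTED_STREAMS."""
    result = {}
    for path, streams in parse_dir_r(text).items():
        odd = [s for s in streams if s[0].lower() not in EXPECTED_STREAMS]
        if odd:
            result[path] = odd
    return result
```

Stream sizes are reported alongside the names, so a stream as large as the host file (as with calc.exe:anyfile.exe here) stands out even though the file's own size column is unchanged.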