Sometimes during automated malware analysis in a sandbox (i.e. Cuckoo), we can get in the report the following information: “creating alternate data streams”. It is related with an interesting feature of NTFS file system, that can be used for hidden channels of storing and exchanging information.
ADS are from an era when we had resource forks in HFS (Macintosh Hierarchical File System) and the idea was that files would “carry” everything with them, possibly even the application needed to open them, or the fonts needed to view them in many ways this was a beautiful design and idea which sadly never came to fruition. For example a text file could have carried its translations in ADS, a Braille version, RTF and TXT, etc. but also its images in various resolutions depending on screen DPI. All without cluttering the “main view” or those gigantic Word files. – via @cynicalsecurity
In FAT file system – used by old versions of windows – file consisted of 2 elements: attributes and data.
In NTFS it i different – file consists of attributes, security settings, main stream and alternate streams. By default, only the main stream is visible.
Let’s see how it works by creating a sample file: test.txt. At this moment it’s main stream will be empty. However, we will create an alternte data stream. We can write into it using echo command and simple stream redirection.
optionally we can use ::$DATA at the end, i.e:
Let’s list the directory and see the newly created file (test.txt)
As we can notice, the file length is displayed as 0 bytes. If we try to open this file by some text editor (i.e notepad) we can see that it is empty. Does it really have something inside? Let’s confirm:
Now, finally, our text showed up.
So, how we will find out what are the alternate data streams available in particular files? There are several tools dedicated to reading and editing ADS, but if we don’t want to bother about it, we can just use a command dir, with an appropriate parameter:
Now we can see the same file, test.txt, listed twice: once with a size 0, and then again – with the size 35, with the ADS name added.
We can edit the file in a normal way, and the alternative stream will stay untouched. By the same way we can create several streams.
File in file using ADS
We can also hide another file on the alternate data stream. On the below example – we create a new txt file on another. We can then edit it with typical tools:
Yet, opening the file by default way, we can only see it’s main stream:
We can also paste an existing file on an alternate data stream, by using a command type
Let’s take as an example a demo.dll – it is a 32bit Portable Executable, exporting one function: Test1. We will place it in the alternate stream of test.txt
Maybe the alternate stream it is hard to notice – but running it is still very easy:
Exactly the same can be done with (malicious) macros:
type malware.vbs > readme.txt:malware.vbs Wscript readme.txt:malware.vbs
One of the legitimate usages of alternate data streams is Zone.Identifier. It is a feature used to identify the file origin. In case if the file comes from some untrusted source, i.e. have been downloaded from the internet, Windows displays a security warning before it can be run.
There are several variants of Zone.Identifier value:
0 My Computer
1 Local Intranet Zone
2 Trusted sites Zone
3 Internet Zone
4 Restricted Sites Zone
Sample content of Zone.Identifier of the file downloaded from the internet:
Malware downloaders may edit Zone.Identifier of the downloaded file, in order to make it run without displaying alert.
ADS and PowerShell
PowerShell comes with a built-in feature to read ADS. There are several commands that can be used to read and edit them:
Listing all the streams of a file:
Get-Item -Path [filename] -Stream *
Adding hidden message into ADS:
Add-Content -Path [filename] -Value [my hidden message] -Stream [new_stream]
Creating ADS from commandline:
echo This is a hidden message > testfile.txt:hidden_stream
Displaying files with their alternative data streams:
Displaying stream of a file:
more < testfile.txt:hidden_stream::$DATA
- https://technet.microsoft.com/en-us/sysinternals/streams.aspx – Streams – tools from SysInternals to view ADS
- https://msdn.microsoft.com/en-us/library/ms537021%28v=VS.85%29.aspx – URL security zones
- https://winitor.com/pdf/NtfsAlternateDataStreams.pdf – presentation about Windows Alternate Data Streams