Introduction to ADS – Alternate Data Streams

Sometimes during automated malware analysis in a sandbox (e.g. Cuckoo), the report contains the note "creating alternate data streams". This relates to an interesting feature of the NTFS file system that can be used as a hidden channel for storing and exchanging information.

Historical context

ADS are from an era when we had resource forks in HFS (Macintosh Hierarchical File System), and the idea was that files would "carry" everything with them, possibly even the application needed to open them, or the fonts needed to view them. In many ways this was a beautiful design and idea which sadly never came to fruition. For example, a text file could have carried its translations in ADS, a Braille version, RTF and TXT, etc., but also its images in various resolutions depending on screen DPI. All without cluttering the "main view" or those gigantic Word files. – via @cynicalsecurity

Introduction

In the FAT file system, used by old versions of Windows, a file consisted of two elements: attributes and data.

In NTFS it is different: a file consists of attributes, security settings, a main stream and alternate streams. By default, only the main stream is visible.

Let's see how it works by creating a sample file: test.txt. At this moment its main stream will be empty. However, we will create an alternate data stream. We can write into it using the echo command and simple stream redirection.
Naming convention:
[filename.extension]:[alternate_stream_name]

Optionally we can append ::$DATA at the end, i.e.:
[filename.extension]:[alternate_stream_name]::$DATA

echo This message is saved in the ADS > test.txt:hidden_stream

Let's list the directory and see the newly created file (test.txt):

dir

As we can notice, the file length is displayed as 0 bytes. If we open this file in a text editor (e.g. Notepad) we can see that it is empty. Does it really have something inside? Let's confirm:

more < test.txt:hidden_stream

Now, finally, our text showed up.

So, how do we find out which alternate data streams are present in a particular file? There are several tools dedicated to reading and editing ADS, but if we don't want to bother with them, we can just use the dir command with an appropriate parameter:

dir /R – display alternate data streams of the file

[screenshot: output of dir /R on the directory containing test.txt]

Now we can see the same file, test.txt, listed twice: once with size 0, and then again with size 35, with the ADS name appended.

We can edit the file in the normal way, and the alternate stream will stay untouched. In the same way we can create several streams.

[screenshot: dir /R listing test.txt with two alternate data streams]

File in file using ADS

Example 1

We can also hide another file in an alternate data stream. In the example below we create a new txt file inside another one. We can then edit it with the usual tools:

[screenshots: a text file created in an alternate stream and edited in Notepad]

Yet, opening the file in the default way, we can only see its main stream:

Example 2

We can also copy an existing file into an alternate data stream, using the type command.

Let's take as an example demo.dll: it is a 32-bit Portable Executable exporting one function, Test1. We will place it in an alternate stream of test.txt:

type demo.dll > test.txt:demo

The alternate stream may be hard to notice, but running it is still very easy:

rundll32 test.txt:demo,Test1

Example 3

Exactly the same can be done with (malicious) scripts:

type malware.vbs > readme.txt:malware.vbs
wscript readme.txt:malware.vbs

Zone.Identifier

One of the legitimate usages of alternate data streams is Zone.Identifier. It is a feature used to record the origin of a file. If the file comes from an untrusted source, e.g. has been downloaded from the internet, Windows displays a security warning before it can be run.

There are several possible values of ZoneId in Zone.Identifier:

0 My Computer
1 Local Intranet Zone
2 Trusted sites Zone
3 Internet Zone
4 Restricted Sites Zone

The stream is addressed as usual, e.g. file.exe:Zone.Identifier

Sample content of Zone.Identifier of the file downloaded from the internet:

[ZoneTransfer]
ZoneId=3

Malware downloaders may edit or remove the Zone.Identifier of a downloaded file in order to make it run without displaying the alert.
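Reading and decoding the Zone.Identifier stream with PowerShell, as an added example (not code from the original post). It assumes Windows, NTFS and PowerShell 3.0 or newer (for the -Stream parameter); the Downloads path in the usage line is a placeholder, and the function reports a missing stream instead of failing on it.

```powershell
# Added example: decode the Zone.Identifier ADS of a file into a zone name.
# Assumes Windows/NTFS and PowerShell 3.0+ (Get-Content -Stream).
function Get-ZoneInfo {
    param([Parameter(Mandatory)][string]$Path)

    # ZoneId values as listed in the post
    $zoneNames = @{
        0 = 'My Computer'
        1 = 'Local Intranet Zone'
        2 = 'Trusted sites Zone'
        3 = 'Internet Zone'
        4 = 'Restricted Sites Zone'
    }

    # A file that was never downloaded has no Zone.Identifier stream at all;
    # suppress the error and report that explicitly rather than as ZoneId 0.
    $lines = Get-Content -LiteralPath $Path -Stream 'Zone.Identifier' -ErrorAction SilentlyContinue
    if (-not $lines) {
        return [pscustomobject]@{ Path = $Path; ZoneId = $null; Zone = 'no Zone.Identifier stream' }
    }

    # The stream is INI-formatted: a [ZoneTransfer] section with ZoneId=<n>
    $zoneId = $null
    foreach ($line in $lines) {
        if ($line -match '^\s*ZoneId\s*=\s*(\d+)\s*$') { $zoneId = [int]$Matches[1] }
    }
    $name = if ($null -ne $zoneId -and $zoneNames.ContainsKey($zoneId)) { $zoneNames[$zoneId] } else { 'unknown' }
    [pscustomobject]@{ Path = $Path; ZoneId = $zoneId; Zone = $name }
}

# Usage (placeholder path): list downloaded files still carrying the mark of the web (ZoneId 3 or 4)
Get-ChildItem -LiteralPath "$env:USERPROFILE\Downloads" -File |
    ForEach-Object { Get-ZoneInfo -Path $_.FullName } |
    Where-Object { $_.ZoneId -ge 3 } |
    Format-Table -AutoSize
```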

ADS and PowerShell

PowerShell has built-in support for ADS. Several cmdlets accept a -Stream parameter and can be used to read and edit them:

  • Get-Item
  • Set-Item
  • Remove-Item
  • Add-Content
  • Get-Content
  • Set-Content

Examples

Listing all the streams of a file:

Get-Item -Path [filename] -Stream *

Adding a hidden message to an ADS:

Add-Content -Path [filename] -Value [my hidden message] -Stream [new_stream]
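Building on the cmdlets above, an added example (not from the original post) that audits a directory tree for streams other than the main :$DATA stream and Zone.Identifier, and flags any whose first bytes are the MZ header of an executable, the case from Example 2 where a DLL is stored in an ADS. It assumes Windows PowerShell 5.1 (Get-Content -Encoding Byte); the scan root is a placeholder.

```powershell
# Added example: find unexpected alternate data streams under a directory and
# flag those that start with 'MZ' (PE header). Assumes Windows PowerShell 5.1.
function Find-SuspiciousStreams {
    param([Parameter(Mandatory)][string]$Root)

    # Streams every NTFS file may legitimately carry; anything else deserves a look
    $expected = @(':$DATA', 'Zone.Identifier')

    Get-ChildItem -LiteralPath $Root -File -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file = $_
            # Get-Item -Stream * lists every stream of the file, including the main one
            Get-Item -LiteralPath $file.FullName -Stream * -ErrorAction SilentlyContinue |
                Where-Object { $expected -notcontains $_.Stream } |
                ForEach-Object {
                    # Read only the first two bytes of the stream to detect an embedded PE
                    $head = Get-Content -LiteralPath $file.FullName -Stream $_.Stream `
                        -Encoding Byte -TotalCount 2 -ErrorAction SilentlyContinue
                    $isPE = ($head.Count -eq 2 -and $head[0] -eq 0x4D -and $head[1] -eq 0x5A)
                    [pscustomobject]@{
                        File        = $file.FullName
                        Stream      = $_.Stream
                        Bytes       = $_.Length
                        LooksLikePE = $isPE
                    }
                }
        }
}

# Usage (placeholder root): report findings, executables first
Find-SuspiciousStreams -Root 'C:\Users\Public' |
    Sort-Object LooksLikePE -Descending |
    Format-Table -AutoSize
```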

Cheatsheet

Creating an ADS from the command line:

echo This is a hidden message > testfile.txt:hidden_stream

Displaying files together with their alternate data streams:

dir /r

Displaying a stream of a file:

more < testfile.txt:hidden_stream::$DATA

About hasherezade

Programmer and researcher, interested in InfoSec.