Alternate Data Streams

(AKA: ADS)

Until the potential for exploitation became known, Alternate Data Streams (ADS) were a fairly obscure feature of NTFS (New Technology File System). Alternate Data Streams enable data to be stored in hidden files that can be attached to otherwise normal, visible files. Multiple Alternate Data Streams can be attached to one file; there is no limit to file size.

This feature presents a security risk because:

  • Alternate Data Streams provide hackers with a means by which to hide rootkits, Trojans and other malware in the file system.
  • Alternate Data Streams are easy to use, even by relatively unskilled hackers, but extremely difficult to detect.
  • Alternate Data Streams in and of themselves cannot be deleted. The user must delete the parent file to which they are attached.
  • Alternate Data Streams can be executed without being detected by the systems administrator. When instantiated, Alternate Data Stream executables will appear to run as the original file.
  • Alternate Data Streams can fork file data into existing files without Windows file-browsing functions such as command line prompts or Windows Explorer determining their presence or their disk space usage.

Not all Alternate Data Streams are malicious. They are used legitimately by a variety of programs to store metadata, file information such as attributes, and for temporary storage.
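
For defenders, the following added example (not part of the original glossary entry) is a PowerShell audit that walks a directory tree, lists every named stream, and shows the stream size next to the file size that ordinary listings report. `Find-NamedStream` and the `$KnownBenign` allow-list are hypothetical names chosen for illustration; `Zone.Identifier` is the metadata stream Windows attaches to downloaded files, and the sample file is constructed.

```powershell
# Added example, not from the original page. Requires Windows, NTFS, PowerShell 3.0+.
# $KnownBenign is an assumed allow-list; extend it for the software in your environment.
$KnownBenign = @('Zone.Identifier')   # written by Windows on downloaded files

function Find-NamedStream {
    param(
        [Parameter(Mandatory)] [string]   $Root,
        [string[]] $Allow = $KnownBenign
    )
    Get-ChildItem -LiteralPath $Root -Recurse -File -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file = $_
            # -Stream * returns every stream; ':$DATA' is the normal, visible content.
            Get-Item -LiteralPath $file.FullName -Stream * -ErrorAction SilentlyContinue |
                Where-Object { $_.Stream -ne ':$DATA' } |
                ForEach-Object {
                    [pscustomobject]@{
                        File        = $file.FullName
                        Stream      = $_.Stream
                        StreamBytes = $_.Length
                        FileBytes   = $file.Length   # the size directory listings show
                        Review      = $Allow -notcontains $_.Stream
                    }
                }
        }
}

# Constructed sample: a small visible file carrying two named streams.
$dir = Join-Path $env:TEMP ("ads-demo-" + [guid]::NewGuid())
New-Item -ItemType Directory -Path $dir | Out-Null
$sample = Join-Path $dir 'notes.txt'
Set-Content -Path $sample -Value 'hello'
Set-Content -Path $sample -Stream 'extra' -Value ('x' * 4096)
Set-Content -Path $sample -Stream 'Zone.Identifier' -Value "[ZoneTransfer]`r`nZoneId=3"

# 'extra' is reported with Review = True; 'Zone.Identifier' is on the allow-list.
Find-NamedStream -Root $dir | Format-Table -AutoSize

# Clean up the constructed sample by deleting the parent file and its directory.
Remove-Item -LiteralPath $dir -Recurse -Force
```

Run it against user-writable locations such as profile and temp directories, and treat rows with `Review` set as candidates for inspection rather than as confirmed malware.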



© Copyright IS3, Inc. 2002-2009. All rights reserved.


Home | Spyware Removal | Virus Protection | Spam Blocking | Firewalls | Registry Cleaners | Glossary | Targets | Contact Us | Site Map
 
Sitio ESPAÑOL | Site Web FRANÇAIS | InternetSecurityZone.com BLOG | Search the Web