home >> userland >> Exploring Alternate Data Streams

What is an Alternate Data Stream (ADS)?

TOP

Alternate Data Stream (ADS) is the lesser known feature of Windows NTFS file system which provides the ability to put data into existing files and folders without affecting their functionality and size. Any such stream associated with file/folder is not visible when viewed through conventional utilities such as Windows Explorer or DIR command or any other file browser tools. It is used legitimately by Windows and other applications to store additional information (for example summary information) for the file. Even 'Internet Explorer' adds the stream named 'Zone.Identifier' to every file downloaded from the internet.

Due to this hidden nature of ADS, hackers have been exploiting this method to secretly store their Rootkit components on the compromised system without being detected. For example, the infamous Rootkit named 'Mailbot.AZ' aka 'Backdoor.Rustock.A' used to hide its driver file into system32 folder (C:\Windows\system32) as a stream '18467'.

Playing with ADS

TOP

It is easy to create alternate data streams for the file or folder. Here are the simple commands (use the cmd prompt to launch these commands)

Create simple text stream,
type c:\test.txt > c:\windows\system32\calc.exe:test.txt

View it using the notepad
c:\notepad.exe c:\windows\system32\calc.exe:test.txt

Hiding the rootkit.exe as stream within the windows calculator,
type c:\rootkit.exe > c:\windows\system32\calc.exe:rootkit.exe'

Here is the screenshot showing the above steps in execution....


*To zoom in - click the image*

Note that there is no change in the size of calc.exe even after adding the stream file to it.


Program to Enumerate Streams

TOP

Here is the short demo program which enumerates all the streams within the given file or folder.

void EnumStreams(char *strFilePath)
{
PVOID streamContext = 0;
DWORD dwReadBytes, seek_high;
WIN32_STREAM_ID streamHeader;
WCHAR strStreamName[MAX_PATH];
char strBuffer[1024];


HANDLE hFile = CreateFileA( strFilePath,
GENERIC_READ,
FILE_SHARE_READ,
NULL,
OPEN_EXISTING,
FILE_FLAG_BACKUP_SEMANTICS,
NULL );

if( hFile == INVALID_HANDLE_VALUE )
{
printf("%s : Failed to open the file %s,
Error=0x%.8x", __FUNCTION__, strFilePath, GetLastError());

return;
}

while(1)
{
//check if we have reached the end of file....
if ( FALSE == BackupRead(hFile,
(LPBYTE)&streamHeader,
(LPBYTE)&streamHeader.cStreamName-(LPBYTE)&streamHeader,
&dwReadBytes,
FALSE,
FALSE,
&streamContext) )
{
break;
}

//check if we have read the stream header properly...
if( (long)dwReadBytes != (LPBYTE)&streamHeader.cStreamName-(LPBYTE)&streamHeader )
break;

//we are interested only in alternate data streams....
if(streamHeader.dwStreamId == BACKUP_ALTERNATE_DATA)
{
if (streamHeader.dwStreamNameSize != 0 )
{
if( BackupRead(hFile,
(LPBYTE)strStreamName,
streamHeader.dwStreamNameSize,
&dwReadBytes,
FALSE,
FALSE,
&streamContext) )
{
strStreamName[streamHeader.dwStreamNameSize/2]=L'\0';

//Reformat the stream file name ... :stream.txt:$DATA
sprintf_s(strBuffer, 1024, "%S", &strStreamName[1]);
char *ptr = strchr(strBuffer, ':');
if( ptr != NULL )
*ptr = '\0';

printf("\n Found Stream - %s", strBuffer);

}
}
}

// jump to the next stream header
if (BackupSeek(hFile, ~0, ~0, &dwReadBytes, &seek_high, &streamContext) == FALSE)
{
//for any errors other than seek break out of loop
if (GetLastError() != ERROR_SEEK)
{
// terminate BackupRead() loop
BackupRead(hFile, 0, 0, &dwReadBytes, TRUE, FALSE, &streamContext);
break;
}

streamHeader.Size.QuadPart -= dwReadBytes;
streamHeader.Size.HighPart -= seek_high;

BYTE buffer[4096];

while(streamHeader.Size.QuadPart > 0)
{
if (dwReadBytes!=sizeof(buffer) || !BackupRead(hFile,
buffer,
sizeof(buffer),
&dwReadBytes,
FALSE,
FALSE,
&streamContext) )
{
break;
}
streamHeader.Size.QuadPart -= dwReadBytes;
}
}
} //main while loop

//Finally clean up the buffers use for seeking
if (streamContext)
BackupRead(hFile, 0, 0, &dwReadBytes, TRUE, FALSE, &streamContext);

CloseHandle(hFile);

return;
}

Above program initially opens the input file using the FILE_FLAG_BACKUP_SEMANTICS for reading streams. Next it calls the BackupRead function to read the stream header. If the header contains the flag BACKUP_ALTERNATE_DATA then it points to a hidden stream file. In such a case it proceeds to reading the stream file name which is present after the stream header. After that it moves file pointer to next stream header through BackupSeek function.

The same process is repeated until all streams present in the specified files are discovered. Also note that the same program can be used to detect streams within folder as well.

Well Known Alternate Data Streams

TOP

There are numerous applications including Windows which internally use alternate data streams for various purposes. Here are some of the well known streams....

  • SummaryInformation
    This stream is created by Windows when user updates the summary information for the file.

  • DocumentSummaryInformation
    This stream is created by Windows when user updates the summary information for the file.

  • {4c8cc155-6c1e-11d1-8e41-00c04fb9386d}
    This is stream with zero size created by Windows when user updates the summary information for the file.

  • Zone.Identifier
    This is another well known stream created by Internet Explorer for every downloaded file. It is basically text stream with size normally less than 50 bytes.

  • encryptable
    This is a stream with zero size attached to the file 'Thumbs.db'.

  • favicon
    This is icon stream attached to the favorite links stored by Internet Explorer.

  • AFP_AfpInfo
    This is stream of icon type belongs to Macintosh system.

In addition to legitimate programs, it is also being used by malicious Rootkit programs such as Mailbot.AZ, Trojan.Win32.Agent.alt etc to hide their drivers.

Tools to detect ADS

TOP

Due to nature of ADS, normal file browser tools cannot detect these hidden streams. We need special tools to discover and manipulate these streams. There are many ADS tools available, but most of them resort to only enumerating streams. Most of these are console based tools which are good for automation but not much useful for home users.

Here comes the new advanced tool, StreamArmor which can quickly scan for hidden alternate data streams as well as clean them completely from the system. It's advanced auto analysis coupled with online threat verification mechanism makes it the best tool available in the market for eradicating the evil streams.



Conclusion

TOP

In short, ADS not only makes it easy for Rootkit programs to hide themseleves but also provides the covert launch pad to execute stealthily without making noise. Only sophisticated tools such as StreamArmor will greatly help in uncovering and destroying such hidden threats.

EvilFingers Arsenal




Socialize with RootkitAnalytics

Twitter Feed Blogspot

Links

Rootkits & Enterprise: Enterprise is a major victim to rootkits. What could rootkits do to them?[read more]

Rootkits & Home-users: Do home-users know the seriousness of rootkits? What should a home-user know about rootkits?[read more]

Rootkits & Information Warfare: What does the silent war of intelligence and national security, got to do with rootkit analysis?[read more]

Userland Rootkits: What should one know about userland rootkits?[read more]

Kernelland Rootkits: What should one know about kernelland rootkits?[read more]

ElfStat: ElfStat is a tool designed for detecting any kernel malware that modifies the text segment of the kernel in memory...[read more]

Syscall/Kernel function interception: This is a more stealth method of syscall hijacking without having to directly modify the syscall table; instead the first several bytes of the syscall are overwritten with a jump to the new code...[read more]

Syscall Interception: What should you know about Syscall interception by directly modifying the Syscall table?[read more]

KsiD [Kernel Symbol Interception Detection]: This tool is designed to detect kernel rootkits and kernel malware which hijack syscalls and kernel functions ...[read more]

IDT /dev/kmem rootkit method: This can be done using several methods including overwriting the first several bytes of the syscall with a jump to other code, or modifying the function pointers.[read more]

Hidden Process Detection: Hidden Process Detection [HPD] using Direct NT System Call Implemenation, PIDB (Process ID Bruteforce) method, CSRSS Process Handle Enumeration and other methods...[read more]

Hidden Registry Detection: Reason for Hiding the Registry Entries, Rootkit techniques to hide, and Detecting Hidden Registry Entries Using Direct NT System Call Method and Directly Reading Hives Method...[read more]

Hidden Service Detection: Hidden Rootkit Services Detection Methods...Enumerating Processes with 'NtControlPipe', Hook Bypass Method through Mapped Image, Services Enumerating Child Processes of Services.exe, Enumerating Services Registry Key...[read more]

Syscall Handler Checker [SHC]: This tool simply verifies whether or not the system call handler system_call() has been patched to call a phony sys_call_table. If a phony sys_call_table appears to be in use, a tool like elfstat can be used for further analysis...[read more]

Firmware Rootkits: Firmware is a small static code that runs on devices ranging from consumer electronics to anything that controls heavy machinery...[read more]

Hypervisor Rootkits: This comes under both firmware and hardware rootkits. The reason being, hypervisor is a virtual environment that runs on the hardware, but basically it is a firmware. Hence, we have drawn the line and dropped this rootkit in the firmware category of rootkits...[read more]

Publications: In this section, we are planning to list all the papers that we have published so far that are rootkit related.

Backdoor Ultimate Defender: In this paper (Backdoor.Win32.UltimateDefender.gtz - Reversing) we analyze install.exe that presents the typical structure of an Medium Evoluted Malware, with basical Obfuscated-Dummy Code...[read more]

Socialize: You could socialize with us by many ways...[read more]

About: Learn about rootkit analytics here...[read more]

Contact us: How can you reach us...[read more]

Our Team: Read more about the rootkit analytics team...[read more]

dwtf v1.0: dwtf is a DLL copying engine ... [read more]

Exploring ADS: Alternate Data Stream (ADS) is the lesser known feature of Windows NTFS file system which...[read more]

Installations [from RootkitAnalytics.com]

ToolsCount
~~~~~~~~~~~~~~~~~~~
Elfstat4560
dwtf3674
KsiD3202
SHC2388

NOTE: Our tools are listed in many sites and torrents, which makes it hard for us to track all downloads. Hence, we are listing only the total installations from our website.

Socialize with EvilFingers

Twitter Feed Blogspot LinkedIn Delicious Google

Tweets