Reveal and Remove Alternate Data Streams
Our ADS Revealer reveals possibly malicious alternate data stream (ADS) files in your Microsoft Windows system. Alternate data streams allow more than one stream of data to be associated with a filename; they were introduced in Windows NT 3.1 so that Services for Macintosh (SFM) could store resource forks. Current versions of Windows Server no longer include SFM, but third-party Apple Filing Protocol (AFP) products, such as GroupLogic's ExtremeZ-IP, still use this feature of the file system. Very small ADS files (called Zone.Identifier) are also added by Internet Explorer and other browsers to mark questionable downloaded files and require user confirmation before opening them.
The Potential Dangers of Alternate Data Streams
- Malware Vectors: Some types of malware hide inside the ADS of legitimate files. You may never know they are there, and many reputable antivirus programs cannot detect them. ADS files can be used to store data the malware needs and to mask its activities, for example malicious plugin files, keylogger logs, and webcam or desktop captures. The infamous PoisonIvy remote access trojan (RAT) and the DarkComet RAT used this technique to hide their plugins.
- Overloading Hard Drive Space: ADS files are not visible in File Explorer, but they physically exist on your hard drive. Some types of viruses can fill your disk with so much junk that the system becomes virtually unusable.
For more about ADS files, read this excellent paper by Marc Ochsenmeier.
Detecting and Removing Malicious ADS Files
ADS files are not visible through normal inspection of your file system. Microsoft provides a tool called Streams for viewing streams on a selected volume, and since Windows PowerShell 3.0 it is possible to manage them locally. However, because hackers have used alternate data streams to hide code, it is now necessary to have a malware tool that scans for ADS files and lets you determine whether or not they are malicious.
ADS Revealer by Phrozen Software scans for and detects ADS files on physical, virtual, physical removable, and virtual removable hard drives on NTFS systems. If ADS files are detected during the scan, you can decide whether to keep them, delete them, or back them up. You can also preview the file content to judge whether it looks legitimate. Phrozen ADS Revealer is the perfect tool for sanitizing your NTFS file systems against bloated content or hidden malware.
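The following PowerShell is an added example, not Phrozen Software's code, showing how the PowerShell 3.0 stream support mentioned above can do the same three things by hand: list every non-default stream under a directory, preview its beginning to spot an embedded executable, and back up and remove a selected stream. It assumes Windows PowerShell 3.0 or later on an NTFS volume; the directory and backup paths are placeholders, and the backup step assumes a .NET runtime (4.6.2 or later, or PowerShell 7) that accepts the "path:stream" form.

```powershell
# Added example (not Phrozen Software's code). Assumes PowerShell 3.0+ on NTFS.

function Find-AlternateStream {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory=$true)] [string] $Root,
        [switch] $IncludeZoneIdentifier   # browser "mark of the web" streams are usually benign
    )
    Get-ChildItem -LiteralPath $Root -Recurse -File -Force -ErrorAction SilentlyContinue |
    ForEach-Object {
        $file = $_
        Get-Item -LiteralPath $file.FullName -Stream * -ErrorAction SilentlyContinue |
        Where-Object { $_.Stream -ne ':$DATA' } |                       # ':$DATA' is the ordinary file content
        Where-Object { $IncludeZoneIdentifier -or $_.Stream -ne 'Zone.Identifier' } |
        ForEach-Object {
            $stream = $_
            # Peek at the start of the stream: a PE image (EXE or DLL) begins with "MZ".
            $head = ''
            try {
                $text = Get-Content -LiteralPath $file.FullName -Stream $stream.Stream -Raw -ErrorAction Stop
                if ($text) { $head = $text.Substring(0, [Math]::Min(64, $text.Length)) }
            } catch { }
            [pscustomobject]@{
                File        = $file.FullName
                Stream      = $stream.Stream
                Length      = $stream.Length
                LooksLikePE = $head.StartsWith('MZ')
                Preview     = ($head -replace '[^\x20-\x7E]', '.')   # printable ASCII only
            }
        }
    }
}

function Remove-AlternateStream {
    [CmdletBinding(SupportsShouldProcess=$true)]
    param(
        [Parameter(Mandatory=$true, ValueFromPipeline=$true)] $Finding,   # an object from Find-AlternateStream
        [string] $BackupDir                                               # optional: keep a copy before deleting
    )
    process {
        $target = "$($Finding.File):$($Finding.Stream)"
        if ($BackupDir) {
            # Copy the raw bytes of the stream into an ordinary file for later analysis.
            New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
            $name = (($Finding.File + '__' + $Finding.Stream) -replace '[^\w.-]', '_') + '.bin'
            $src = [System.IO.File]::OpenRead($target)
            try {
                $dst = [System.IO.File]::Create((Join-Path $BackupDir $name))
                try { $src.CopyTo($dst) } finally { $dst.Dispose() }
            } finally { $src.Dispose() }
        }
        if ($PSCmdlet.ShouldProcess($target, 'Remove alternate data stream')) {
            Remove-Item -LiteralPath $Finding.File -Stream $Finding.Stream
        }
    }
}

# Usage (placeholder paths). Run with -WhatIf first to see what would be deleted.
#   $hits = Find-AlternateStream -Root 'C:\Users\Public'
#   $hits | Format-Table File, Stream, Length, LooksLikePE, Preview -AutoSize
#   $hits | Where-Object LooksLikePE | Remove-AlternateStream -BackupDir 'C:\ADS-Backup' -WhatIf
```

Zone.Identifier streams are excluded by default because they are the browser markers described at the top of the page; pass -IncludeZoneIdentifier to see them too. The "MZ" check is only a hint: a stream can hold a script, an encoded blob or plain junk, which is why the preview column and the backup-before-delete step are there.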
Demonstration of an ADS Exploit
To demonstrate how an ADS exploit works, we made the following video. It shows how ADS files can be used to run application files with the following command:
type C:\windows\system32\notepad.exe > c:\windows\system32\calc.exe:notepad.exe
Since the introduction of Windows 7, hackers cannot use this technique directly. However, after a few simple tests, we found a simple way around this restriction using the Rundll32.exe application, which runs code directly from a command line. As a result, hackers can compile malware as a DLL file and run it covertly from an ADS file through a signed and trusted process (RunDll32.exe).
In the video, we write a Python snippet that encodes a DLL file as a Visual Basic array of decimal values (containing the binary code of the DLL). We then generate the Visual Basic Script loader file that extracts this array to the ADS file location and uses the Rundll32 process to execute it.
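From the defender's side, the technique above leaves a visible trace: a trusted host such as rundll32.exe is started with a command line whose path ends in ":streamname". The PowerShell below is an added example, not code from the video or from Phrozen Software, that scans the command lines of running processes for such ADS-style paths. It assumes Windows with the CIM cmdlets (PowerShell 3.0 or later); the sample command lines at the bottom are constructed for a self-check and are not taken from the page.

```powershell
# Added example (not Phrozen Software's code). Assumes PowerShell 3.0+ on Windows.

# A drive-letter path whose final component carries a ":stream" suffix.
# Quotes and commas end the path so "C:\dir\file.dll,EntryPoint" is not confused with a stream.
$AdsPathPattern = '(?i)\b[a-z]:\\(?:[^\\:",]+\\)*[^\\:",]+:[^\s",\\]+'

function Test-AdsCommandLine {
    param([string] $CommandLine)
    # Returns the ADS-style path(s) found, or nothing when the command line is clean.
    if (-not $CommandLine) { return }
    [regex]::Matches($CommandLine, $AdsPathPattern) | ForEach-Object { $_.Value }
}

function Get-ProcessUsingAds {
    # Every process is checked; hits in rundll32.exe, regsvr32.exe, wscript.exe or
    # cscript.exe deserve the closest look, since those hosts run whatever they are pointed at.
    Get-CimInstance -ClassName Win32_Process |
    ForEach-Object {
        $hits = @(Test-AdsCommandLine -CommandLine $_.CommandLine)
        if ($hits.Count -gt 0) {
            [pscustomobject]@{
                ProcessId       = $_.ProcessId
                ParentProcessId = $_.ParentProcessId
                Name            = $_.Name
                AdsPaths        = ($hits -join '; ')
                CommandLine     = $_.CommandLine
            }
        }
    }
}

# Self-check on constructed command lines (no real processes involved).
$samples = @(
    'rundll32.exe shell32.dll,Control_RunDLL',                       # ordinary use, no stream
    'C:\Windows\System32\svchost.exe -k netsvcs',                    # plain path, no stream
    'rundll32.exe C:\Users\Public\readme.txt:hidden.dll,Start'       # DLL stored in a stream
)
foreach ($s in $samples) {
    $found = @(Test-AdsCommandLine -CommandLine $s)
    '{0,-6} {1}' -f ($(if ($found.Count) { 'ADS' } else { 'clean' }), $s)
}
# Expected: the first two lines report "clean", the third reports "ADS".

# Live check (Windows only):
#   Get-ProcessUsingAds | Format-List
```

Process command lines are a snapshot, so a loader that exits quickly will be missed; the same regex applied to process-creation events (Windows Security event 4688 with command-line logging enabled, or Sysmon event 1) catches it after the fact. Pair this with the stream enumeration from the previous section to find the stored DLL itself.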