NTFS ADS Viruses

The NT File System allows alternate data streams to exist attached to files but invisible to some file-handling utilities. A virus can exploit such a system.

The NT File System (NTFS) contains within it a system called Alternate Data Streams (ADS). This subsystem allows additional data to be linked to a file. The additional data, however, is not always apparent to the user. Windows Explorer and the DIRectory command do not show you the ADS; other file tools (e.g., COPY and MOVE) will recognize and process the attached ADS file.

The basic notation of an ADS file is <filename>:<ADSname>. A simple example that creates an ADS file is probably the best way to illustrate this. At the system prompt use the ECHO command to create a file and then you can also use ECHO to create an ADS attachment to that file (if doing this, create a directory/folder specifically for the test).

ECHO "This is the test file" > testfile.txt

You should now have a file called TESTFILE.TXT in your test directory. The TYPE, EDIT, and NOTEPAD commands should be able to access this file and show you its contents and a directory command will show it to be about 23 bytes long. The TESTFILE.TXT file was created in what’s called the “named stream” portion of the file system. Now create an alternate data stream file:

ECHO "This is text in the ADS file" > testfile.txt:teststream1.txt

Note that this new file is in the format described above: <filename>:<ADSname>.

But, now try to find this new file. A directory command does not show it; the TYPE and EDIT commands won’t find it. The command…

NOTEPAD testfile.txt:teststream1.txt

…will bring it into the editing area; but even NOTEPAD will only read the file; you can’t do a File|SaveAs and try to create an ADS file with NOTEPAD. Most other programs will not see the ADS file at all. You should also note that you’ve added about 30 bytes to the original file but a directory command on testfile.txt only shows the original size. The ADS file is effectively hidden from view.

Further, an alternate stream file can be created that has no normal stream file association. Here is why it’s suggested you try these experiments in a test directory. Try:

ECHO "This is a really invisible stream file." > :invisible.txt

This file will be created but will be completely invisible to any directory commands or Windows Explorer.

Finally, you may have some trouble trying to delete the stream files you just created. The DEL command does not work with ADS files so DEL :invisible.txt, for example, does not work. The main way to delete alternate stream files associated with a normal stream file is to delete the normal stream file. All ADS files associated with that file will also be deleted. So DEL testfile.txt would have to be used for the first test file created. The :invisible.txt file will be deleted when the directory the file is in is removed (now you see why CKnow said to use a new directory for your testing).

If you need to keep the main file but delete the stream(s) attached to it there are two ways to proceed:

  • Copy the file to a FAT or FAT32 partition and then back again to the NTFS partition. This effectively strips the ADS files off of the primary file.
  • Use the NT Resource Kit CAT utility. You’ll have to rename the file, use CAT on it, and then delete the temporary file you created. The syntax would be:

REN needtokeep.exe temp.exe
CAT temp.exe > needtokeep.exe
DEL temp.exe
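The same experiment driven from PowerShell, as an added example that is not part of the original article: PowerShell 3.0 and later can list, read, copy out and delete individual streams through the -Stream parameter of Get-Item, Get-Content, Set-Content and Remove-Item, which replaces both the FAT round-trip and the Resource Kit CAT step above (and the CAT recovery step described under Virus Use). C:\adstest is a placeholder test directory and Export-Stream is a helper defined here, not a built-in cmdlet.

```powershell
# Added example, not from the original article. Needs an NTFS volume and
# Windows PowerShell 3.0+ or PowerShell 7. C:\adstest is a placeholder.
$TestDir = 'C:\adstest'
New-Item -ItemType Directory -Path $TestDir -Force | Out-Null
Set-Location -LiteralPath $TestDir

# Recreate the article's streams. Set-Content -Stream writes a named stream directly.
Set-Content -LiteralPath .\testfile.txt -Value 'This is the test file'
Set-Content -LiteralPath .\testfile.txt -Stream teststream1.txt -Value 'This is text in the ADS file'
# The ":invisible.txt" form from the article attaches the stream to the directory itself.
cmd /c 'echo This is a really invisible stream file. > :invisible.txt'

# Every stream on the file. ':$DATA' is the default (unnamed) stream, the only one
# whose length DIR and Explorer report.
Get-Item -LiteralPath .\testfile.txt -Stream * | Select-Object FileName, Stream, Length

# Streams hanging off the directory, which no ordinary listing shows.
Get-Item -LiteralPath $TestDir -Stream * | Select-Object FileName, Stream, Length

# Read a named stream, the equivalent of NOTEPAD testfile.txt:teststream1.txt
Get-Content -LiteralPath .\testfile.txt -Stream teststream1.txt

function Export-Stream {
    # Binary-safe copy of one named stream to a standalone file: what the
    # Resource Kit CAT step does, so an EXE parked in a stream can be recovered.
    param([string]$Path, [string]$Stream, [string]$Destination)
    if ($PSVersionTable.PSVersion.Major -ge 6) {
        $bytes = Get-Content -LiteralPath $Path -Stream $Stream -AsByteStream -ReadCount 0
    } else {
        $bytes = Get-Content -LiteralPath $Path -Stream $Stream -Encoding Byte -ReadCount 0
    }
    # Resolve relative to the PowerShell location, not the process working directory.
    $full = $ExecutionContext.SessionState.Path.GetUnresolvedProviderPathFromPSPath($Destination)
    [System.IO.File]::WriteAllBytes($full, [byte[]]$bytes)
}
Export-Stream -Path .\testfile.txt -Stream teststream1.txt -Destination .\recovered.txt
Get-Content -LiteralPath .\recovered.txt

# Strip the streams while keeping the main file and the directory; no FAT round-trip needed.
Remove-Item -LiteralPath .\testfile.txt -Stream teststream1.txt
Remove-Item -LiteralPath $TestDir -Stream invisible.txt
Get-Item -LiteralPath .\testfile.txt -Stream *    # only :$DATA should remain
```

From a plain command prompt, DIR /R (Windows Vista and later) also lists every stream, so the "invisible" files in these experiments are only invisible to the older tools the article describes. For a Streams-style infection, Export-Stream -Path filename.exe -Stream STR -Destination newname.exe performs the CAT step of the recovery procedure given below.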

Note: Alternate Data Streams can attach to a directory as well as a file. Some rootkits (e.g., Mailbot) establish themselves in this way.

Virus Use

An alternate stream file can be an executable and executed in a variety of ways. For our purposes here the files can be exploited by viruses that make their way into files saved as part of the normal stream. In one such exploit the virus (Streams) creates a copy of itself as a temporary EXE file and then copies the original EXE file as an ADS file attached to the temporary EXE file. The temporary EXE file is then renamed to the original EXE name. Now, when the user tries to run the original file they actually run the virus, which does its work first and then hands the original program file (still sitting in the stream) to the operating system, which runs the program. The only thing you might see is a slight delay in program start.

For a virus like Streams you should not just delete an infected file. If you do the original file will also be lost as it’s attached. If your anti-virus software does not provide a recovery utility you will have to use the CAT utility in a manner similar to that described above:

CAT filename.exe:STR > newname.exe (this copies the original file to "newname.exe")

COPY /B newname.exe filename.exe (this copies "newname.exe" back to its original name and overwrites the virus)

The virus can be operating system specific. Streams, for example, checks for Windows 2000 and only runs if it’s found.

There are other ways a virus might use an alternate data stream. It could, for example, hide most of its code attached to files not normally scanned by virus scanners (e.g., INI or other text files). Only a small executable that extracts the virus would have to be visible and might be easier to hide. There are more malicious things a virus could do as well (please don’t ask).

In 2009, the alternate data stream was used by a click fraud Trojan named FFSearcher. It used the stream name "Zone.Identifier", which is the stream name Microsoft uses to mark executable files downloaded by Internet Explorer. Instead of a simple zone identifier, however, the Trojan implanted a DLL file that contained the Trojan's code. The file attacked was netcfgx.dll, which is used for network configuration. The registry was changed to point at the DLL in the stream, so it ran in place of the normal DLL file. The Trojan affected Google Search results: users would see no difference, but the Trojan directed the results through a website that siphoned the search commissions to its operators. Because the change was subtle, users generally did not notice it.
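A read-only sweep for the two patterns just described, as an added example that is not part of the original article: a named stream that starts with a PE ("MZ") header, as with the displaced program in a Streams infection, and a Zone.Identifier stream that is not the small "[ZoneTransfer]" text marker Windows writes, as with FFSearcher's DLL. $Root is a placeholder path, Get-StreamHead is a helper defined here, and the 4 KB size bound is an assumption chosen to be well above any genuine zone marker.

```powershell
# Added example, not from the original article. Windows PowerShell 5.1 or
# PowerShell 7 on NTFS; $Root is a placeholder for the tree to inspect.
param([string]$Root = 'C:\Users')

function Get-StreamHead {
    # First $Count bytes of a named stream; byte-reading syntax differs between 5.1 and 6+.
    param([string]$Path, [string]$Stream, [int]$Count = 16)
    if ($PSVersionTable.PSVersion.Major -ge 6) {
        $b = Get-Content -LiteralPath $Path -Stream $Stream -AsByteStream -TotalCount $Count -ErrorAction SilentlyContinue
    } else {
        $b = Get-Content -LiteralPath $Path -Stream $Stream -Encoding Byte -TotalCount $Count -ErrorAction SilentlyContinue
    }
    if ($null -eq $b) { return [byte[]]@() }
    return [byte[]]@($b)
}

$findings = foreach ($file in Get-ChildItem -LiteralPath $Root -Recurse -File -Force -ErrorAction SilentlyContinue) {
    # Every stream except the default ':$DATA' one (single quotes keep $DATA literal).
    $named = Get-Item -LiteralPath $file.FullName -Stream * -ErrorAction SilentlyContinue |
             Where-Object { $_.Stream -ne ':$DATA' }
    foreach ($s in $named) {
        $head = Get-StreamHead -Path $file.FullName -Stream $s.Stream
        $isPE = $head.Length -ge 2 -and $head[0] -eq 0x4D -and $head[1] -eq 0x5A   # 'MZ'
        $reason = $null
        if ($isPE) {
            $reason = 'named stream begins with an MZ (PE) header'
        } elseif ($s.Stream -eq 'Zone.Identifier') {
            $text = [System.Text.Encoding]::ASCII.GetString($head)
            # A real marker is a few lines of INI text; 4 KB is a generous upper bound (assumption).
            if (-not $text.StartsWith('[ZoneTransfer]') -or $s.Length -gt 4096) {
                $reason = 'Zone.Identifier does not look like a zone marker'
            }
        }
        if ($reason) {
            [pscustomobject]@{ File = $file.FullName; Stream = $s.Stream; Bytes = $s.Length; Reason = $reason }
        }
    }
}
$findings | Format-Table -AutoSize
```

The sweep only reads stream headers and reports; it changes nothing. Expect some benign hits on machines where installers or backup tools keep their own named streams, so treat the list as a review queue, and pair a hit on a system DLL such as netcfgx.dll with a check of the registry entries that load it, since the FFSearcher case depended on that redirection rather than on the stream alone.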

Summary

  • The NT File System allows alternate data streams to exist attached to files but invisible to some normal file-handling utilities.
  • Viruses can exploit the NTFS ADS system in a variety of ways.