ADS streams used by Windows

Hi-

I just used Hijack this to look for ADS streams and there only seemed to be two types present.

1) It looks as though all Thumbs.db files (thumbnail caches) each have one with the size reported to be 0 kb.

2) this one: K:\WINDOWS :  (108 bytes)s)


That's right, It's name is represented by a box!

I'm pretty sure it's ok to delete it, but any clues what it is for?



-HandsOff

 

there's some nice stuff about ads at these links which might help.
http://www.irongeek.com/i.php?page=security/altds
http://twatech.org/shows.php?ep=106

the box probably means it's from a charactor set you don't have

 

Yeah, you might be right, though I'd think the program would provide it if it were not a system font.

Well, I'll continue to say what is bothering me. The term "safe to delete". Because as far as I know all ADS streams are safe to delete (I haven't looked at the link yet, though). So my next thought is, maybe those are infact streams that Kaspersky is using (they have used ADS in the past, but it is not mentioned). Before I continue following this thought, I guess I should see what the link has to offer!

Thanks for the response!


-HandsOff

The mystery continues, "...(on blanket deleting using -d switch) I wouldn't advise it if you don't know what you're doing..."

Really? Why? What can you break?

 

I still haven't figgered out ADS. Several times I've done scans for them with AdAware or Spybot S&D (or HJT, come to think of it), and each time all that turned up was "hooked" to midi files.

 

Hi Mike-


I must be in the Twilight Zone again! I thought I had posted an additional sentence in my last post, but I don't see it now. (It was an edit, so I probably hit cancel by mistake, I guess) I wanted to say:

As far as I know it is safe to delete them ALL because I have done it before and nothing blew up.

Well, I do know a little more about ADS Streams and what I know is almost unbelieveable. You have to look at a couple of those threads that Iceni60 left to get an idea of the scope of the threat.

Im very surprised at the result of your scans - Are you scanning specifically for ADS Streams, or just noting one's that are reported as being suspicious?

There is a nomenclature (disinformation?) thing out there that obfuscates things a bit, and may explain your MIDI files (are you editing music, creating music files?). Anyway, numerous programs refer to things like "comments" or "search words", or whatever, to discribe the creation of an ADS stream to whatever the file. This seems to be somewhat popular with image organization tools. I don't use the feature (although it would be great) because I have not figured out a reasonable way to be sure that the files aren't used to hide maliciousl executables.

The view we have that you have a file and in a few cases they have alternated data streams attatched to them is way oversimplified. I have sort of figured out how to find them, and sort of figured out how to read the contents...only...I'm not very sure that this information is complete.

It is really fascinating though, in that this thing has got to be a ticking time bomb. With little effort executables and commands and scripts can be placed in files that most people neither could see, nor have any idea they are there! That's why I just erase them all...

Enter SP2. (which I thought you had) SP2 suppossedly marks all the files that you download from the internet zone. Boy, aren't you lucky!!!

- You didn't know they did this
- You cannot see this feature in windows at all (except by heroic effort)
- You method of checking did not uncover this (unless you have no files that were downloaded, or something?)
- NOW: aren't you glass M$ is sprucing up security for you?
- Also you should be seeing cryptic ADS messages if you have thumbnails stored in any of your folder.

One last comment, you supposedly can download and extension for windows explorer that "Let's you view ADS Streams in Windows Explorer's user interface." My first thought is, of course, what do they mean by allow you to view? I suppose one of us had better check, and I was hoping it would be you!!!

I predict it will just give you some useless symbol that means and ADS Stream is present (which technically is true of all NTFS files on your internal hard drives in Windows XP). It's another jargon slight of hand is what I am thinking. Very few know about ADS. Much fewer know how to manage them. They have been in NTFS in one form or another for many years. There stated purpose is obviously not in line with their capability and the fact of M$ effectively trying to create new reliance on a security nightmare. So, I think my characterization of it as a ticking time bomb is probably a best case scenario. For all I know, it has already exploded!


-HandsOff

 

Hi, HandsOff

You can stop Windows from caching thumbnails.

By going to Windows explorer>[or any folder] Tools>Folder Options>View>Do not cache thumbnails, and check it.

You will never have any more Thumbs.db files to worry about.

Take Care,
TheQuest

 

The ADS files that Kaspersky 5.0 uses are called kavichs and can only be seen/removed if 5.0 is uninstalled (altough you have the option to remove during the unstall).

 

Thanks Quest, I used to do that because they are managed so poorly, however with the huge number of photo's I have, I decided it was to inconvenient not having them, so I put up with the mismanagement, and just delete the ADS when ever I see them.

Hey Don. Ack! more jargon!! I do recall detecting them with something...I don't remember for sure what, probably trojan hunter. deleting them was not the easiest thing, and you guessed it, I don't quite quite remember what got them, but it wasn't TH or K. I was a well known tool, I want to say by SysInternals, but anyway, it's all just a bad memory!


-HandsOff!