alternate data stream

Discussion in 'Trojan Defence Suite' started by galdon, Apr 12, 2003.

Thread Status:
Not open for further replies.
  1. galdon

    galdon Guest

    so I went to Microsoft's update page and they wanted me to download some software to be able to update. I have SP1 so I decided not to do it. Then I ran an anti-trojan software soon after and it found an alternate data stream and my system.ini file had been rewritten. The time of the rewrite coincided with the visit to the MS update page. So when the anti-trojan software found the alternate data stream linked to the system.ini file I deleted the stream and the host. I had a copy of the original system.ini file. I noticed that a lot of numbers had been added to the file since I went to the MS site. I restored it to its original content. So anybody know just why MS changed my system.ini file and created an alternate data stream? To see if the site actually did it, I went back with the restored system.ini file in place and just went to the site but didn't (purposely) download anything. And yup, the change was made again, and the stream was back. So I fixed everything again.... So what do you all think?... I know they want to catch software hacks but, geez.... and what is an alternate data stream anyway?
  2. Primrose

    Primrose Registered Member

    Sep 21, 2002
    In your case..yes, that file would be changed during an update with the new method used. It is harmless.

    This is the info on ADS from an AV/AT developer's perspective.

    Go to this first link to read about it at DCS

    Hidden NTFS Alternate Data Streams (ADS) Explained - Are You At Risk?
    Everything you've ever wanted to know about NTFS Alternate Data Streams (and everything you didn't know)
    Copyright (C) 2001, Diamond Computer Systems


    And here is some background

    Analysis of Alternate Data Streams

    Are Alternate Data Streams dangerous?

    Opinions on this subject run the gamut from yes, they have no redeeming value, to no, they are completely benign. My opinion lies somewhere in the middle. There is no denying that there are some legitimate uses for alternate data streams. Alternate data streams are an ideal place to store meta-data pertaining to the file. In Windows 2000, some utilities use alternate data streams in gif files to store the thumbnail image of the gif. On the other hand, there is absolutely no legitimate reason why alternate data streams should be completely hidden from view. Due to their inherently hidden nature, alternate data streams are a perfect place for a malicious intruder to hide data on your system. No traces of alternate data streams are reported by the operating system. Even virus scanners and file system integrity checkers seem to ignore them. The philosophy of the virus scanner writers seems to be that a virus in an alternate data stream is harmless since it must be loaded into memory before it is executed, and the auto-protect feature will detect the virus at this point. There are several problems with this logic - First, it assumes that auto-protect is enabled. Second, it doesn't address the fact that the virus will not be detected during the periodic scan of the hard drive that always comes so highly recommended. Regardless, there are other things to be concerned about. For example, an intruder or malicious insider may store sensitive data collected from the system in an alternate data stream for later retrieval. The presence of strange alternate data streams is a good indication of foul play. In conclusion, an alternate data stream scanner is a very useful tool to help determine system integrity. If someone is storing data on your system, don't you want to know about it? If all the data is stored in alternate data streams, and you don't have an alternate data stream scanner, you will never know.

    Technical Discussion of Alternate Data Streams

    The core of the NTFS file system is the Master File Table, commonly referred to as the MFT. The MFT is a collection of records that describe the files and directories in the file system. NTFS files are nothing more than a collection of attributes, such as the creation time, last access time, security descriptor, file name, etc. Interestingly, the file's data is just another file attribute. All files have at least one unnamed data attribute. This unnamed attribute is the primary data stream of the file. Upon file creation, an unnamed stream is allocated to hold the file's data. A file can also optionally have one or more named data attributes. These additional named data attributes are the file's alternate data streams. Directories do not normally contain an unnamed data attribute, but they can have named data attributes. Having multiple streams in the file presents something of a dilemma when it comes time to view the contents of the file - which data stream is presented to the user? The answer is that all requests are satisfied with the primary, unnamed, stream unless a special syntax is used to access one of the named streams. The syntax to access named streams is {file name}:{stream name}. Refer to the section on creating and viewing alternate data streams for more information.

    General Discussion of Alternate Data Streams

    When viewing an NTFS file, what you are actually looking at is the file's primary data stream. The reported file size is that of the primary stream. The operating system does not report information about any of the additional streams that may be part of the file. Essentially, alternate data streams are completely hidden from view.

    Creating and Viewing Alternate Data Streams (NTFS only)

    An alternate data stream can be created in a file or directory that resides on an NTFS volume. Once the syntax is known, creating an ADS is trivial. For example, to create a data stream named "hidden.txt" in a file named "afile.txt" type the following in cmd.exe:

        C:\> notepad afile.txt:hidden.txt

    When notepad prompts you to create a new file, answer yes. Type some text in the file and save it. Assuming that "afile.txt" did not exist prior to the previous step, you will see a new file named "afile.txt" in your C:\ directory with a file size of 0. Why is the file size 0? Well, as stated previously, the system will only list information on the primary stream in a file. Since "afile.txt" did not exist, the system created an empty primary stream in addition to the alternate stream we named "hidden.txt". Conceptually, there is no difference if the file "afile.txt" did exist before we created the alternate stream. The system will continue to list the size of afile.txt as it was before the alternate stream was created. There are several other methods of creating alternate data streams. Notepad was used in this example for simplicity.

    There are also several ways to view the contents of Alternate Data Streams, keeping in mind that you must know the exact names of the stream. The simplest method involves using notepad as discussed above. You can also pipe the contents to the more command as follows:

        C:\>more < afile.txt:hidden.txt
        this is my hidden data
        C:\>

    Alternate Data Streams are not limited to text data; they can contain any type of data that a primary stream can contain.
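The quoted article's conclusion is that an ADS scanner is the only way to see what the operating system hides. The following PowerShell script is an added example and is not from this thread, from DCS, or from any anti-trojan product; it assumes PowerShell 3.0 or later on an NTFS volume (the `-Stream` parameter of the file system cmdlets), and `Find-AlternateDataStreams` and `$Root` are names chosen for this example. It lists every named stream under a directory, then rebuilds the article's "afile.txt:hidden.txt" demonstration in a temporary folder without the notepad GUI so the scanner has something to find, reads the stream back, and cleans up.

```powershell
# Added example, not part of the original thread or any product it mentions.
# Enumerate non-default NTFS alternate data streams under a directory (PowerShell 3.0+, NTFS only).

function Find-AlternateDataStreams {
    param(
        [Parameter(Mandatory)] [string] $Root   # assumed parameter: directory to scan
    )
    Get-ChildItem -LiteralPath $Root -Recurse -File -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            # '-Stream *' returns one object per stream; ':$DATA' is the primary (unnamed) stream,
            # which is the only one Explorer and a plain 'dir' ever report. Everything else is an ADS.
            Get-Item -LiteralPath $_.FullName -Stream * -ErrorAction SilentlyContinue |
                Where-Object { $_.Stream -ne ':$DATA' } |
                ForEach-Object {
                    [pscustomobject]@{
                        File   = $_.FileName
                        Stream = $_.Stream
                        Bytes  = $_.Length
                    }
                }
        }
}

# --- constructed demonstration: a sample file with a named stream, created only for this example ---
$demoDir = Join-Path $env:TEMP ('ads-demo-' + [guid]::NewGuid())
New-Item -ItemType Directory -Path $demoDir | Out-Null
$sample = Join-Path $demoDir 'afile.txt'

Set-Content -LiteralPath $sample -Value 'visible primary stream'
# Same effect as the article's "notepad afile.txt:hidden.txt", without the prompt
Set-Content -LiteralPath $sample -Stream 'hidden.txt' -Value 'this is my hidden data'

# The reported size of afile.txt covers only the primary stream; the scanner exposes the rest
Find-AlternateDataStreams -Root $demoDir | Format-Table -AutoSize

# Reading a named stream once its name is known (equivalent to "more < afile.txt:hidden.txt")
Get-Content -LiteralPath $sample -Stream 'hidden.txt'

# Caveat before deleting anything: some named streams are legitimate, e.g. the 'Zone.Identifier'
# stream that marks files downloaded from the internet. Inspect the contents first; a named
# stream can then be removed on its own without touching the host file:
Remove-Item -LiteralPath $sample -Stream 'hidden.txt'
Find-AlternateDataStreams -Root $demoDir   # now reports nothing

Remove-Item -LiteralPath $demoDir -Recurse -Force
```

Run it as `Find-AlternateDataStreams -Root 'C:\Windows'` (or any folder) to get a table of file, stream name and byte count; on a thread like this one, that table is what a poster would paste so others can judge whether the stream is a benign thumbnail, a download marker or something that deserves a closer look.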
  3. Pilli

    Pilli Registered Member

    Feb 13, 2002
    Hampshire UK
    Hello galdon, would you mind telling us the size of the stream? Can you also right click the data stream to view it in notepad & post a copy here. This may help us see the problem -
    Thank you - Pilli