Alternate Data Streams Scan Engine

Discussion in 'other software & services' started by softtouch, May 28, 2009.

Thread Status:
Not open for further replies.
  1. softtouch

    softtouch Registered Member

    Joined:
    Jan 31, 2006
    Posts:
    415
    When dealing with network security, administrators often don't truly appreciate the lengths that a sophisticated hacker would go to to hide his tracks. Simple defacements and script kiddies aside, a sophisticated hacker with more focused goals looks to a perimeter system breach as an opportunity to progress further inside a network or to establish a new anonymous base from which other targets can be attacked.

    In order to achieve this task, a sophisticated hacker would need time and resources to install what is known as a rootkit or hacker tools with which he can execute further attacks. With this comes the need to hide the tools of his trade, and to prevent detection by the systems administrator of the various hacking applications that he might be executing on the breached system.

    One popular method used in Windows systems is the use of Alternate Data Streams (ADS). A relatively unknown compatibility feature of NTFS, ADS is the ability to fork file data into existing files without affecting their functionality, size, or display in traditional file browsing utilities like dir or Windows Explorer. Found in all versions of NTFS, ADS capabilities were originally conceived to allow for compatibility with the Macintosh Hierarchical File System, HFS, where file information is sometimes forked into separate resources. Alternate Data Streams have come to be used legitimately by a variety of programs, including the native Windows operating system, to store file information such as attributes and temporary storage.

    Amazingly enough, Alternate Data Streams are extremely easy to make and require little or no skill on the part of the hacker.

    Alarmingly, files with an ADS are almost impossible to detect using native file browsing techniques like the command line or Windows Explorer. In our example, the file size of calc.exe will show as the original size of 90k regardless of the size of the ADS anyfile.exe. The only indication that the file was changed is the modification time stamp, which can be relatively innocuous.

    Once injected, the ADS can be executed by using traditional commands like type, or start or be scripted inside typical scripting languages like VB or Perl. When launched, the ADS executable will appear to run as the original file - looking undetectable to process viewers like Windows Task Manager. Using this method, it is not only possible to hide a file, but to also hide the execution of an illegitimate process.

    Unfortunately, it is virtually impossible to natively protect your system against ADS hidden files if you use NTFS. The use of Alternate Data Streams is not a feature that can be disabled and currently there is no way to limit this capability against files that the user already has access to.

    What this program does:
    - Scans one or more NTFS drives for Alternate Data Streams and lists them
    - Rates them as Good, Risky or Dangerous automatically
    - Removes with a single click all alternate data streams attached to a file
    - Examines each alternate data stream in the integrated hex editor
    - Saves the alternate data streams to files
    - Removes individual alternate data streams from a file

    Get it here: http://www.delphifreeware.com/ads
     

    Last edited: May 31, 2009
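    As an added example (not part of this thread or of softtouch's tool), the following shows how a defender can pull the named streams out of a `dir /r` listing of the kind softtouch asks for later in the thread and rate them Good/Risky/Dangerous along the lines the tool advertises. The rating rules (an MZ header means a hidden executable, Zone.Identifier is the default mark-of-the-web stream, anything else is merely suspicious), the sample listing and the stream heads are all assumptions constructed for this example.

```python
import re

# `dir /r` prints each named stream on its own line beneath its file: a
# right-aligned size with thousands separators, then file:stream:$DATA and
# no date column. NTFS names cannot contain ':', so the split is unambiguous.
STREAM_LINE = re.compile(r"^\s+([\d,]+)\s+(.+?):([^:\\]+):\$DATA\s*$")

def parse_dir_r(listing):
    """Return (file_or_folder, stream_name, size) for every named stream."""
    found = []
    for line in listing.splitlines():
        m = STREAM_LINE.match(line)
        if m:
            size, name, stream = m.groups()
            found.append((name, stream, int(size.replace(",", ""))))
    return found

def rate_stream(stream_name, head):
    """Assumed rating rules modelled on the tool's Good/Risky/Dangerous scale."""
    if head[:2] == b"MZ":   # PE header: an executable hidden behind a file name;
        return "Dangerous"  # checked first so a fake Zone.Identifier cannot pass
    if stream_name == "Zone.Identifier":
        return "Good"       # the default mark-of-the-web stream Windows writes
    return "Risky"          # unknown, non-executable data: inspect it

def scan(listing, stream_heads):
    """Join the listing with the first bytes of each stream, keyed 'file:stream'."""
    report = []
    for name, stream, size in parse_dir_r(listing):
        head = stream_heads.get(f"{name}:{stream}", b"")
        report.append((f"{name}:{stream}", size, rate_stream(stream, head)))
    return report

# Constructed sample `dir /r` output and stream heads (not real captures).
SAMPLE_DIR_R = """\
05/28/2009  10:05 AM            90,112 calc.exe
                                45,056 calc.exe:anyfile.exe:$DATA
05/28/2009  10:06 AM               123 readme.txt
                                    26 readme.txt:Zone.Identifier:$DATA
05/28/2009  10:07 AM    <DIR>          New Folder
                                     8 New Folder:marker:$DATA
               2 File(s)         90,235 bytes
"""
SAMPLE_HEADS = {
    "calc.exe:anyfile.exe": b"MZ\x90\x00\x03\x00",
    "readme.txt:Zone.Identifier": b"[ZoneTransfer]\r\nZoneId=3",
    "New Folder:marker": b"\x00" * 8,
}

if __name__ == "__main__":
    for path, size, rating in scan(SAMPLE_DIR_R, SAMPLE_HEADS):
        print(f"{rating:<9} {size:>8} {path}")
```

    On a real system the stream heads would come from opening each `file:stream` and reading its first bytes; folders carry streams too, as the `New Folder` line shows.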
  2. softtouch

    softtouch Registered Member

    Joined:
    Jan 31, 2006
    Posts:
    415
    Program was updated recently.
    It also had some code changes so it should not be detected anymore as malware...
     
  3. Tarnak

    Tarnak Registered Member

    Joined:
    Feb 5, 2007
    Posts:
    3,873
  4. softtouch

    softtouch Registered Member

    Joined:
    Jan 31, 2006
    Posts:
    415
  5. softtouch

    softtouch Registered Member

    Joined:
    Jan 31, 2006
    Posts:
    415
    Updated to V1.0.0.6

    - Columns can be sorted
    - Good and Risky files can be hidden via the check boxes even after a scan.
     
  6. softtouch

    softtouch Registered Member

    Joined:
    Jan 31, 2006
    Posts:
    415
    In case some of you tested it, any suggestion to improve it?
     
  7. Franklin

    Franklin Registered Member

    Joined:
    May 12, 2005
    Posts:
    2,517
    Location:
    West Aussie
    Quite good the way it is. :)
     
  8. Searching_ _ _

    Searching_ _ _ Registered Member

    Joined:
    Jan 2, 2008
    Posts:
    1,988
    Location:
    iAnywhere
    Last edited: Jun 6, 2009
  9. softtouch

    softtouch Registered Member

    Joined:
    Jan 31, 2006
    Posts:
    415
    I think something is wrong with this "anubis". The scanner does not access a single registry key! I know it, because I wrote it. And, the scanner is not destructive at all, what a nonsense!

    The best is, try to submit notepad.exe! You get:
    Error - No Executable File
    Unfortunately your file could not be executed.
    Either your file is not a valid Windows executable or some of its startup-dependencies have not been met.
    How can you trust such a web service?
     
    Last edited: Jun 6, 2009
  10. pandlouk

    pandlouk Registered Member

    Joined:
    Jul 15, 2007
    Posts:
    2,551
    Hello softtouch,

    great little tool. :thumb:
    I have two suggestions.
    It would be nice if you could add an option to 'select all' the streams and an option to select multiple streams by holding 'ctrl' and clicking them. It would be helpful when a user wants to eliminate multiple streams.

    thanks,
    Panagiotis
     
  11. softtouch

    softtouch Registered Member

    Joined:
    Jan 31, 2006
    Posts:
    415
    Done in version 1.0.0.8. Thanks for the suggestion!
     
  12. axial

    axial Registered Member

    Joined:
    Jun 27, 2007
    Posts:
    477
    I understand that ADS can be attached to directories/folders; can your application scan for these, too?
     
  13. softtouch

    softtouch Registered Member

    Joined:
    Jan 31, 2006
    Posts:
    415
    Yes, it also scans folders which have one or more streams attached and can remove them.

    I just created a new folder ("New Folder"), attached ads.exe to it and scanned it (see attached image).
     

  14. layman

    layman Registered Member

    Joined:
    May 20, 2006
    Posts:
    217
    Just FYI, one of my machines has an 8-byte ADS attached to the WINDOWS directory itself. Your scanner doesn't report that stream. I've been unable to delete the ADS with any tool that detects it, because it's locked.
     
  15. softtouch

    softtouch Registered Member

    Joined:
    Jan 31, 2006
    Posts:
    415
    Did you uncheck to hide "good" files?
    Something must be different with that stream if it is not detected...
    During my tests, whenever I attached streams to files or folders, they were all detected. I am a little clueless...

    What is shown when you type dir /r (in case you use Vista)?
     
    Last edited: Jun 8, 2009
  16. layman

    layman Registered Member

    Joined:
    May 20, 2006
    Posts:
    217
    I'm running XP. I can see the stream with ADS Spy and another scanner I used to have (from PC Mag), but neither one can delete it.
     
  17. StevieO

    StevieO Registered Member

    Joined:
    Feb 2, 2006
    Posts:
    1,067
  18. StevieO

    StevieO Registered Member

    Joined:
    Feb 2, 2006
    Posts:
    1,067
    softtouch

    I just used it on a Vista PC and it found lots of stuff, including Outlook Express inbox/drafts and all the favourites in IE.

    ADS are just more bloatware/crap/spyware that MS insists on coding into the OS. At the moment I'm using someone else's Vista PC, but hope soon to return to my customised spy-free 98SE. And also a customised XP for testing newer apps.

    Thanx for providing us with some nice soft.
     
  19. softtouch

    softtouch Registered Member

    Joined:
    Jan 31, 2006
    Posts:
    415
    Great you like it. Hope that more users come up with ideas for improvements.
    I know there are a lot of ADS scanners out there, and I am glad that some people like it.
     
  20. layman

    layman Registered Member

    Joined:
    May 20, 2006
    Posts:
    217
    Locating and figuring out the unprintable name of the ADS is more trouble than it's worth.
     
  21. Carver

    Carver Registered Member

    Joined:
    Feb 5, 2006
    Posts:
    1,827
    Location:
    USA
    Please change the shade of yellow for "RISKY" or put the category on a contrasting color stripe, because it is hard to see.
    I found a puzzle: C:\Documents and Settings\ALL USERS\APPLICATION DATA\TEMP. The "TEMP" folder is empty. My question is, how do I find out what program the folder used to belong to, and since it has 3 data streams attached to the folder, can I delete it? The color code is yellow.
     
    Last edited: Jun 9, 2009
  22. trismegistos

    trismegistos Registered Member

    Joined:
    Jan 29, 2009
    Posts:
    365
    If you can live with FAT32's limitations like the file size limit, then using it as your file system when you reinstall your operating system like XP means no more worries about the metadata, thumbnail caching, alternate data streams, etc. Try to remove paging of files (if you have more RAM), some unneeded services and System Restore, and guess what...
    you have a faster, more stable, more secure and more private system.
    More suggestions from the links in this post...
    https://www.wilderssecurity.com/showpost.php?p=1482900&postcount=27
     
    Last edited: Jun 9, 2009
  23. softtouch

    softtouch Registered Member

    Joined:
    Jan 31, 2006
    Posts:
    415
    When you analyze the file, what does the hex editor show? Yellow just indicates that the streams attached are not the default zone identifier and cannot be executed, which usually makes them harmless.

    Maybe you could click the analyze button, select one of the streams, and make a screenshot of the hex editor, so we will know what it is?
     
  24. JRViejo

    JRViejo Global Moderator

    Joined:
    Jul 9, 2008
    Posts:
    20,916
    Location:
    U.S.A.
    softtouch, just FYI. Downloaded your program and started its scan. Noticed that the scan was super slow and at several points, my CPU would spike at 100%, with fans at full blast.

    With ADS running, opened the Task Manager and found avgrsx.exe pegged at 94%. That process belongs to AVG Free 8.5.339 Resident Shield Scanner.

    Disabled AVG's Resident Shield at its GUI, while ADS was running, and the scan completed super fast. Repeated the scan, with AVG's Shield on and the same thing happened.

    Perhaps someone else who runs AVG can duplicate my results and post.
     
  25. Carver

    Carver Registered Member

    Joined:
    Feb 5, 2006
    Posts:
    1,827
    Location:
    USA
    I analyzed the file and selected one of the streams; the hex editor didn't tell me if the folder belonged to a past file or a present one. Since the folder is empty it shouldn't have any ADS streams.
     
