Alternate Data Streams Scan Engine

When dealing with network security, administrators often times don’t truly appreciate the lengths that a sophisticated hacker would go through to hide his tracks. Simple defacements and script kiddies aside, a sophisticated hacker with more focused goals looks to a perimeter system breach as an opportunity to progress further inside a network or to establish a new anonymous base from which other targets can be attacked.

In order to achieve this task, a sophisticated hacker would need time and resources to install what is known as a root kit or hacker tools with which he can execute further attacks. With this, comes the need to hide the tools of his trade, and prevent detection by the systems administrator of the various hacking applications that he might be executing on the breached system.

One popular method used in Windows Systems is the use of Alternate Data Streams (ADS). A relatively unknown compatibility feature of NTFS, ADS is the ability to fork file data into existing files without affecting their functionality, size, or display to traditional file browsing utilities like dir or Windows Explorer. Found in all version of NTFS, ADS capabilities where originally conceived to allow for compatibility with the Macintosh Hierarchical File System, HFS; where file information is sometimes forked into separate resources. Alternate Data Streams have come to be used legitimately by a variety of programs, including native Windows operating system to store file information such as attributes and temporary storage.

Amazingly enough, Alternate Data Streams are extremely easy to make and require little or no skill on the part of the hacker.

Alarmingly files with an ADS are almost impossible to detect using native file browsing techniques like command line or windows explorer. In our example, the file size of calc.exe will show as the original size of 90k regardless of the size of the ADS anyfile.exe. The only indication that the file was changed is the modification time stamp, which can be relatively innocuous.

Once injected, the ADS can be executed by using traditional commands like type, or start or be scripted inside typical scripting languages like VB or Perl. When launched, the ADS executable will appear to run as the original file - looking undetectable to process viewers like Windows Task Manager. Using this method, it is not only possible to hide a file, but to also hide the execution of an illegitimate process.

Unfortunately, it is virtually impossible to natively protect your system against ADS hidden files if you use NTFS. The use of Alternate Data Streams is not a feature that can be disabled and currently there is no way to limit this capability against files that the user already has access to.

What this program does:
- Scanning one or more NTFS drives for Alternate Data Streams and list them.
- Rate them as Good, Risky or Dangerous automatically
- Remove with a single click all to a file attached alternate data streams
- Examine each alternate data stream in the integrated hex editor
- Save the alternate data streams to files
- Remove individual alternate data streams from a file

Get it here: http://www.delphifreeware.com/ads

 

Program was updated recently.
It also had some code changes so it should not be detected anymore as malware...

 

I was testing V 1.0.0.2 and 1.0.0.4 late last week.

https://www.wilderssecurity.com/showpost.php?p=1477793&postcount=4293

 

The current V1.0.0.5 should not be detected any longer...

 

Updated to V1.0.0.6

- Columns can be sorted
- Good and Risky files can be hidden via the check boxes even after a scan.

 

In case some of you tested it, any suggestion to improve it?

 

Quite good the way it is.

 

Anubis gives ads.exe version 1.0.0.7 a red, for non temp file destruction; yellow, for reading, creating, modifying and monitoring registry keys; Also monitors keyboard keys.
http://anubis.iseclab.org/?action=result&task_id=11fd075fb9f6dad14c5fd64423af6638c&format=html

 

I think something is wrong with this "anubis". The scanner does not access a single registry key! I know it, because I wrote it. And, the scanner is not destructive at all, what a nonsense!

The best it, try to submit notepad.exe! You get:
Error - No Executable File
Unfortunately your file could not be executed.
Either your file is not a valid Windows executable or some of its startup-dependencies have not been met.
How can you trust such a web service?

 

Hello softtouch,

great little tool.

I have two suggestions.
It would be nice if you could add an option to 'select all' the streams and an option to select multiple streams by holding 'ctrl' and clicking them. It would be helpfull when a user wants to eliminate multiple streams.

thanks,
Panagiotis

 

Done in version 1.0.0.8. Thanks for the suggestion!

 

I understand that ADS can be attached to directories/folders; can your application scan for these, too?

 

Yes, it also scan folder names which have one or more streams attached and can remove them.

I just created a new folder ("New Folder"), attached ads.exe to it and scanned it (see attached image).

 

Just FYI, one of my machines has an 8-byte ADS attached to the WINDOWS directory itself. Your scanner doesn't report that stream. I've been unable to delete the ADS with any tool that detects it, because it's locked.

 

Did you uncheck to hide "good" files?
Something must be different with that stream if it is not detected...
During my tests, whenever I attached streams to files or folder, they have been all detected. I am a little clueless...

What is shown when you type dir /r (in case you use Vista)?

 

I'm running XP. I can see the stream with ADS Spy and another scanner I used to have (from PC Mag), but neither one can delete it.

 

layman

Try Unlocker http://ccollomb.free.fr/unlocker/

 

softtouch

I just used it on a Vista PC and it found lots of stuff, including Outlook Express inbox/draughts and all the favourites in IE.

ADS are just more bloatware/crap/spyware that MS insists on coding into the OS. At the moment i'm using someone elses Vista PC, but hope soon to return to my customised spy free 98SE. And also a customised XP for testing newer Apps.

Thanx for providing us with some nice soft.

 

Great you like it. Hope that more user come up with ideas for improvements.
I know there are a lot of ads scanner out there, and I am glad that some people like it.

 

Locating and figuring out the unprintable name of the ADS is more trouble than it's worth.

 

Please change the shade of yellow for "RISKY" or put the catigory on a contrasting color stripe because it is hard to see.

I Found a puzzle C:\Documents and Settings\ALL USERS\APPLICATION DATA\TEMP The "TEMP" folder is empty. My question is how do I find out what program used to belong to the folder and since it has 3 Data streams attached to the folder can I deleted it the color code is yellow.

 

if you can live with fat32's limitations like the file size limit, then, using it as your file system if you will reinstall your operating system like xp, then, no more worries about the meta data, thumbnailcaching, alternate data streams, etc. try to remove paging of files(if you have a bigger RAM), and some unneeded services and system restore and guess what...
you have a faster, stable and more secure and more private system.
more suggestions from the links on this post...
https://www.wilderssecurity.com/showpost.php?p=1482900&postcount=27

 

When you analyze the file, what does the hex editor show? Yellow just indicate that the streams attached are not the default zone identifier, and cannot be executed, what usually make them harmless.

Maybe you could click the analyze button, select one of the streams, and make a screenshot of the hex editor, so we will know what it is?

 

I analyzed the file selected one of the streams, Hex editor didn't tell me if the folder belonged to a past file or a presant one. Since the folder is empty it shouldent have any ADS streams.