Tiny Code

Tiny Code

Sunday, December 9, 2007

NTFS Alternate Data Streams

Quite some time ago, Microsoft quietly added the ability to embed an alternate data stream in another file. This was ostensibly done to improve interoperability with other modern file systems such as Apple's HFS. The problem is that many of the command line and GUI utilities supplied with Windows don't support (or at least easily so) manipulation of these alternate data streams, making them an ideal place to store data undetectable by normal means.

This capability can be useful for OS features such as displaying thumbnails images when a user opens a folder containing image files. That way, the thumbnail image gets deleted when the user deletes the image file itself. The user is also not confused by the presence of a multitude of files which they don't remember creating.

The negative implications of alternate data streams are twofold. First, it can make figuring out what is occupying your disk space. Second, it makes a convenient place for Malware authors to hide their malicious software. They love this functionality which has been embedded into the Windows operating system since NTFS was introduced because it frees them from the need to resort to a rootkit to hide files. To Microsoft's credit, in Vista they've added switches to the venerable "dir" command to give it the ability to detect alternate data streams. Users of older versions of Windows will need to avail themselves of a utility such as Streams from the great team at SysInternals, now part of Microsoft.

For a good summary of the security implications of alternate data streams, see this write-up at Security Focus.

No comments: