me.mello Posted June 15, 2011 Report Posted June 15, 2011 What is an Alternate Data Stream (ADS)?Alternate Data Stream (ADS) is the lesser known feature of Windows NTFS file system which provides the ability to put data into existing files and folders without affecting their functionality and size. Any such stream associated with file/folder is not visible when viewed through conventional utilities such as Windows Explorer or DIR command or any other file browser tools. It is used legitimately by Windows and other applications to store additional information (for example summary information) for the file. Even 'Internet Explorer' adds the stream named 'Zone.Identifier' to every file downloaded from the internet.Due to this hidden nature of ADS, hackers have been exploiting this method to secretly store their Rootkit components on the compromised system without being detected. For example, the infamous Rootkit named 'Mailbot.AZ' aka 'Backdoor.Rustock.A' used to hide its driver file into system32 folder (C:\Windows\system32) as a stream '18467'.Playing with ADSIt is easy to create alternate data streams for the file or folder. Here are the simple commands (use the cmd prompt to launch these commands)Create simple text stream,type c:\test.txt > c:\windows\system32\calc.exe:test.txtView it using the notepadc:\notepad.exe c:\windows\system32\calc.exe:test.txtHiding the rootkit.exe as stream within the windows calculator,type c:\rootkit.exe > c:\windows\system32\calc.exe:rootkit.exe'Here is the screenshot showing the above steps in execution.Note that there is no change in the size of calc.exe even after adding the stream file to it. These characteristics makes the streams a hidden threat.Program to Enumerate StreamsHere is the short demo program which enumerates all the streams within the given file or folder.void EnumStreams(char *strFilePath) {PVOID streamContext = 0;DWORD dwReadBytes, seek_high;WIN32_STREAM_ID streamHeader;WCHAR strStreamName[MAX_PATH];char strBuffer[1024];//Open the file for stream enumerationHANDLE hFile = CreateFileA( strFilePath, GENERIC_READ, FILE_SHARE_READ, NULL, OPEN_EXISTING, FILE_FLAG_BACKUP_SEMANTICS, NULL );if( hFile == INVALID_HANDLE_VALUE ){printf("Failed to open the file %s, Error=0x%.8x", strFilePath, GetLastError());return;}while(1){//check if we have reached the end of fileif( FALSE == BackupRead(hFile, (LPBYTE)&streamHeader, (LPBYTE)&streamHeader.cStreamName-(LPBYTE)&streamHeader, &dwReadBytes,FALSE, FALSE, &streamContext) ){break;}//check if we have read the stream header properlyif( (long)dwReadBytes != (LPBYTE)&streamHeader.cStreamName-(LPBYTE)&streamHeader )break;//we are interested only in alternate data streamsif(streamHeader.dwStreamId == BACKUP_ALTERNATE_DATA) {if (streamHeader.wStreamNameSize != 0 ){if( BackupRead(hFile, (LPBYTE)strStreamName, streamHeader.dwStreamNameSize, &dwReadBytes, FALSE, FALSE, &streamContext) ){strStreamName[streamHeader.dwStreamNameSize/2]=L'\0';////Reformat the stream file name ... :stream.txt:$DATA//sprintf_s(strBuffer, 1024, "%S", &strStreamName[1]);char *ptr = strchr(strBuffer, ':');if( ptr != NULL )*ptr = '\0';printf("\n Found Stream - %s", strBuffer);}}}// jump to the next stream headerif (BackupSeek(hFile, ~0, ~0, &dwReadBytes, &seek_high, &streamContext) == FALSE) {//for any errors other than seek break out of loopif (GetLastError() != ERROR_SEEK) {// terminate BackupRead() loopBackupRead(hFile, 0, 0, &dwReadBytes, TRUE, FALSE, &streamContext); break;}streamHeader.Size.QuadPart -= dwReadBytes;streamHeader.Size.HighPart -= seek_high;BYTE buffer[4096];while(streamHeader.Size.QuadPart > 0){if (dwReadBytes!=sizeof(buffer) || !BackupRead(hFile, buffer, sizeof(buffer), &dwReadBytes, FALSE,FALSE, &streamContext) ){break;}streamHeader.Size.QuadPart -= dwReadBytes;} //end of inner while loop} //end of 'jump to next stream' if loop} //main while loop//Finally clean up the buffers used for seekingif (streamContext) BackupRead(hFile, 0, 0, &dwReadBytes, TRUE, FALSE, &streamContext);CloseHandle(hFile);return;}Above program initially opens the input file using the FILE_FLAG_BACKUP_SEMANTICS for reading streams. Next it calls the BackupRead function to read the stream header. If the header contains the flag BACKUP_ALTERNATE_DATA then it points to a hidden stream file. In such a case it proceeds to reading the stream file name which is present after the stream header. After that it moves file pointer to next stream header through BackupSeek function.The same process is repeated until all streams present in the specified files are discovered. Also note that the same program can be used to detect streams within folder as well.Well Known Alternate Data StreamsThere are numerous applications including Windows which internally use alternate data streams for various purposes. Here are some of the well known streams* SummaryInformationThis stream is created by Windows when user updates the summary information for the file.* DocumentSummaryInformationThis stream is created by Windows when user updates the summary information for the file.* {4c8cc155-6c1e-11d1-8e41-00c04fb9386d}This is stream with zero size created by Windows when user updates the summary information for the file.* Zone.IdentifierThis is another well known stream created by Internet Explorer for every downloaded file. It is basically text stream with size normally less than 50 bytes.* encryptableThis is a stream with zero size attached to the file 'Thumbs.db'.* faviconThis is icon stream attached to the favorite links stored by Internet Explorer.* AFP_AfpInfoThis is stream of icon type belongs to Macintosh system.In addition to legitimate programs, it is also being used by malicious Rootkit programs such as Mailbot.AZ, Trojan.Win32.Agent.alt etc to hide their drivers.Conclusionn short, ADS not only makes it easy for Rootkit programs to hide themseleves but also provides the covert launch pad to execute stealthily without making noise. Only sophisticated tools such as StreamArmor will greatly help in uncovering and destroying such hidden threats. Quote
Xander Posted June 16, 2011 Report Posted June 16, 2011 defapt sunt o gramada de antivirusi care vad ca thread tot ce e in ads-uri mai putin cele de sistem ( de exemplu avg ) Quote