Alternate Data Streams (ADS) in NTFS can hide malware and other malicious software on a compromised system, allowing them to execute undetected by security measures. ADS is a relatively unknown NTFS feature that hackers can use to conceal their tools and keystroke logging programs.
What are Alternate Data Streams?
Alternate Data Streams (ADS) is a feature of the NTFS file system that allows files to have metadata attached to them in the form of streams. ADS was introduced in Windows NT 3.1 and is still used in current versions of Windows, including Windows 10. ADS can be used for legitimate purposes, such as embedding additional information in files, but it can also be exploited by attackers to hide malicious content.
How can Attackers use Alternate Data Streams?
Attackers can use Alternate Data Streams (ADS) to conceal malicious content on a compromised system. For example, an attacker could hide a keylogger or other hacking tool in an ADS attached to a legitimate file, making it harder for antivirus software to detect it. The malicious content is not visible when browsing the file system, and it is executed when the legitimate file is launched.
This technique can be very effective because ADS is a relatively unknown feature of NTFS, and many antivirus programs do not scan ADS. Even if an antivirus program does scan for ADS, it can be difficult to differentiate between legitimate ADS and malicious ADS.
How can you detect and remove malicious Alternate Data Streams?
There are several tools that can detect and remove malicious Alternate Data Streams (ADS). One such tool is LADS (List Alternate Data Streams), a free command-line utility that scans for ADS on a Windows file system.
To use LADS, open a command prompt and type the following command:
This will scan the entire C: drive for ADS and display any findings. If you suspect that a file might have an ADS, you can also use the following command:
more < file.exe:streamname
Replace file.exe with the name of the file and streamname with the name of the ADS. This will display the content of the ADS, allowing you to determine whether it is malicious. As the first step in removing an ADS, you can copy its content out with the following command:
more < file.exe:streamname > streamname.txt
This will copy the content of the ADS to a text file, allowing you to review the content. If you determine that the ADS is malicious, you can delete it using the following command:
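The enumerate, review and remove steps above, carried out with the NTFS stream support built into PowerShell (an added example, not part of the original article or the LADS tool). It assumes PowerShell 3.0 or later on an NTFS volume; the directory, file paths and the stream name "hidden" are illustrative placeholders, and the Zone.Identifier stream (the mark-of-the-web written by browsers) is listed as an expected stream so that it is not mistaken for a hidden payload.

```powershell
# Added example (not the article's code): list every alternate data stream
# under a directory, flag the ones Windows itself creates, and preview the
# first bytes. PowerShell 3.0+ on NTFS; $Root, paths and stream names are assumed.

function Get-StreamHead {
    param([string]$Path, [string]$Stream, [int]$Count = 4)
    # .NET file APIs on Windows accept the NTFS "file:stream" syntax directly
    $fs = [System.IO.File]::OpenRead("${Path}:${Stream}")
    try {
        $buf = New-Object byte[] $Count
        $n = $fs.Read($buf, 0, $Count)
        if ($n -eq 0) { return '' }
        return (($buf[0..($n - 1)] | ForEach-Object { '{0:X2}' -f $_ }) -join ' ')
    } finally { $fs.Dispose() }
}

function Get-AdsReport {
    param(
        [Parameter(Mandatory)][string]$Root,
        # Mark-of-the-Web stream written by browsers; expected, so flagged rather than hidden
        [string[]]$KnownBenign = @('Zone.Identifier')
    )
    Get-ChildItem -LiteralPath $Root -File -Recurse -Force -ErrorAction SilentlyContinue |
    ForEach-Object {
        $path = $_.FullName
        # -Stream * lists every stream; ':$DATA' is the file's ordinary content
        Get-Item -LiteralPath $path -Stream * -ErrorAction SilentlyContinue |
        Where-Object { $_.Stream -ne ':$DATA' } |
        ForEach-Object {
            [pscustomobject]@{
                File     = $path
                Stream   = $_.Stream
                Length   = $_.Length
                Expected = [bool]($KnownBenign -contains $_.Stream)
                # '4D 5A' (MZ) at the start of a stream means a PE executable is stored there
                Head     = Get-StreamHead -Path $path -Stream $_.Stream
            }
        }
    }
}

# Usage (hypothetical paths): report unexpected streams, then copy one out for
# review and remove it once confirmed malicious (uncomment after review).
Get-AdsReport -Root 'C:\Users\Public' | Where-Object { -not $_.Expected } | Format-Table -AutoSize
# Get-Content -LiteralPath 'C:\Users\Public\file.exe' -Stream 'hidden' | Set-Content 'C:\Temp\hidden.txt'
# Remove-Item -LiteralPath 'C:\Users\Public\file.exe' -Stream 'hidden'
```

Get-Content and Remove-Item accept -Stream on Windows PowerShell 3.0 and later, so the review and removal steps need no third-party tool.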
How can you protect against Alternate Data Stream attacks?
To protect against Alternate Data Stream (ADS) attacks, you should use a combination of antivirus software and file integrity monitoring tools. Antivirus software should be configured to scan for ADS, and file integrity monitoring tools should be configured to alert you when a file changes or when an ADS is added or removed.
In addition, you should be cautious when downloading and running software from the internet. Only download software from reputable sources, and always scan downloaded files for viruses and malware before executing them.
Finally, you should keep your operating system and software up to date with the latest security patches. This will help to minimize the risk of vulnerabilities being exploited by attackers.