Windows OSs support two little-known data-hiding features: NTFS data streams
(also known as alternate data streams) and share-level Access-based Enumeration
(ABE). Alternate data streams provide a way to attach hidden information, such
as file summary data, to a file. You probably won't make use of alternate data
streams yourself, but malicious users can take advantage of this technology
to your disadvantage, so you need to be aware of what it is and how it can be
used against you.
ABE is something you can use to your benefit: It lets you suppress the visibility of folders and files in a share from users who don't have permissions to access them. Here's what you need to know about these features.
Tributaries of the Data Sea
Alternate data streams are a feature of the
NTFS file system. They were originally added to Windows NT 3.1 to let NT and
Macintosh users exchange files.
An NTFS file is composed of data streams: a $DATA default data stream that
consists of the file's contents, and possibly one or more alternate data streams.
Anyone with the necessary permissions to the file can see that the $DATA data
stream exists and can open it, read it, and write to it.
An alternate data stream is additional information or files that a user or application can attach to an NTFS file. Only the user who created the alternate data stream will be aware of its existence. In general, users won't know if an alternate data stream is attached to a file because the stream's content and name aren't visible and you won't see a change in the file size.
Alternate data streams are used in many ways. Windows uses alternate data streams to store summary data for non-Microsoft Office documents such as simple text (.txt) files. You can enter file summary data, such as title, subject, and author information, on the Summary tab of a file's Properties dialog box. The summary data is stored in an alternate data stream named SummaryInformation.
Windows applications such as Encrypting File System (EFS) and Windows Explorer
leverage alternate data streams to attach file-specific data to files stored
on NTFS-formatted drives. EFS uses alternate data streams to attach encryption
and recovery data to encrypted files, enabling EFS to provide decentralized
file encryption and recovery services.
Microsoft Internet Explorer (IE) in Windows XP Service Pack 2 (SP2) uses an alternate data stream named Security.Zone to safeguard the security zone classification of files that are stored on an NTFS volume. As a result, IE can block elevation-of-privilege attacks that could occur when a user downloads a piece of malicious code from an untrusted Internet security zone and saves the code to the local hard disk. IE classifies locally saved content in the Local Machine security zone, which has more privileges than the Internet security zone. XP SP2 always checks the Security.Zone information before allowing downloaded code to do anything on the local system.
Malware Vehicle
What makes alternate data streams interesting and dangerous is that their
names and content don't appear in Windows Explorer. Thus, alternate data streams
are a very attractive way for attackers to hide information or malicious code
on a system. The VBS.Potok@mm worm is an example: Hackers leveraged an alternate
data stream to attach several Visual Basic (VB) scripts to the existing ODBC.ini
file. When the worm executed, it created an account with administrative privileges
and sent itself to the addresses it found in the Microsoft Outlook Address Book.
Another dangerous characteristic is that the space allocated to alternate data streams doesn't show up in Windows Explorer's size and free-space data. A hacker could use alternate data streams to fill up a file server's disk space, and the administrator would be clueless as to the cause of the problem. Also, the Dir command-line utility doesn't take alternate data streams into account during its size calculations. As I write, the only Microsoft tool that does consider alternate data streams in its size calculations is Chkdsk.
Adding a New Stream
Anyone who has write permission to an NTFS file can
use common OS commands to attach an alternate data stream to the file. For example,
the following command creates an alternate data stream called mystream, attaches
mystream to a file named file.txt, and stores the phrase "top secret" in mystream.
echo top secret > file.txt:mystream
You can view mystream's content by entering the command
more < file.txt:mystream
As I previously mentioned, you can add executable files to alternate data streams. For example, you can add a hidden copy of the Windows calculator (calc.exe) to a file called file.txt simply by typing the command
type calc.exe > file.txt:calc.exe
To execute the hidden calculator, enter the command
start .\file.txt:calc.exe
Now, to see for yourself that alternate data streams and their content aren't accounted for in Microsoft tools, check the properties of file.txt in Windows Explorer. Instead of seeing a file size of 112KB—the size of the embedded calc.exe file—you'll see a file size of 0KB because there's no data in the $DATA file stream and Windows Explorer can't detect the data in the alternate data stream.
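To see the size discrepancy just described and to turn it into a check an administrator can run against a share, here is an added PowerShell example; it is not the article's code (the article's examples use cmd.exe). It assumes PowerShell 3.0 or later, where Get-Item, Get-Content and Set-Content accept a -Stream parameter, and an NTFS volume; the folder and file it creates under %TEMP% are constructed for the demonstration and removed afterwards.

```powershell
# Added example, not code from the article: find alternate data streams under a
# folder and report the bytes that Explorer and "dir" leave out of their totals.
# Assumes PowerShell 3.0 or later (the -Stream parameter) and an NTFS volume.

function Get-HiddenStreamReport {
    # Returns one object per alternate data stream found on files under $Path.
    param([Parameter(Mandatory)][string]$Path)

    Get-ChildItem -LiteralPath $Path -Recurse -File -Force | ForEach-Object {
        $f = $_
        # ':$DATA' is the default stream whose size Explorer shows; every other
        # entry is an alternate stream that contributes nothing to that figure.
        Get-Item -LiteralPath $f.FullName -Stream * -ErrorAction SilentlyContinue |
            Where-Object { $_.Stream -ne ':$DATA' } |
            ForEach-Object {
                [pscustomobject]@{
                    File         = $f.FullName
                    Stream       = $_.Stream
                    StreamBytes  = $_.Length
                    VisibleBytes = $f.Length   # the figure Explorer and dir report
                }
            }
    }
}

# --- Constructed test case in a throwaway temp folder ---
$root = Join-Path $env:TEMP ('ads-demo-' + [guid]::NewGuid().ToString('N'))
New-Item -ItemType Directory -Path $root | Out-Null
$file = Join-Path $root 'file.txt'
New-Item -ItemType File -Path $file | Out-Null      # empty default ($DATA) stream

try {
    # Same effect as the article's "echo top secret > file.txt:mystream"
    Set-Content -LiteralPath $file -Stream 'mystream' -Value 'top secret'

    # What the file looks like through the tools the article discusses
    "Explorer/dir size of file.txt : {0} bytes" -f (Get-Item -LiteralPath $file).Length
    "Content of mystream           : {0}" -f (Get-Content -LiteralPath $file -Stream 'mystream')

    # What the scan finds: the stream name and the bytes hidden behind the 0-byte file
    $report = @(Get-HiddenStreamReport -Path $root)
    $report | Format-Table File, Stream, StreamBytes, VisibleBytes -AutoSize

    $hidden = ($report | Measure-Object -Property StreamBytes -Sum).Sum
    "Bytes in alternate streams not counted by Explorer: {0}" -f $hidden

    # On Windows Vista and later, cmd.exe can list streams as well: dir /r
    cmd /c "dir /r `"$root`""
}
finally {
    # Clean up the constructed folder, streams included
    Remove-Item -LiteralPath $root -Recurse -Force
}
```

Run it from a PowerShell prompt; Get-HiddenStreamReport can then be pointed at a share root to account for the space the article says Explorer and Dir omit. Streams the article describes as legitimate (SummaryInformation, the browser's security-zone marker) appear in the report too, so treat it as a triage list rather than a list of malware. The dir /r switch arrived with Windows Vista, so drop that line on the XP-era systems the article targets. To apply the article's mitigation, review who holds write access to the files concerned (cacls on XP, icacls on Vista and later), since write permission on the file is what creating a stream requires.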
Clearly, alternate data streams have quite a few associated risks, especially if your NTFS resources aren't properly permissioned and access to your Windows servers isn't tightly controlled. A simple protection mechanism that you can use to prevent malicious attackers from leveraging alternate data streams is the NTFS access control system. If attackers don't have the permission to write to a file, they can't create alternate data streams and attach them to that file.