Tuesday, December 9, 2014

5:12 AM
It seems that not many people are aware about this, lemme give you some keynotes about ADS.

In the NTFS file system, an alternate-file-hiding technique usually used by intruders and rootkit malwares. There are different types of data streams. One that holds the security information and another that holds the real data. There may be another stream with link information instead of the real data stream. And there are alternate data streams holding data the same way the standard data stream does. The streaming feature of NTFS is touted by restructuring the file system. It can also be used to hide malicious cracker's toolkit or trojan program-in streams behind files.

Yes, I know all of you think that it's cool and sure thing that comes in your mind is that, how can we use it in practical way? Well, you can basically do many things with it eg. you hide some secret of yours or you could use it for hiding your registration information and other credentials. Or if you are a BlackHat, you can hide viruses/worms/rootkits,etc.

There are two ways to hide your data in ADS, you can hide it in folder, or hide it in a file. And it's not going  to change the size of the carrier whatsoever and anything either for the file or folder except its date stamp.

So without further ado, let's learn the tricks, fire up command prompt:

Hiding a file in a folder

mkdir c:\folder
echo mydata > c:\folder:secrets.txt

In the above example, we redirected the output of echo mydata to be stored at c:\folder:secrets.txt. You will notice then that there is not backslash between "folder" and "secrets.txt"

You can then check and see if the folder "c:\folder" contains anything, and check if the size has been changed. And.. nothing is actually there! pretty cool eh?

Okay let's unstream it, open cmd and type:

notepad.exe c:\folder:secrets.txt
 The outcome seems interesting? well, you haven't seen anything useful yet. Now, let's jump to the next part


Hiding a file in a file

echo sometext > C:\folder\textfile.txt
echo mystuffs > C:\folder\textfile.txt:secrets.txt
 It's just the same thing we did before, but instead of hiding it in a folder, we did hid it in a file. So now you understand the significance of ":"

It means that you are accessing an alternate data stream instead of the normal ones or the visible ones, so to speak.

Now, let's unstream it

notepad.exe c:\folder\textfile.txt:secrets.txt
Amazing! but I gotta tell you that it's still far from it's true potential of such feature.

Now, if we wanted to be a little devilish and hide some executable files, an attacker will need the POSIX cp from Resource Kit. This is pretty simple, assuming I have netcat(nc.exe) downloaded on my current directory:

cp C:\windows\system32\calc.exe C:\folder\calc.exe
type nc.exe > C:\folder\calc.exe:nc.exe
start C:\folder\calc.exe:nc.exe
 We simple copied calc.exe (which is calculator) to our test folder so we don't mess anything up, and we hid the nc.exe file in our copied calc.exe. We then finally executed our hidden file "nc.exe", which is not located at "c:\folder\calc.exe:nc.exe"

The modification date on copied calc.exe changes but not its size. (Some versions of cp/type may not alter the file date.) Therefore, hidden streams files are very hard to detect. Streamed files can still be executed while hiding behind their front. Due to cmd.exe limitations, streamed files cannot be executed directly (that is, calc.exe:nc.exe). Instead, try using the start command to execute the file.

If you say this is lame, and it just starting nc from a hidden location! Well, if you open up your default windows task manager and see if you can find nc.exe running. You may find calc.exe running but not nc.exe although in your eyes or your netstat you can see it.

Let's talk about some countermeasure about it:

How to delete a file stored in ADS

First, let's assume you have a file called tool.exe, and this file got hidden by some major dirty trojan rat develop by some kids. In order to do so, you should:


ren tool.exe temp.exe
type temp.exe > tool.exe
del temp.exe

But, what if the bad guys have "rat.exe" hid it in the folder "c:\windows"?
Don't be afraid; it's also easy to do:

notepad.exe c:\windows:rat.exe
 Delete the contents of rat.exe and then save. Notepad will tell you that the file is empty and ask if you want to delete it - confirm the action, and you are done.

Some tools you may use in dealing with NTFS ADS:

  • Sysinternals
  • LADS
  • crucialADS
  • Foundstone's sfind

That's it! You can do a lot of things with ADS just don't limit your imaginations. Thanks for reading.

Next
This is the most recent post.
Older Post

0 comments:

Post a Comment