These days finding a virus, worm or rootkit on your computer is nothing new. Cyber criminals are becoming more sophisticated every day, creating new ways to infect and manipulate users' computers. From then on it's up to your security software to get rid of the problem, unless you are one of those who consider themselves technically fit to solve it yourself. In that case you are destined to bump into fascinatingly irritating things like hidden or regenerating files, which will lead you to the question... How did they do that?

Well, we found one of the answers in the Windows NT File System (NTFS). NTFS is the standard file system of Windows; it began with Windows NT and has been included in every later version all the way up to Windows 7. The NT File System is the upgraded version of the File Allocation Table (FAT) file system, which is still in use today, mostly on external drives. But back to the topic at hand: hackers found a way to utilize what Microsoft calls "strictly a feature of NTFS", namely Alternate Data Streams (ADS).
NTFS supports what is known as multiple data streams, meaning that multiple, detached streams of data can co-exist within a single file. A file on an NT file system is therefore treated as a collection of separate data streams, each of which can store arbitrary content, including the complete contents of another file (a .zip, .txt, .rar, .tar, etc.). This is where ADS comes in. It was originally created for compatibility with the old Macintosh Hierarchical File System (HFS), which used data forks as well as resource forks to store content. Data forks stored the content of the documents and resource forks stored the content required to identify the file type and other applicable details.
Once a hacker has managed to gain system-level access to your PC, either by taking advantage of a vulnerability in Windows or by installing a backdoor Trojan, they can transfer malicious files to it. If you are familiar with your PC these files would eventually be discovered and deleted, and this is why hackers found a way to hide them: they put the malicious files into the alternate data streams of files that already exist on your PC, preferably important files that you would never think of deleting.
Here is a simple example of how they do this using the command prompt (cmd).
First I created a folder on the desktop called 'Experiment'. Inside the Experiment folder were two .txt documents, one named 'dangerous' and the other named 'Important'.

I then typed a command in the command prompt that would hide dangerous.txt in a data stream of important.txt: 'important.txt:dangerous' is the stream name that I made up.
Then I deleted dangerous.txt and checked to see if it was really deleted - to the human eye it looked as if the file was gone.

Now look what happened when I typed in this command:

The file was automatically regenerated! So you see, the ADS feature enables hackers to hide their malicious files behind legitimate files. Hiding a file in another file's data stream doesn't even change the size shown for the file, so there is no normal way for a person to see that the hidden file exists.
This method only works on NT file systems; should you send a file with data streams to a different type of file system, e.g. FAT32, the hidden file will be lost. Another disadvantage for hackers using this method is that a file cannot be accessed while it is still in the data stream; it first has to be regenerated as a file in order to be used, and then it can be deleted again.
This is just a glimpse of what hackers can get up to behind your back. No need to fear though: there are tools out there created especially to detect the presence of alternate data streams. But as a preventative measure it's always best to ensure that your computer is protected with the latest security software.
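You do not actually need a special tool to find these streams: Windows PowerShell can list and remove them itself. The script below is an added example, not part of the original post; it rebuilds the 'Experiment' folder from the walkthrough in your temp directory (the stream content is a constructed stand-in for dangerous.txt), then shows that a stream-aware listing reveals what a normal listing hides. It assumes Windows PowerShell 3.0 or later on an NTFS volume; the function name Find-AlternateDataStreams is my own.

```powershell
# Added example (not from the original post). Assumes PowerShell 3.0+ on NTFS.

function Find-AlternateDataStreams {
    param([Parameter(Mandatory)][string]$Path)
    # Get-Item -Stream * lists every stream of a file. ':$DATA' is the normal
    # file content, so anything else is an alternate data stream worth a look.
    # (Zone.Identifier on downloaded files is a common, legitimate one.)
    Get-ChildItem -Path $Path -Recurse -File |
        ForEach-Object { Get-Item -LiteralPath $_.FullName -Stream * -ErrorAction SilentlyContinue } |
        Where-Object { $_.Stream -ne ':$DATA' } |
        Select-Object FileName, Stream, Length
}

# --- Rebuild the article's 'Experiment' folder in a temporary location ---
$experiment = Join-Path $env:TEMP 'Experiment'
New-Item -ItemType Directory -Path $experiment -Force | Out-Null
$important = Join-Path $experiment 'important.txt'
Set-Content -Path $important -Value 'Keep me'

# Constructed stand-in for the hidden dangerous.txt, written straight into
# the stream 'important.txt:dangerous' used in the walkthrough.
Set-Content -Path $important -Stream 'dangerous' -Value 'hidden content'

# A plain listing shows only important.txt, and its Length is unchanged...
Get-ChildItem -Path $experiment | Select-Object Name, Length

# ...but the stream-aware listing reports the 'dangerous' stream.
Find-AlternateDataStreams -Path $experiment

# Read the hidden content back, then remove just the stream;
# the host file and its own content are untouched.
Get-Content -Path $important -Stream 'dangerous'
Remove-Item -Path $important -Stream 'dangerous'
Find-AlternateDataStreams -Path $experiment   # nothing left to report
Get-Content -Path $important                  # still 'Keep me'
```

In a plain command prompt, `dir /r` lists alternate streams as well.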
For WeSeeTips,
Jijo.
[Microsoft Visual C++ Enthusiast.]