
All About Alternate Data Stream (ADS)

An Alternate Data Stream (ADS) is a feature of the Windows NT File System (NTFS) that lets a file carry extra named streams of data alongside its main content, originally intended for metadata such as a file's title or author. It was introduced with Windows NT and is still present in Windows 8. Take note that adding an ADS to a file does not change the file size that Windows reports, which makes it attractive for attackers who want to hide a piece of code or malware inside an otherwise legitimate-looking file.

So what is one purpose of the metadata?

Let's say I downloaded a file called Tutorial 3.pdf from the internet, put it into the directory \test and ran dir. This is what you see:

[screenshot: output of dir in \test]

When I run dir /r instead, the listing also shows any ADS attached to the files in the directory.

[screenshot: output of dir /r in \test]

As you can see, Tutorial 3.pdf has an ADS called Zone.Identifier:$DATA. But what data exactly is this Zone.Identifier stream holding?

[screenshot: contents of the Zone.Identifier stream]

OK, so now I know it is holding ZoneTransfer data with a ZoneId of 3. Does anyone remember this setting in Internet Explorer?

[screenshot: Internet Explorer security zone settings]

It turns out this security setting maps the zone values as follows:


Value  Setting
-----  ---------------------
0      My Computer
1      Local Intranet Zone
2      Trusted sites Zone
3      Internet Zone
4      Restricted Sites Zone


So a ZoneId of 3 tells the computer that the file came from the Internet zone!


So what can an attacker do with ADS? For example, I have just created a hidden.txt stream inside Tutorial 3.pdf and ran a normal dir: you will notice that the reported file size has not changed. Only when I run dir /r does the new stream show up! Take note that the hidden.txt stream could just as easily be an .exe file in an attacker's hands!

[screenshots: dir and dir /r after adding the hidden.txt stream]


An attacker can then send this normal-looking file to you with a hidden ADS inside it! So let's say I want to view my hidden stream now; I would use the command more < tutorial3.pdf:hidden.txt

[screenshot: output of more < tutorial3.pdf:hidden.txt]
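A defender-side version of the checks above (listing streams the way dir /r does, and decoding Zone.Identifier against the zone table), as an added example that is not part of the original post. It assumes Windows PowerShell 3.0 or later on an NTFS volume; the folder C:\test is a constructed sample path.

```powershell
# Added example (not from the original post): list every alternate data stream
# under a folder, decode the Zone.Identifier marker, and flag any other named
# stream (such as the hidden.txt stream shown above) for review.
# Assumptions: Windows PowerShell 3.0+, NTFS volume, sample path C:\test.
param([string]$Path = 'C:\test')

# Zone values from Internet Explorer's security settings
$ZoneNames = @{
    0 = 'My Computer'
    1 = 'Local Intranet Zone'
    2 = 'Trusted sites Zone'
    3 = 'Internet Zone'
    4 = 'Restricted Sites Zone'
}

# Reads the [ZoneTransfer] section of a file's Zone.Identifier stream and returns ZoneId
function Get-ZoneId([string]$File) {
    $lines = Get-Content -LiteralPath $File -Stream 'Zone.Identifier' -ErrorAction SilentlyContinue
    foreach ($line in $lines) {
        if ($line -match '^\s*ZoneId\s*=\s*(\d+)\s*$') { return [int]$Matches[1] }
    }
    return $null
}

Get-ChildItem -LiteralPath $Path -File -Recurse | ForEach-Object {
    $file = $_
    # -Stream * lists all streams. The file's normal content is the unnamed ':$DATA'
    # stream, the only one a plain dir accounts for; everything else is what dir /r reveals.
    Get-Item -LiteralPath $file.FullName -Stream * |
        Where-Object { $_.Stream -ne ':$DATA' } |
        ForEach-Object {
            $zoneId = $null
            $zone   = $null
            if ($_.Stream -eq 'Zone.Identifier') {
                $zoneId = Get-ZoneId $file.FullName
                if ($null -ne $zoneId) { $zone = $ZoneNames[$zoneId] }
            }
            [pscustomobject]@{
                File       = $file.FullName
                Stream     = $_.Stream
                Bytes      = $_.Length   # stream size; not included in the size dir reports
                ZoneId     = $zoneId
                Zone       = $zone
                # Zone.Identifier is expected on downloads; any other stream deserves a look
                Suspicious = ($_.Stream -ne 'Zone.Identifier')
            }
        }
} | Format-Table -AutoSize
```

Unblock-File removes only the Zone.Identifier stream; a stream flagged as Suspicious has to be inspected (for example with more < "file:stream") and, if unwanted, deleted with Remove-Item -LiteralPath "file" -Stream "stream".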