104

You can hide any file inside of another file just by typing:

type sol.exe > container.txt:sol.exe

and to run the file hidden file just use:

start c:\hide\container.txt:sol.exe

But the crazy part about this is it doesn't increase the size of the file (so it's totally hidden).

And if you delete the file with the hidden stuff inside, the hidden stuff doesn't get deleted. Just use:

more <  container.txt:sol.exe > sol.exe

Why does NTFS allow this? It seems like the best way to hide a virus.

5
  • 1
    nice, seems like mac resourceforks. Commented Jul 24, 2009 at 0:07
  • 15
    worse, when you start sol.exe like that, the task manager shows the process name as container.txt
    – hasen
    Commented Jul 24, 2009 at 0:27
  • 16
    We should bomb google so that "scary" leads to this question
    – hasen
    Commented Jul 24, 2009 at 20:30
  • 4
    With as long as this has been around, it's still astounding to occasionally run across AV developers/other people that work heavily with the filesystem that STILL don't know about it. I don't expect the average app developer to know about it since there's no need, but if you're heavy into filesystem stuff... :-) Commented Jun 28, 2011 at 14:32
  • Supposedly you can also attach an ADS to a folder. You can delete the ADS by deleting the folder, but when the folder is the root of your drive, you can't delete your C: drive, for example, without reformatting the drive. Seems like a mechanism for creating a hidden rootkit virus to me(?). Commented Oct 31, 2013 at 17:55

5 Answers 5

98

There are two sides to this question. The first is why does this feature exist at all, and the second is why doesn't the GUI (or the command prompt) make it easier to see and manage the feature.

It exists because it's useful. Several other platforms support multiple data streams per file. On the Mac, they were called forks, for example. I'm reasonably sure that similar things existed in the mainframe world, but can't put my fingers on any explicit examples today.

On modern Windows, it is used to hold extra attributes for a file. You might notice that the Properties box available from Windows Explorer has a Summary tab that in Simple view (I'm on Windows XP, your mileage will differ on the other flavors) includes a bunch of useful fields like Title, Subject, Author, and so forth. That data is stored in an alternate stream, rather than creating some kind of side-car database to hold it all that would get separated from the file too easily.

An alternate stream is also used to hold the marker that says the file came from an untrusted network source that is applied by both Internet Explorer and Firefox on downloads.

The hard question is why there isn't a better user interface for noticing that the streams exist at all, and why it is possible to put executable content in them and worse, execute it later. If there is a bug and security risk here, this is it.

Edit:

Inspired by a comment to another answer, here is one way to find out if your anti-virus and/or anti-malware protection is aware of alternate streams.

Get a copy of the EICAR test file. It is 68 bytes of ASCII text that happens to also be a valid x86 executable. Although completely harmless, it has been agreed by the anti-virus industry to be detected as if it were a real virus. The originators thought that testing AV software with a real virus would be a little too much like testing the fire alarm by lighting the wastebasket on fire...

The EICAR file is:

X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*

Save it with the extension .COM and it will execute (unless your AV is paying attention) and print a greeting.

It would be informative to save it in an alternate data stream and run a scan...

12
  • 12
    By design the displayed file size only shows the size of the main $DATA stream. THis is also what you usually want. You don't include the length of the file name (which is one kind of metadata) into the file size as well. As for being a security risk. ADS are no more a risk than any individual file is. I haven't heard of any malware that successfully spread/hid with those mechanisms.
    – Joey
    Commented Jul 24, 2009 at 1:32
  • 5
    You can't accidentally run an executable stored in an ADS of a text file. It is well hidden, too well hidden for a common user to accidentally run it. You would need to be compromised first. Commented Jul 24, 2009 at 3:08
  • 8
    @ashh: Martinho nails it - the obscurity that makes it hard to find an executable on such a stream also makes it hard to execute one without actively trying to. Contrast this with, say, the whole "hidden file extensions" fiasco, where executable files could appear to be, say, text files in the GUI... and still execute very easily.
    – Shog9
    Commented Jul 24, 2009 at 3:42
  • 4
    Assuming you have an AV that is at least paying real time attention to the .COM file, you wouldn't be able to attach it as ADS as the AV would prevent you accessing the .COM file (attaching as ADS require one to access the file). You should however be able to attach a text file with the EICAR string and name it with a .COM extension inside the ADS. i.e. type EICAR.txt > test.txt:EICAR.COM
    – KTC
    Commented Jul 28, 2009 at 8:03
  • 2
    Cool fact about the EICAR.COM file: It won't run on any 64-bit versions of Windows so I guess this trick will no longer work once everyone is on 64-bit machines (which will still probably be a while).
    – Kredns
    Commented Apr 15, 2010 at 1:57
15

This feature is required for a cross platform feature of Windows Server: services for mac.

This allows a windows server running on NTFS share to macs via AFP. For this feature to work, the NTFS file system has to support forks, and it has from day one.

And before you ask, is this feature still used? Yes it is I have it running and in use daily on a server in a client that I support.

The main security issue comes when people and applications forget or don't realize that it is there.

There probably should be an option though to include the forks in the total file size or show them in windows explorer.

7
  • 2
    If you are going to down vote, please leave a comment as to why. Commented Jul 24, 2009 at 9:39
  • 2
    This sounds like a completely plausible reason for the feature to exist in the first place.
    – RBerteig
    Commented Jul 28, 2009 at 7:21
  • 3
    adding this feature simply to allow file sharing for macs doesn't sound like a plausible reason. Sharing over the network does not require the file to be stored intact on the server side. I've seen several *nix apple sharing servers that split the file into data and resource information. This is transparent to the client. Changing the actual drive format just to allow AFP does not seem realistic. Might be a nice benefit but not as the REASON for this feature.
    – Simurr
    Commented Aug 27, 2009 at 17:33
  • 2
    Yeah, I'm thinking [citation needed] if you're going to assert that SfM is the main reason that MS implemented ADSes in NTFS.
    – afrazier
    Commented Jul 23, 2010 at 16:31
  • 4
    Citation found: ...ADS capabilities where originally conceived to allow for compatibility with the Macintosh Hierarchical File System, HFS; where file information is sometimes forked into separate resources. Alternate Data Streams have come to be used legitimately by a variety of programs, including native Windows operating system to store file information such as attributes and temporary storage. source: windowsecurity.com/articles/Alternate_Data_Streams.html Commented Jan 17, 2011 at 21:19
5

I'd imagine one of the main uses (perhaps even the intended use) would be to transparently allow addition of any kind of meta-data to a file. The reason the file size does not change is in this scenario you do not want the file to look or behave any differently lest the originating application relies on some aspect of the way the file looks.

I could imagine interesting uses in IDEs for example, where sometimes multiple files are involved to form a single unit (code file / form file, etc), which could be attached to the original file in this way so that they cannot accidentally get separated.

I also believe there is a command to find all such 'attachments' in a given directory tree, so they are not actually completely hidden. It also would surprise me if the better virus scanners are not aware of this and check these 'hidden' areas, but you could check that by purposely attaching an infected executable to a text file and seeing if it gets picked up.

6
  • Could you please post a link to such an executable so I can try? ;) Commented Jul 24, 2009 at 2:19
  • I suggest you run AVG on your machine, and then grab one of the executables from the quarantine folder to try ;)
    – jerryjvl
    Commented Jul 24, 2009 at 2:27
  • 2
    @martinho, you want the EICAR test file: X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H* Just paste that text (exactly 68 bytes of ASCII text, see eicar.org/anti_virus_test_file.htm for the whole story) into a file named with the extension .COM. It will run and print a message. Unless your AV is working, of course. Drop it into an alternate data stream and check there too.
    – RBerteig
    Commented Jul 28, 2009 at 7:07
  • @RBerteig: Hey cool... didn't know there was such a thing.
    – jerryjvl
    Commented Jul 28, 2009 at 10:33
  • @jerryjvl, as they say, it beats testing the fire alarm by lighting the wastebasket on fire...
    – RBerteig
    Commented Jul 30, 2009 at 20:39
5

Here's a good article on the potential security vulnerability posed by Alternate Data Streams.

4
  • 6
    <nitpick> It's a vulnerability, not a threat</nitpick>. And it's not as big of a deal as it sounds. You need to already have credentials to use it.
    – romandas
    Commented Jul 23, 2009 at 23:56
  • No prob. Btw, check your spelling. And always remember: Threats exploit vulnerabilities. Threats are people, usually, but natural and made-made disasters count too.
    – romandas
    Commented Jul 24, 2009 at 0:08
  • @romandas, what credentials do you already need to have? At home most Windows users (XP in particular) are running with Admin privileges so why isn't this a big deal as it sounds?
    – Ash
    Commented Jul 24, 2009 at 2:57
  • @ashh, "with a method of hiding ... on a breached system". The system have to already be compromised in the first place to hide anything, and similarly to execute anything hidden like this.
    – KTC
    Commented Jul 28, 2009 at 7:50
4

Good question, I wasn't properly aware of ADS until last year and I've been a Windows developer for many years. I can guarantee that I am not alone on this.

Regarding being able to check for alternate data on files, I found the useful little tool called Lads available from Frank Heyne software. It can list ADS on all files in a given directory, even on Encrypted files (and also within subdirectories).

You must log in to answer this question.

Not the answer you're looking for? Browse other questions tagged .