Government Security
Network Security Resources

Jump to content


Tutorial - Alternate Data Streams: The Forgotten Art Of Information Hiding

- - - - - windows network trojan hash md5 payload rootkit steganography tutorial
  • Please log in to reply
8 replies to this topic

#1 bspirovski



  • Sergeant Major
  • 118 posts

Posted 02 December 2009 - 12:55 PM

Alternate Data Streams is a feature of the NTFS filesystem. In essence they were created to provide compatibility with HFS, or the old Macintosh Hierarchical File System. The way that the Macintosh's file system works is that they will use both data and resource forks to store their contents. The data fork is for the contents of the document while the resource fork is to identify file type and other pertinent details.

How do you create an ADS? Wonderfully easy: All you need to do is have the two files, and then send the file to be hidden to the ADS of the host file with a simple type command:

type file_to_be_hidden> host_file:name_of_file_to_be_hidden

The most frequent use of ADS for malicious purposes is to conceal the executable of a trojan/rootkit as an Alternate Data Stream (ADS) to a perfectly safe file. For instance, once an attacker penetrates a Windows system, he can easily hide the malicious payload for further access into an executable which is fairly frequently used - like Calculator.

Alternate Data Streams may also be interesting as a mechanism to hide and transport information out of an organization:
Once you include an ADS into a file, there is no visible change in filesize of the host file, only the modified date is changed. This makes it quite difficult to detect the Alternate Streamed file. Also, the ADS file does not change the MD5 hash of the original file, which may prevent systems which control file modification through hashing from detecting the hidden file. Here is an example:

C:\Users\user\Desktop>md5sum test.txt
d41d8cd98f00b204e9800998ecf8427e *test.txt

C:\Users\user\Desktop>type image.jpg>test.txt:image.jpg

C:\Users\user\Desktop>md5sum test.txt
d41d8cd98f00b204e9800998ecf8427e *test.txt

One would think that this method of information hiding is great to transfer any amount of information with an inconspicuous carrier file being sent over a network. But there is a catch: most data carriers will ignore the Alternate Data Stream, and here is the summary list:
  • Zip, RAR or ARJ will simply compress the host file and disregard the ADS
  • MIME and Base64 encoding (e-mail) will ignore the ADS entirely
  • FAT32 (mostly used on USB flash drives) will loose the ADS since it's not supported.
  • Steganography programs will read the bytes of the host file and stop at the EOF
  • FTP and HTTP transfer ignores ADS entirely
  • Recording the
But all is not lost. There are still ways to transfer data with ADS:
  • Transferring the host file over SMB network to an NTFS target retains the ADS hidden file
  • Copying the host file to an NTFS file system transfers the ADS hidden file
So the information theft scenario with ADS is mostly available to employees or trusted persons:
  • The malicious user will create a legal host file and ADS a file with information to be stolen.
  • He will convince the manager to take the legal file home to work on over the weekend.
  • Upon the manager's request, even if USB drives are restricted, IT will copy the file over SMB and onto the employee's USB - which is sparkling clean and conveniently formatted with NTFS.
  • All logs of the transfer will contain the transfer of the original approved file to the USB

I welcome any comments and opinions
Bozidar Spirovski

#2 Guest_DiabloHorn_*

  • Guests

Posted 02 December 2009 - 02:29 PM

because most tutorials just explain the basics over and over again here is a link to a full paper with detailed information about ads including the why it's even supported on windows:

#3 Kenny


    Former Commander In Chief

  • Retired Admin
  • 6,747 posts

Posted 02 December 2009 - 03:00 PM

I posted an article and coded a program relating to ADS several years back...neat way of hinding things


Kenny aka ComSec

Please read the Forum Rules !!!


#4 Marts McFly

Marts McFly

    Global Moderator

  • Colonel
  • 591 posts

Posted 02 December 2009 - 03:09 PM

Yeah I remember when I found out about this a couple of years ago and was playing around with it. It was really cool. I was toying around with hiding trucrypt volumes in alternate data streams (I think IronGeek had a tutorial on this).

But yeah - once I found out ADS are easily discoverable in ANY basic forensics software it did not appeal to me. If you wanted to hide something from a normal user yes - if you want to hide it from professionals, then no.
Certified Information Systems Security Professional (CISSP)



#5 Kenny


    Former Commander In Chief

  • Retired Admin
  • 6,747 posts

Posted 02 December 2009 - 03:19 PM

yeah i agree trajik...old news for many of us...but at the time was the in thing for a week or two ;)
Kenny aka ComSec

Please read the Forum Rules !!!


#6 Guest_DiabloHorn_*

  • Guests

Posted 02 December 2009 - 03:34 PM

interesting part is not only to hide stuff, but also to run code directly from ads.

Now for forensic tools nothing is hidable if you use a good one cause they will even examine sectors marked as corrupted/broken. you could probably crash them with erronous data and hope the investigator thinks it's a normal crash.

Agree on previous posts though...this is so frigging old :|

#7 Ender


    Private First Class

  • Members
  • 96 posts

Posted 02 December 2009 - 11:34 PM

Indeed, nothing new, just think of all the malware that uses ADS to hide it self. One very known example that people here would probably know, PI server. :) Able to install itself in ADS and run from there.

#8 Edu


    First Sergeant

  • Members
  • 2,272 posts

Posted 03 December 2009 - 06:02 AM

this is an interesting feature of NTFS File system and if we use our creativity we can come up with a lot of funny things using it ;) - Secumania security blog.

Embed any executable in a JPEG image and get it to run upon opening the image with this cool tool that abuses a feature of GDI in Windows systems. for members only! click here to get it!

#9 Genius1



  • Members
  • 1 posts

Posted 23 January 2010 - 12:27 AM

Most malware developers specially rootkit writers use this way ... .

Also tagged with one or more of these keywords: windows, network, trojan, hash, md5, payload, rootkit, steganography, tutorial