Hi,
While going through some malware sample analysis I came across Alternate Data Stream malware,
which is something very few people might have heard of or know about. So I thought to post it here. It will help many admins out there who may have come across this problem but didn't think of it, or didn't even know what the matter was.
Now you might be thinking: what on earth is this Alternate Data Stream?
It is a feature with a darker side: it can quietly eat your hard disk space without showing where the space went. Data written into an alternate stream is not included in the file size that dir or Explorer reports, yet it still occupies clusters on the disk. A normal user, or a corporate system admin who isn't an active learner, won't find anything suspicious on the system and won't be able to solve the mystery of the missing disk space.
Alternate Data Streams (ADS) were added to NTFS so that Windows file servers could store Macintosh files, which carry a resource fork alongside the data fork, for Services for Macintosh. But the darker side is used a lot by malicious people.
It can hide data on a Windows system so that a plain dir command won't show it, and neither will Explorer. (dir /R, available since Windows Vista, does list the streams of each file.)
Those who haven't heard of this feature might be wondering how that is possible, so I am
going to show some ways it is done; just follow my steps and you will see.
With this you can hide text, document files, executable files and so on.
Go to Start ---> Run ---> cmd
1. We will hide a message in the file 1.txt.
C:\>echo ABCDEFG >1.txt
C:\>type 1.txt (this prints the data ABCDEFG)
But I don't want anyone else to see this, so I write it into a named stream of 1.txt instead:
C:\>echo ABCDEFG >1.txt:hidden
After this command the visible file 1.txt is unchanged: dir shows the same size as before, and type 1.txt still prints only the first message. (If you write to a stream of a file that does not exist yet, the file is created with zero bytes.) The second message is not lost; it sits in the stream named "hidden" and does not count towards the file size at all. To read it back:
C:\>more < 1.txt:hidden
(type cannot open a stream directly, which is why the redirect is needed.) Or open it in Notepad:
C:\>notepad c:\1.txt:hidden
2. Now that you know how to hide a message, here is the most important part: hiding files. It can be any sort of file, .exe, .pdf, .doc, .avi, etc.
Give it a try. Copy any exe file, say "info.exe", to C:\ and run:
C:\>type info.exe >2.txt:info.exe
Now delete the info.exe in C:\. dir or attrib will not show any info.exe there; it looks
deleted, but its contents are still on disk inside a stream of 2.txt, invisible to the naked eye.
To run the hidden info.exe from C:\, type:
C:\>start c:\2.txt:info.exe
info.exe starts running; you can't see the file in C:\, but it is there and executing. (This worked on Windows XP-era systems; later versions of Windows may refuse to launch an executable directly from a stream path, so expect this step to fail on a modern machine. The data itself stays hidden just the same.)
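The same two steps in PowerShell, as an added example that is not part of the original post. It hides a text message and a copy of a binary in streams of one file, then shows why a casual look misses them: FileInfo.Length counts only the unnamed stream, while Get-Item -Stream * reveals everything. Assumptions: an NTFS volume, write access to %TEMP%, and calc.exe as a stand-in for "info.exe"; the file and stream names are made up for the demo.

```powershell
# Added example, not from the original post. Assumptions: NTFS volume, write access
# to %TEMP%, calc.exe standing in for the post's "info.exe". Names are made up.
$file = Join-Path $env:TEMP 'ads-demo.txt'

# Step 1: "echo ABCDEFG >1.txt" and "echo ABCDEFG >1.txt:hidden"
Set-Content -Path $file -Value 'nothing to see here'
Set-Content -Path $file -Stream 'hidden' -Value 'ABCDEFG'

# Step 2: "type info.exe >2.txt:info.exe", i.e. copy a whole binary into a stream
$payload = Join-Path $env:SystemRoot 'System32\calc.exe'
$bytes = [System.IO.File]::ReadAllBytes($payload)
if ($PSVersionTable.PSVersion.Major -ge 6) {
    Set-Content -Path $file -Stream 'info.exe' -Value $bytes -AsByteStream   # PowerShell 6+
} else {
    Set-Content -Path $file -Stream 'info.exe' -Value $bytes -Encoding Byte  # Windows PowerShell 5.1
}

# What dir / Explorer / Get-Item report: only the unnamed stream's size
"Reported size: $((Get-Item $file).Length) bytes"

# What is really on disk: every stream, each with its own length
Get-Item -Path $file -Stream * | Format-Table Stream, Length -AutoSize

# Reading the hidden message back (the "more < 1.txt:hidden" step)
Get-Content -Path $file -Stream 'hidden'

# Cleanup: a stream can be removed on its own, leaving the visible file intact
Remove-Item -Path $file -Stream 'hidden'
Remove-Item -Path $file -Stream 'info.exe'
```

The table printed by Get-Item -Stream * shows three entries: ':$DATA' (the visible content), 'hidden' and 'info.exe'. Only the first contributes to the reported size, which is exactly the "lost disk space" effect the post describes.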
In this way a malicious person could hide data or files on your Windows system without
your knowledge and eat away your disk space.
Trojans, worms and viruses can hide by this trick too, and some real-world worms have used it.
So admins and home users, beware of such things. Most antivirus engines now scan alternate data streams, so keep your AV updated.
As I said before, these data files are like biological bacteria: they can't be seen with the naked eye, and even attrib and dir don't show them. So how do you see them? You need a special microscope, i.e. a tool such as "LADS" (List Alternate Data Streams) by Frank Heyne. LADS scans the system and shows all the alternate data streams on an NTFS volume.
LADS works from the command line and can help you out with alternate data stream files. Today you can also use dir /R (Windows Vista and later) to list the streams of individual files, the Sysinternals streams.exe tool, or PowerShell's Get-Item -Stream * for a full enumeration. Expect to find Zone.Identifier streams on downloaded files; those are written by browsers and are not a sign of hiding.
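A minimal LADS-style scanner in PowerShell, added here as an example; it is not LADS itself and not code from the original post. It walks a directory tree, lists every stream other than the unnamed data stream, filters out the benign Zone.Identifier noise, and totals the bytes that live outside the visible file sizes. Assumptions: Windows PowerShell 3.0 or later on an NTFS volume (the -Stream parameter is Windows-only); the function name and the root path are my own choices.

```powershell
# Added example, not LADS and not from the original post. Assumptions: Windows
# PowerShell 3.0+ on NTFS; function name and scan root are made up for the demo.
function Find-AlternateDataStreams {
    param(
        [Parameter(Mandatory)] [string] $Path,
        # Zone.Identifier is written by browsers on downloads: almost always benign noise
        [string[]] $IgnoreStreams = @('Zone.Identifier')
    )
    # -Force includes hidden/system entries; directories can carry streams too, so they are not skipped
    Get-ChildItem -LiteralPath $Path -Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            Get-Item -LiteralPath $_.FullName -Stream * -ErrorAction SilentlyContinue
        } |
        Where-Object { $_.Stream -ne ':$DATA' -and $IgnoreStreams -notcontains $_.Stream } |
        Select-Object FileName, Stream, Length |
        Sort-Object Length -Descending
}

# Usage: scan the system drive and sum the bytes hiding in streams, i.e. the
# "lost disk space" that dir and Explorer never account for
$found = Find-AlternateDataStreams -Path 'C:\'
$found | Format-Table -AutoSize
"{0} streams, {1:N0} bytes outside the visible file sizes" -f $found.Count, ($found | Measure-Object Length -Sum).Sum
```

Large executables hidden as in step 2 of the post float to the top of the list because of the size sort. Running this from an elevated prompt matters: without it, directories you cannot read are silently skipped, which is exactly where a careful attacker would put the stream.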
That was a short look at the hidden threat of NTFS on Windows.
For further reading you can go through the paper:
You can also find the LADS utility by Frank Heyne here:
Keep Reading INFO-Securities