Sometimes during automated malware analysis in a sandbox (i.e. Cuckoo), we can get in the report the following information: “creating alternate data streams”. It is related with an interesting feature of NTFS file system,  that can be used for hidden channels of storing and exchanging information.

Historical context

ADS are from an era when we had resource forks in HFS (Macintosh Hierarchical File System) and the idea was that files would “carry” everything with them, possibly even the application needed to open them, or the fonts needed to view them in many ways this was a beautiful design and idea which sadly never came to fruition. For example a text file could have carried its translations in ADS, a Braille version, RTF and TXT, etc. but also its images in various resolutions depending on screen DPI. All without cluttering the “main view” or those gigantic Word files. – via @cynicalsecurity

Introduction

In FAT file system – used by old versions of windows – file consisted of 2 elements: attributes and data.

In NTFS it i different – file consists of attributes, security settings, main stream and alternate streams. By default, only the main stream is visible.

Let’s see how it works by creating a sample file: test.txt. At this moment it’s main stream will be empty. However, we will create an alternte data stream. We can write into it using echo command and simple stream redirection.
Naming convention:
[filename.extension]:[alternate_stream_name]

optionally we can use ::$DATA at the end, i.e:
[filename.extension]:[alternate_stream_name]::$DATA

echo This message is saved in the ADS > test.txt:hidden_stream

Let’s list the directory and see the newly created file (test.txt)

dir

As we can notice, the file length is displayed as 0 bytes. If we try to open this file by some text editor (i.e notepad) we can see that it is empty. Does it really have something inside? Let’s confirm:

more < test.txt:hidden_stream

Now, finally, our text showed up.

So, how we will find out what are the alternate data streams available in particular files? There are several tools dedicated to reading and editing ADS, but if we don’t want to bother about it, we can just use a command dir, with an appropriate parameter:

dir /R – display alternate data streams of the file

Now we can see the same file, test.txt, listed twice: once with a size 0, and then again – with the size 35, with the ADS name added.

We can edit the file in a normal way, and the alternative stream will stay untouched. By the same way we can create several streams.

File in file using ADS

Example 1

We can also hide another file on the alternate data stream. On the below example – we create a new txt file on another. We can then edit it with typical tools:

Yet, opening the file by default way, we can only see it’s main stream:

Example 2

We can also paste an existing file on an alternate data stream, by using a command type

Let’s take as an example a demo.dll – it is a 32bit Portable Executable, exporting one function: Test1. We will place it in the alternate stream of test.txt

type demo.dll > test.txt:demo

Maybe the alternate stream it is hard to notice – but running it is still very easy:

rundll32 test.txt:demo,Test1

Example 3
Exactly the same can be done with (malicious) macros:

type‬‬ ‫‪malware.vbs‬‬ > ‫‪readme.txt:malware.vbs‬‬
‫‪Wscript‬‬ ‫‪‫‪readme.txt:malware.vbs‬‬

Zone.Identifier

One of the legitimate usages of alternate data streams is Zone.Identifier. It is a feature used to identify the file origin. In case if the file comes from some untrusted source, i.e. have been downloaded from the internet, Windows displays a security warning before it can be run.

There are several variants of Zone.Identifier value:

0 My Computer
1 Local Intranet Zone
2 Trusted sites Zone
3 Internet Zone
4 Restricted Sites Zone

file.exe:Zone.Identifier

Sample content of Zone.Identifier of the file downloaded from the internet:

[ZoneTransfer]
ZoneId=3

Malware downloaders may edit Zone.Identifier of the downloaded file, in order to make it run without displaying alert.

ADS and PowerShell

PowerShell comes with a built-in feature to read ADS. There are several commands that can be used to read and edit them:

• Get-Item
• Set-Item
• Remove-Item
• Add-Content
• Get-Content
• Set-Content

Examples

Listing all the streams of a file:

Get-Item -Path [filename] -Stream *

Adding hidden message into ADS:

Add-Content -Path [filename] -Value [my hidden message] -Stream [new_stream]

Cheatsheet

Creating ADS from commandline:

‫‪echo This is a hidden message > testfile.txt:hidden_stream

Displaying files with their alternative data streams:

dir /r

Displaying stream of a file:

more < testfile.txt:hidden_stream::$DATA

Appendix

• https://technet.microsoft.com/en-us/sysinternals/streams.aspx – Streams – tools from SysInternals to view ADS
• https://msdn.microsoft.com/en-us/library/ms537021%28v=VS.85%29.aspx – URL security zones
• https://winitor.com/pdf/NtfsAlternateDataStreams.pdf – presentation about Windows Alternate Data Streams by Marc Ochsenmeier
• https://www.bleepingcomputer.com/tutorials/windows-alternate-data-streams/ – Bleeping Computer on ADS