Why the heck does NTFS allow invisible executables?

104

68

You can hide any file inside of another file just by typing:

type sol.exe > container.txt:sol.exe

and to run the hidden file just use:

start c:\hide\container.txt:sol.exe

But the crazy part about this is it doesn't increase the size of the file (so it's totally hidden).

And if you delete the file with the hidden stuff inside, the hidden stuff doesn't get deleted. Just use:

more <  container.txt:sol.exe > sol.exe

Why does NTFS allow this? It seems like the best way to hide a virus.

Kredns

Posted 2009-07-23T23:44:21.113

Reputation: 2 857

Nice, seems like Mac resource forks. – Stefano Borini – 2009-07-24T00:07:31.153

Worse, when you start sol.exe like that, the task manager shows the process name as container.txt – hasen – 2009-07-24T00:27:23.253

We should bomb Google so that "scary" leads to this question – hasen – 2009-07-24T20:30:35.633

With as long as this has been around, it's still astounding to occasionally run across AV developers/other people that work heavily with the filesystem that STILL don't know about it. I don't expect the average app developer to know about it since there's no need, but if you're heavy into filesystem stuff... :-) – Brian Knoblauch – 2011-06-28T14:32:12.797

Supposedly you can also attach an ADS to a folder. You can delete the ADS by deleting the folder, but when the folder is the root of your drive, you can't delete your C: drive, for example, without reformatting the drive. Seems like a mechanism for creating a hidden rootkit virus to me(?). – HighTechGeek – 2013-10-31T17:55:41.907

Answers

98

There are two sides to this question. The first is why does this feature exist at all, and the second is why doesn't the GUI (or the command prompt) make it easier to see and manage the feature.

It exists because it's useful. Several other platforms support multiple data streams per file. On the Mac, they were called forks, for example. I'm reasonably sure that similar things existed in the mainframe world, but can't put my fingers on any explicit examples today.

On modern Windows, it is used to hold extra attributes for a file. You might notice that the Properties box available from Windows Explorer has a Summary tab that in Simple view (I'm on Windows XP, your mileage will differ on the other flavors) includes a bunch of useful fields like Title, Subject, Author, and so forth. That data is stored in an alternate stream, rather than creating some kind of side-car database to hold it all that would get separated from the file too easily.

An alternate stream is also used to hold the marker that says the file came from an untrusted network source that is applied by both Internet Explorer and Firefox on downloads.

The hard question is why there isn't a better user interface for noticing that the streams exist at all, and why it is possible to put executable content in them and worse, execute it later. If there is a bug and security risk here, this is it.

Edit:

Inspired by a comment to another answer, here is one way to find out if your anti-virus and/or anti-malware protection is aware of alternate streams.

Get a copy of the EICAR test file. It is 68 bytes of ASCII text that happens to also be a valid x86 executable. Although completely harmless, it has been agreed by the anti-virus industry to be detected as if it were a real virus. The originators thought that testing AV software with a real virus would be a little too much like testing the fire alarm by lighting the wastebasket on fire...

The EICAR file is:

X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*

Save it with the extension .COM and it will execute (unless your AV is paying attention) and print a greeting.

It would be informative to save it in an alternate data stream and run a scan...

RBerteig

Posted 2009-07-23T23:44:21.113

Reputation: 3 235

By design the displayed file size only shows the size of the main $DATA stream. This is also what you usually want. You don't include the length of the file name (which is one kind of metadata) in the file size either. As for being a security risk: ADS are no more a risk than any individual file is. I haven't heard of any malware that successfully spread/hid with those mechanisms. – Joey – 2009-07-24T01:32:55.577

@Johannes, "ADS are no more a risk than any individual file is" You're joking I hope!

A "simple" text file containing an executable ADS is obviously more of a risk than a text file without any ADS. Such an ADS is the definition of a Trojan Horse, something that appears to the user to have a desirable function but that in effect performs some malicious action on the system. – Ash – 2009-07-24T02:39:05.257

You can't accidentally run an executable stored in an ADS of a text file. It is well hidden, too well hidden for a common user to accidentally run it. You would need to be compromised first. – R. Martinho Fernandes – 2009-07-24T03:08:32.153

@ashh: Martinho nails it - the obscurity that makes it hard to find an executable on such a stream also makes it hard to execute one without actively trying to. Contrast this with, say, the whole "hidden file extensions" fiasco, where executable files could appear to be, say, text files in the GUI... and still execute very easily. – Shog9 – 2009-07-24T03:42:29.000

Phew, my anti-virus works! :) – RCIX – 2010-02-14T10:09:07.920

Assuming you have an AV that is at least paying real-time attention to the .COM file, you wouldn't be able to attach it as an ADS, as the AV would prevent you accessing the .COM file (attaching as an ADS requires one to access the file). You should however be able to attach a text file with the EICAR string and name it with a .COM extension inside the ADS.

i.e. type EICAR.txt > test.txt:EICAR.COM – KTC – 2009-07-28T08:03:18.290

Some Antivirus software actually uses an alternative data streams to mark files as checked and speed up scans (presumably including a timestamp and/or checksum to recognize changed files that have to be re-checked. – Michael Borgwardt – 2009-07-28T09:22:47.320

@KTC, of course actually getting the EICAR test virus into an ADS is an exercise for the student... a good AV solution should make that difficult to achieve, just as it should make propagating a real virus difficult... – RBerteig – 2009-07-28T20:25:17.330

Cool fact about the EICAR.COM file: It won't run on any 64-bit versions of Windows so I guess this trick will no longer work once everyone is on 64-bit machines (which will still probably be a while). – Kredns – 2010-04-15T01:57:42.307

@Lucas, interesting. I suppose that means that Win64 has finally eliminated all support for 16-bit COM files. However, if you have the 32-bit virtual machine extension installed and get a 32-bit CMD.EXE running in it, it should be able to run the EICAR file there. – RBerteig – 2010-05-06T00:21:08.680

@LucasMcCoy: I have Win8 64-bit and I can't even get it to run in the first place since Windows Defender keeps flagging and deleting it :P – Nathan Osman – 2014-01-29T04:32:12.397

@NathanOsman The good news is that Windows Defender is defending you even from code that probably cannot be run at all on a 64-bit platform. :-) – RBerteig – 2014-01-30T20:11:56.610

15

This feature is required for a cross platform feature of Windows Server: services for mac.

This allows a Windows server running on NTFS to share to Macs via AFP. For this feature to work, the NTFS file system has to support forks, and it has from day one.

And before you ask, is this feature still used? Yes it is; I have it running and in use daily on a server at a client that I support.

The main security issue comes when people and applications forget or don't realize that it is there.

There probably should be an option, though, to include the forks in the total file size or show them in Windows Explorer.

Bruce McLeod

Posted 2009-07-23T23:44:21.113

Reputation: 5 490

If you are going to downvote, please leave a comment as to why. – Bruce McLeod – 2009-07-24T09:39:39.070

This sounds like a completely plausible reason for the feature to exist in the first place. – RBerteig – 2009-07-28T07:21:30.247

Do you have a reference to back this up? – Dan McGrath – 2010-05-26T12:14:03.220

Yeah, I'm thinking [citation needed] if you're going to assert that SfM is the main reason that MS implemented ADSes in NTFS. – afrazier – 2010-07-23T16:31:45.010

3

Citation found: ...ADS capabilities were originally conceived to allow for compatibility with the Macintosh Hierarchical File System, HFS, where file information is sometimes forked into separate resources. Alternate Data Streams have come to be used legitimately by a variety of programs, including the native Windows operating system, to store file information such as attributes and temporary storage.

source: http://www.windowsecurity.com/articles/Alternate_Data_Streams.html

– JamesBarnett – 2011-01-17T21:19:38.773

Adding this feature simply to allow file sharing for Macs doesn't sound like a plausible reason. Sharing over the network does not require the file to be stored intact on the server side. I've seen several *nix Apple sharing servers that split the file into data and resource information. This is transparent to the client. Changing the actual drive format just to allow AFP does not seem realistic. Might be a nice benefit but not as the REASON for this feature. – Simurr – 2009-08-27T17:33:30.270

There may be other ways to do this, but that is why it was included in the first place, and it hasn't been removed, ergo it is the reason it is there. Can it be replaced by another mechanism to do the same thing? Absolutely. Will Microsoft ever bother? Probably not. – Bruce McLeod – 2009-08-28T05:23:10.470

5

Here's a good article on the potential security vulnerability posed by Alternate Data Streams.

JP Alioto

Posted 2009-07-23T23:44:21.113

Reputation: 6 278

<nitpick>It's a vulnerability, not a threat</nitpick>. And it's not as big of a deal as it sounds. You need to already have credentials to use it. – romandas – 2009-07-23T23:56:05.283

No prob. Btw, check your spelling. And always remember: Threats exploit vulnerabilities. Threats are people, usually, but natural and man-made disasters count too. – romandas – 2009-07-24T00:08:00.590

@romandas, what credentials do you already need to have? At home most Windows users (XP in particular) are running with Admin privileges so why isn't this a big deal as it sounds? – Ash – 2009-07-24T02:57:41.327

@ashh, "with a method of hiding ... on a breached system". The system has to already be compromised in the first place to hide anything, and similarly to execute anything hidden like this. – KTC – 2009-07-28T07:50:35.027

5

I'd imagine one of the main uses (perhaps even the intended use) would be to transparently allow addition of any kind of meta-data to a file. The reason the file size does not change is in this scenario you do not want the file to look or behave any differently lest the originating application relies on some aspect of the way the file looks.

I could imagine interesting uses in IDEs for example, where sometimes multiple files are involved to form a single unit (code file / form file, etc), which could be attached to the original file in this way so that they cannot accidentally get separated.

I also believe there is a command to find all such 'attachments' in a given directory tree, so they are not actually completely hidden. It also would surprise me if the better virus scanners are not aware of this and check these 'hidden' areas, but you could check that by purposely attaching an infected executable to a text file and seeing if it gets picked up.

jerryjvl

Posted 2009-07-23T23:44:21.113

Reputation: 2 505

Could you please post a link to such an executable so I can try? ;) – R. Martinho Fernandes – 2009-07-24T02:19:43.473

I suggest you run AVG on your machine, and then grab one of the executables from the quarantine folder to try ;) – jerryjvl – 2009-07-24T02:27:37.333

2

@martinho, you want the EICAR test file:

X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*

Just paste that text (exactly 68 bytes of ASCII text, see http://www.eicar.org/anti_virus_test_file.htm for the whole story) into a file named with the extension .COM. It will run and print a message. Unless your AV is working, of course. Drop it into an alternate data stream and check there too.

– RBerteig – 2009-07-28T07:07:10.200

@RBerteig: Hey cool... didn't know there was such a thing. – jerryjvl – 2009-07-28T10:33:19.097

@jerryjvl, as they say, it beats testing the fire alarm by lighting the wastebasket on fire... – RBerteig – 2009-07-30T20:39:16.853

@RBerteig: it's just surprising that AV companies'd get together on something like that ... (or any companies for that matter!) ... and that then is kinda sad really... – jerryjvl – 2009-07-30T21:35:54.690

4

Good question, I wasn't properly aware of ADS until last year and I've been a Windows developer for many years. I can guarantee that I am not alone on this.

Regarding being able to check for alternate data on files, I found the useful little tool called Lads available from Frank Heyne software. It can list ADS on all files in a given directory, even on encrypted files (and also within subdirectories).

Ash

Posted 2009-07-23T23:44:21.113

Reputation: 2 611
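As an added example (not code from the thread, from Lads, or from any other tool mentioned above), this PowerShell function does what jerryjvl's "command to find all such attachments" and Ash's Lads tool do: it walks a directory tree, lists every alternate data stream, skips the benign Zone.Identifier download marker from the accepted answer, and flags streams whose first two bytes are the MZ signature of a Windows executable. It assumes Windows PowerShell 3.0 or later (5.1 for the -Encoding Byte parameter) on an NTFS volume; C:\hide is the folder from the question.

```powershell
# Added example, not from the thread. Lists alternate data streams under a
# directory tree and flags the ones that look like hidden executables.
# Assumes Windows PowerShell 3.0+ (5.1 for -Encoding Byte) on NTFS.
function Find-AlternateDataStreams {
    param(
        [Parameter(Mandatory)][string]$Path,
        # Zone.Identifier is the "downloaded from the Internet" marker
        # described in the accepted answer; it is expected and benign.
        [string[]]$IgnoreStream = @('Zone.Identifier')
    )
    Get-ChildItem -Path $Path -Recurse -File -Force -ErrorAction SilentlyContinue |
      ForEach-Object {
        $file = $_
        # ':$DATA' is the unnamed main stream every file has; skip it so only
        # named (alternate) streams are reported.
        Get-Item -LiteralPath $file.FullName -Stream * -ErrorAction SilentlyContinue |
          Where-Object { $_.Stream -ne ':$DATA' -and $_.Stream -notin $IgnoreStream } |
          ForEach-Object {
            # Read the first two bytes of the stream: EXE/DLL images start with 'MZ'.
            $head = Get-Content -LiteralPath $file.FullName -Stream $_.Stream `
                        -Encoding Byte -TotalCount 2 -ErrorAction SilentlyContinue
            $isPe = ($head.Count -eq 2 -and $head[0] -eq 0x4D -and $head[1] -eq 0x5A)
            [pscustomobject]@{
                File        = $file.FullName
                Stream      = $_.Stream
                Bytes       = $_.Length
                LooksLikePE = $isPe
            }
          }
      }
}

# Usage: report every named stream under C:\hide, then only the MZ-headed ones.
Find-AlternateDataStreams -Path 'C:\hide' | Format-Table -AutoSize
Find-AlternateDataStreams -Path 'C:\hide' | Where-Object LooksLikePE | Format-Table -AutoSize
```

On Windows Vista and later, `dir /R` in cmd.exe also lists the streams of each file, which is enough to spot container.txt:sol.exe from the question without any script.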