Alternate Data Streams Windows 2003 Test
Written by The Geekette on September 18, 2005 – 10:30 am. Posted in 2003, Security, Windows
Needless to say, an article on Windows Security that ran a test using Windows 2000 inspired me to try my own test with Windows XP using NTFS. Now, I have decided to test it using Windows 2003. Below are my findings and screen-by-screen snapshots:
ADS test using Windows 2003
1. I begin by making a test directory and copying the c:\windows\system32\calc.exe to it. Notice the original date and timestamp (last modified time and date stamp) of the file is 4/3/2003 8:00AM and the size is 113KB. (Image 1 Below)
Here is a listing in DOS that shows the directory with the copied calc.exe file. (Image 2 below)
2. I append an ADS (Alternate Data Stream) containing another Windows program (Notepad – c:\windows\notepad.exe) to the copy of the Windows Calculator program in the test directory. (Image 3 Below)
Notice the size of the calc program did not change, but the timestamp (last modified time and date stamp) DID change. (Image 4 and Image 5 Below)
3. Next, I executed the new ADS notepad.exe using the standard command start. (Image 6 Below)
On the desktop, the NOTEPAD program popped up, even though I had executed the CALC program in the command line. (Image 7 Below)
4. By using CTRL + ALT + DELETE to get the Task Manager, I noticed that my test varied a bit. In the task manager, I could clearly see that calc.exe was running (which I had executed at the command prompt) but, unlike the simple demonstration using Windows 2000, Windows 2003 displayed the calc.exe name and ADS command, much like Windows XP. (Image 8 Below)
This is where I must stop and note that, depending on the version of Windows used, things can be displayed slightly differently.
Many common anti-virus programs and adware and spyware removers, such as Ad-Aware, now recognize that this technique can be used, and many companies, such as Lavasoft (makers of Ad-Aware), are adding scanning features for this type of exploit to their programs. Although there is protection, the threat still exists.
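To check a directory for this yourself, here is an added example (not part of the original post) that lists every named stream attached to a file and flags the ones that start with an executable header, alongside the unchanged listed size and the last-modified time noted in step 2. It assumes Windows PowerShell 3.0 to 5.1 on an NTFS volume; `C:\test` and the function name `Find-AlternateStream` are placeholders.

```powershell
# Added example: audit a directory tree for NTFS alternate data streams (ADS).
# Assumptions: Windows PowerShell 3.0-5.1, NTFS volume; C:\test is a placeholder path.
param(
    [string]$Root = 'C:\test'   # hypothetical test directory, not from the post
)

function Find-AlternateStream {
    param([Parameter(Mandatory)][string]$Path)

    # Files only: this sketch does not inspect streams attached to directories.
    Get-ChildItem -LiteralPath $Path -File -Recurse -Force -ErrorAction SilentlyContinue |
    ForEach-Object {
        $file = $_
        # Every file has one unnamed stream, reported as ':$DATA'. Anything else is an ADS.
        Get-Item -LiteralPath $file.FullName -Stream * -ErrorAction SilentlyContinue |
        Where-Object { $_.Stream -ne ':$DATA' } |
        ForEach-Object {
            $stream = $_
            # Read only the first two bytes to test for a PE header ("MZ" = 0x4D 0x5A).
            $head = @(Get-Content -LiteralPath $file.FullName -Stream $stream.Stream `
                        -Encoding Byte -TotalCount 2 -ErrorAction SilentlyContinue)
            [pscustomobject]@{
                File         = $file.FullName
                Stream       = $stream.Stream
                StreamBytes  = $stream.Length
                ListedBytes  = $file.Length          # what dir and Explorer show
                LastWrite    = $file.LastWriteTime   # changes when a stream is written
                StartsWithMZ = ($head.Count -eq 2 -and $head[0] -eq 0x4D -and $head[1] -eq 0x5A)
            }
        }
    }
}

# Executable-looking streams first. 'Zone.Identifier' streams are normally benign
# download markers written by Windows and browsers.
Find-AlternateStream -Path $Root |
    Sort-Object StartsWithMZ -Descending |
    Format-Table -AutoSize
```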
To see this demonstration using Windows XP, I have posted it at Alternate Data Streams and Windows XP Test. Soon, I will be adding Windows Vista to this as well.
Alternate Data Streams Series
- Alternate Data Streams and Windows XP Test
- Alternate Data Streams Windows 2003 Test










