
Alternate Data Streams Windows 2003 Test

Written by The Geekette on September 18, 2005 – 10:30 am
Posted in 2003, Security, Windows


Needless to say, I was inspired by an article on Windows Security that did a test using Windows 2000 to try my own test with Windows XP using NTFS. Now, I have decided to test it using Windows 2003. Below are my findings and screen-by-screen snapshots (thumbnails are shown; click them to see a larger picture):

ADS test using Windows 2003

1. I begin by making a test directory and copying the c:\windows\system32\calc.exe to it. Notice the original date and timestamp (last modified time and date stamp) of the file is 4/3/2003 8:00AM and the size is 113KB. (Image 1 Below)

Alternate Data Streams 2003 Image 1

Here is a listing in DOS that shows the directory with the copied calc.exe file. (Image 2 below)

Alternate Data Streams 2003 Image 2

2. I append an ADS (Alternate Data Stream) to the Windows Calculator program I copied to the test directory, using another Windows program (Notepad, c:\windows\notepad.exe). (Image 3 Below)

Alternate Data Streams 2003 Image 3

Notice the size of the calc program did not change, but the timestamp (last modified time and date stamp) DID change. (Image 4 and Image 5 Below)

Alternate Data Streams 2003 Image 4

Alternate Data Streams 2003 Image 5

3. Next, I executed the new ADS notepad.exe using the standard start command. (Image 6 Below)

Alternate Data Streams 2003 Image 6

On the desktop, the NOTEPAD program popped up, even though I had executed the CALC program in the command line. (Image 7 Below)

Alternate Data Streams 2003 Image 7

4. By using CTRL + ALT + DELETE to get the Task Manager, I noticed that my test varied a bit. In the task manager, I could clearly see that calc.exe was running (which I had executed at the command prompt), but, unlike the simple demonstration using Windows 2000, Windows 2003 displayed the calc.exe name and ADS command, much like Windows XP. (Image 8 Below)

Alternate Data Streams 2003 Image 8

This is where I must stop and note that, depending on the version of Windows used, things can be displayed slightly differently.
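The screenshots above show the stream being added and launched; the defender's counterpart is finding such streams before they are run. The following is an added example, not code from the original post. It assumes Windows PowerShell 3.0 to 5.1 (not available on Windows 2003 itself), an NTFS volume, and a placeholder directory C:\adstest standing in for the test directory.

```powershell
# Added example: list named alternate data streams under a directory.
# Assumes Windows PowerShell 3.0-5.1 on NTFS; C:\adstest is a placeholder path.
param(
    [string]$Path = 'C:\adstest'
)

# Read the first two bytes of a stream and report whether they are the
# 'MZ' signature every Windows executable starts with.
function Test-PeHeader {
    param([string]$File, [string]$Stream)
    try {
        $bytes = Get-Content -LiteralPath $File -Stream $Stream -Encoding Byte -TotalCount 2 -ErrorAction Stop
        return ($bytes.Count -eq 2 -and $bytes[0] -eq 0x4D -and $bytes[1] -eq 0x5A)
    } catch {
        return $false
    }
}

function Find-AlternateDataStreams {
    param([Parameter(Mandatory)][string]$Root)

    Get-ChildItem -LiteralPath $Root -Recurse -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file = $_
            # '-Stream *' returns every stream; the file's normal content is the
            # unnamed stream ':$DATA'. 'Zone.Identifier' is the browser download
            # marker and is filtered out as expected noise.
            Get-Item -LiteralPath $file.FullName -Stream * -ErrorAction SilentlyContinue |
                Where-Object { $_.Stream -ne ':$DATA' -and $_.Stream -ne 'Zone.Identifier' } |
                ForEach-Object {
                    [pscustomobject]@{
                        File          = $file.FullName
                        Stream        = $_.Stream
                        StreamBytes   = $_.Length
                        # Explorer and 'dir' report only the unnamed stream, which is
                        # why the file size in the post did not change.
                        ReportedBytes = $file.Length
                        LastWrite     = $file.LastWriteTime
                        LooksLikePE   = (Test-PeHeader -File $file.FullName -Stream $_.Stream)
                    }
                }
        }
}

Find-AlternateDataStreams -Root $Path | Format-Table -AutoSize
```

For the test described in this post, the copied calc.exe would appear as one row whose ReportedBytes is still the calculator's size while StreamBytes is the size of notepad.exe and LooksLikePE is True, with LastWrite matching the changed timestamp noted in step 2.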

As the makers of many common anti-virus, adware and spyware removal programs have become aware that this technique can be used, companies such as Lavasoft (makers of Ad-Aware) are adding scanning features for this type of exploit to their programs. Although there is protection, the threat still exists.

To see this demonstration using Windows XP, I have posted it at Alternate Data Streams and Windows XP Test. Soon, I will be adding Windows Vista to this as well.

Alternate Data Streams Series

  1. Alternate Data Streams and Windows XP Test
  2. Alternate Data Streams Windows 2003 Test
