Alternate Data Streams and Windows XP Test
Written by The Geekette on September 18, 2005 – 9:53 am. Posted in Security, Windows, XP.
Needless to say, I was inspired by an article on Windows Security that did a test using Windows 2000 to try my own test with Windows XP using NTFS. Below are my findings, with screen-by-screen snapshots:
ADS test using Windows XP
1. I begin by making a test directory and copying the c:\windows\system32\calc.exe to it. Notice the original date and timestamp (last modified time and date stamp) of the file is 8/23/2001 8:00AM and the size is 112KB.
Here is a listing in DOS that shows the directory with the copied calc.exe file.
2. I append an ADS (Alternate Data Stream) to the Windows Calculator program I copied to the test directory with another Windows program (Notepad - c:\windows\notepad.exe).
Notice the size of the calc program did not change, but the timestamp (last modified time and date stamp) DID change.
3. Next, I executed the new ADS notepad.exe using the standard start command.
On the desktop, the NOTEPAD program popped up, even though I had executed the CALC program in the command line.
4. By using CTRL + ALT + DELETE to get the Task Manager, I noticed that my test varied a bit. In the task manager, I could clearly see that calc.exe was running (which I had executed at the command prompt) but, unlike the simple demonstration using Windows 2000, Windows XP displayed the calc.exe name and ADS command.
This is where I must stop and note that, depending on the version of Windows used, things can be displayed slightly differently. Would the average user look at the Task Manager and know that something was different about the calc.exe program that was running? Probably not. Would the average user think anything of the Notepad program popping up when the Windows Calculator was used? Some would; others would pass it off as a coincidence or as accidentally hitting the wrong key.
Something as simple as this can lead to more intensive scripts and exploits being written. Microsoft itself even notes that there is basically no point in still using ADS. According to Microsoft: “Alternate data streams are strictly a feature of the NTFS file system and may not be supported in future file systems. However, NTFS will be supported in future versions of Windows NT.”
By using a simple technique such as this, more elaborate code can be written. It could be a way for a virus writer to exploit a common program and use it to start a VBScript to pass on a virus or compromise a computer or network. Even makers of spyware and adware can incorporate this to create popups and other security/privacy compromising features.
As the makers of common anti-virus products and adware/spyware removers have realized that this technique can be used, many companies - such as Lavasoft (makers of Ad-Aware) - are adding scanning features for this type of exploit to their programs. Although there is protection, the threat still exists.
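The check the scanners above are adding can also be done by hand. The following is an added example, not code from the original post: it walks a directory, lists every alternate data stream on every file, and flags streams that begin with an MZ header (an executable hidden behind another file, like the notepad.exe stream appended to calc.exe in the test). It assumes Windows PowerShell 3.0 or later (5.1 for the byte read) and a test directory of C:\adstest.

```powershell
# Added example: find alternate data streams under a directory (not from the original post).
# Requires Windows PowerShell 3.0+ for -Stream; the -Encoding Byte read below is
# Windows PowerShell 5.1 syntax (PowerShell 7 uses -AsByteStream instead).
param(
    [string]$Root = 'C:\adstest'   # assumed test directory
)

# Get-Item -Stream * returns one record per stream, including the default
# unnamed ':$DATA' stream that every file has. Anything else is an ADS.
# 'Zone.Identifier' is the common benign one (Mark of the Web on downloads).
$findings = Get-ChildItem -Path $Root -File -Recurse -Force |
    ForEach-Object {
        $file = $_
        Get-Item -LiteralPath $file.FullName -Stream * -ErrorAction SilentlyContinue |
            Where-Object { $_.Stream -ne ':$DATA' } |
            ForEach-Object {
                [pscustomobject]@{
                    File        = $file.FullName
                    Stream      = $_.Stream
                    StreamBytes = $_.Length
                    FileBytes   = $file.Length        # dir/Explorer size: excludes the ADS
                    Modified    = $file.LastWriteTime # does change when an ADS is written
                }
            }
    }

if (-not $findings) {
    Write-Output "No alternate data streams found under $Root."
    return
}

$findings | Format-Table -AutoSize

# A stream whose first two bytes are 'MZ' is a PE executable stored in the ADS.
foreach ($f in $findings) {
    $head = Get-Content -LiteralPath $f.File -Stream $f.Stream -Encoding Byte -TotalCount 2 -ErrorAction SilentlyContinue
    if ($head.Count -eq 2 -and $head[0] -eq 0x4D -and $head[1] -eq 0x5A) {
        Write-Warning "$($f.File):$($f.Stream) begins with an MZ header (embedded executable)"
    }
}

# Once a stream has been reviewed, it can be removed without touching the primary file:
#   Remove-Item -LiteralPath $f.File -Stream $f.Stream
```

Note that the FileBytes column matches what dir and Explorer report, which is why the appended stream in the test above did not change the displayed size of calc.exe.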
To see this demonstration using Windows 2003, I have posted it at Alternate Data Streams 2003 Test.