Alternate Data Streams

  • Thread starter: Daniel L. Belton

Daniel L. Belton

Is there any way to disable the ADS capability in WinXP? I have been
hit with a trojan dropper that is using the ADS in my \Windows\System32
folder to hide from scanners, and I have no use for ADS anyway, so I
want to disable them from being used at all. Is there any way to do
this without going back to using FAT32 instead of NTFS?

Thanks
Daniel Belton
 
Daniel L. Belton said:
Is there any way to disable the ADS capability in WinXP? I have been
hit with a trojan dropper that is using the ADS in my \Windows\System32
folder to hide from scanners, and I have no use for ADS anyway, so I
want to disable them from being used at all. Is there any way to do
this without going back to using FAT32 instead of NTFS?

Hi

I don't think you can disable it.

You can use this utility to delete existing streams though:

Streams
http://www.sysinternals.com/ntw2k/source/misc.shtml#Streams


More about streams here:

Platform SDK: Storage
File Streams
http://msdn.microsoft.com/library/en-us/fileio/base/file_streams.asp

A Programmer's Perspective on NTFS 2000 Part 1: Stream and Hard Link
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnfiles/html/ntfs5.asp

A File System for the 21st Century: Previewing the Windows NT 5.0 File System
http://www.microsoft.com/msj/defaultframe.asp?page=/msj/1198/ntfs/ntfs.htm&nav=/msj/1198/newnav.htm
 
I have been hit with a trojan dropper that is using the ADS in my
\Windows\System32 folder to hide from scanners

Out of curiosity, how do you know it's a trojan dropper if it's hiding
from scanners? And I'm even more curious to know how it was delivered to
your machine. As far as scanners go, Kaspersky Anti-Virus
(http://www.kaspersky.com/) will detect malware in alternate data
streams.


I have no use for ADS anyway, so I want to disable them from being
used at all. Is there any way to do this without going back to using
FAT32 instead of NTFS?

Not that I know of. Other freeware tools you can use in addition to
Streams are Crucial ADS (http://www.crucialsecurity.com/downloads.html)
and LADS (http://www.heysoft.de/Frames/f_sw_la_en.htm).
 
Torgeir said:
Hi

I don't think you can disable it.

You can use this utility to delete existing streams though:

Streams
http://www.sysinternals.com/ntw2k/source/misc.shtml#Streams


More about streams here:

Platform SDK: Storage
File Streams
http://msdn.microsoft.com/library/en-us/fileio/base/file_streams.asp

A Programmer's Perspective on NTFS 2000 Part 1: Stream and Hard Link
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnfiles/html/ntfs5.asp

A File System for the 21st Century: Previewing the Windows NT 5.0 File System
http://www.microsoft.com/msj/defaultframe.asp?page=/msj/1198/ntfs/ntfs.htm&nav=/msj/1198/newnav.htm

--
torgeir
Microsoft MVP Scripting and WMI, Porsgrunn Norway
Administration scripting examples and an ONLINE version of the 1328 page
Scripting Guide: http://www.microsoft.com/technet/scriptcenter

Thanks... Nice utility, but I would much rather have the option of
disabling ADS since it's really not needed, and it leaves a big security
hole open. Seems like this hole should have been patched years ago
since information I have found goes back over 6 years and it was
mentioned then that ADS could be used for just this purpose...

Daniel Belton
 
Daniel,

The additional data streams are a function of NTFS.
While you may think you do not have any use for them - it is up to
applications if they use them.
If you could disable them - it may break any applications that use them.
Check with your anti-virus vendor to see if their product does scan the
additional streams on NTFS. If not, maybe another vendor does.

You should also consider improving your anti-virus and SPAM filtering to
protect yourself against whatever malicious application you have that is
using the additional streams.
Additional data streams are not a security hole. The hole is elsewhere
since you allowed an application into your environment that can use this
function of the file system. To claim they are a security hole is like
claiming the file system in general is a hole since you can get a virus that
deletes your files. The issue here is more related to the initial
allowance of the rogue application into your environment and a deficiency
in the scanning software to detect it.

--
Regards,

Mike
--
Mike Brannigan [Microsoft]

This posting is provided "AS IS" with no warranties, and confers no
rights

Please note I cannot respond to e-mailed questions, please use these
newsgroups
 
Sarge said:
Out of curiosity, how do you know it's a trojan dropper if it's hiding
from scanners? And I'm even more curious to know how it was delivered to
your machine. As far as scanners go, Kaspersky Anti-Virus
(http://www.kaspersky.com/) will detect malware in alternate data
streams.

Know of any Windows apps that put an ADS in your Windows\System32 folder
with .exe filenames?

Not that I know of. Other freeware tools you can use in addition to
Streams are Crucial ADS (http://www.crucialsecurity.com/downloads.html)
and LADS (http://www.heysoft.de/Frames/f_sw_la_en.htm).

I have those two, and they are good at finding and displaying the ADS...
Just not good at removing them. I want a way to disable it since it's
not needed and leaves a big security hole open.
 
Mike said:
Daniel,

The additional data streams are a function of NTFS.
While you may think you do not have any use for them - it is up to
applications if they use them.
If you could disable them - it may break any applications that use them.
Check with your anti-virus vendor to see if their product does scan the
additional streams on NTFS. If not, maybe another vendor does.

You should also consider improving your anti-virus and SPAM filtering to
protect yourself against whatever malicious application you have that is
using the additional streams.
Additional data streams are not a security hole. The hole is elsewhere
since you allowed an application into your environment that can use this
function of the file system. To claim they are a security hole is like
claiming the file system in general is a hole since you can get a virus that
deletes your files. The issue here is more related to the initial
allowance of the rogue application into your environment and a deficiency
in the scanning software to detect it.

Well, I am running a hardware firewall with ZoneAlarm Pro as well. I
have Kaspersky Antivirus running resident, and also do full scans twice
weekly with Norton and F-Prot. As far as spam goes, with Mozilla, I
don't allow any attachments to be saved, plus all emails get scanned by
ZoneAlarm Pro before it even gets to my email program. I have K9 to
filter out spam, and I don't even open mail I don't know what it is.

Now... all the information I can find on ADS points to the only use of
it being to communicate with the MAC, and really not even used for that.
WindowsXP and 2000 use it to store thumbnail information for graphics
files, but it's not necessary. Plus, any applications that depended on
this information would not work with a system running the FAT
filesystem, so I don't think any software vendor will write an
application that depends on it being there.

So there is no reason that I can find to not have a way to disable it.
 
microsoft.public.windowsxp.security_admin news group, Daniel L. Belton
Now... all the information I can find on ADS points to the only use of
it being to communicate with the MAC, and really not even used for that.
WindowsXP and 2000 use it to store thumbnail information for graphics
files, but it's not necessary. Plus, any applications that depended on
this information would not work with a system running the FAT
filesystem, so I don't think any software vendor will write an
application that depends on it being there.

Sorry but you're wrong here. In the first place, since ADS are only
available on NT and up, there are very few folks writing applications
who give a rat's arse about necessarily being able to support the FAT
file system. As a matter of fact, in this age of security concern, more
and more applications are being written that require NTFS.

Even your statement that any application that depends on ADS would fail
on FAT is false. A good example is eTrust Antivirus. If it finds an NTFS
partition, it will use ADS on that partition; if it doesn't, it won't.

So there is no reason that I can find to not have a way to disable it.

The security hole is not ADS, it is letting things in to your network
that can take advantage of ADS. Saying that ADS is a security hole and
should not be used is like saying a web server is a security hole and
should not be used.
 
Know of any Windows apps that put an ADS in your Windows\System32
folder with .exe filenames?

Can't say that I do. You might want to ask over at alt.comp.virus and/or
alt.comp.anti-virus, there are some pretty knowledgeable folks posting
in those groups. You mentioned that you're running Kaspersky resident.
Didn't that catch the trojan as it was being written to disk?


I have those two, and they are good at finding and displaying the
ADS... Just not good at removing them. I want a way to disable it since
it's not needed and leaves a big security hole open.

The easiest way I've found to delete ADS is with the shell extensions
available at:

http://www.giac.org/practical/GCWN/Ryan_Means_GCWN.zip

There's one that'll add a "Streams" property sheet from where you can
extract or delete an ADS, and another that'll add a "Streams Size"
column to Windows Explorer. Read the white paper first:

http://www.giac.org/practical/GCWN/Ryan_Means_GCWN.pdf
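The finding and deleting that the Streams, LADS, Crucial ADS and GIAC shell-extension posts above describe can be done with built-in cmdlets on current Windows. The script below is an added example, not code from the thread or from any of those tools; it assumes PowerShell 3.0 or later on an NTFS volume, and the default path and the list of benign stream names are my own choices.

```powershell
# Added example, not from the thread: audit a directory for NTFS alternate data streams
# with built-in cmdlets. Assumes PowerShell 3.0+ (Get-Item/Remove-Item -Stream) and NTFS.

function Find-AlternateStreams {
    param(
        # Default chosen for this example: the folder the original poster was worried about.
        [string]$Path = (Join-Path $env:SystemRoot 'System32'),
        # Expected streams that are not worth flagging (Zone.Identifier just marks downloads).
        [string[]]$Benign = @('Zone.Identifier')
    )
    Get-ChildItem -LiteralPath $Path -File -Recurse -ErrorAction SilentlyContinue |
      ForEach-Object {
        $file = $_
        # ':$DATA' is the unnamed default stream every file has; any other name is an ADS.
        Get-Item -LiteralPath $file.FullName -Stream * -ErrorAction SilentlyContinue |
          Where-Object { $_.Stream -ne ':$DATA' } |
          ForEach-Object {
            [pscustomobject]@{
                File       = $file.FullName
                Stream     = $_.Stream
                Bytes      = $_.Length
                # A non-empty named stream that is not on the benign list is the case the
                # thread describes (a payload parked behind a System32 executable's name).
                Suspicious = ($Benign -notcontains $_.Stream) -and ($_.Length -gt 0)
            }
          }
      }
}

# Report everything found: suspicious entries first, largest first.
$streams = Find-AlternateStreams
$streams | Sort-Object Suspicious, Bytes -Descending | Format-Table -AutoSize

# Before deleting, keep a copy of each suspicious stream for analysis or an AV-vendor
# submission (Windows PowerShell 5.1 syntax; PowerShell 7 uses -AsByteStream instead).
foreach ($s in $streams | Where-Object Suspicious) {
    $dump = '{0}_{1}.bin' -f (Split-Path -Leaf $s.File), ($s.Stream -replace '[:$]', '_')
    Get-Content -LiteralPath $s.File -Stream $s.Stream -Encoding Byte -Raw |
      Set-Content -LiteralPath $dump -Encoding Byte
    # Remove only the named stream; the file's own content (default stream) is untouched.
    Remove-Item -LiteralPath $s.File -Stream $s.Stream -Confirm
}
```

Run it from an elevated prompt; `dir /r` in cmd.exe shows the same stream names and sizes if you only want to look.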
 
Paul said:
microsoft.public.windowsxp.security_admin news group, Daniel L. Belton

Sorry but you're wrong here. In the first place, since ADS are only
available on NT and up, there are very few folks writing applications
who give a rat's arse about necessarily being able to support the FAT
file system. As a matter of fact, in this age of security concern, more
and more applications are being written that require NTFS.

Even your statement that any application that depends on ADS would fail
on FAT is false. A good example is eTrust Antivirus. If it finds an NTFS
partition, it will use ADS on that partition; if it doesn't, it won't.

The security hole is not ADS, it is letting things in to your network
that can take advantage of ADS. Saying that ADS is a security hole and
should not be used is like saying a web server is a security hole and
should not be used.

Ok... I run more virus scanners and spyware checkers than the average
person. If it got through on my machine, then it probably is already on
thousands of other machines already just waiting to hit. I am much more
careful about what I run than the average user, and in my 39 years of
computer use, I have not had even 1 virus get onto my machine. This
trojan dropper is the first, and I got it before it could do any damage.
But what about the other millions of average people that aren't so
careful? How many hosed systems will there be before anyone listens?
There have already been virii written to take advantage of ADS, but most
of the leading anti-virus scanners won't even scan the ADS.
 
Sarge said:
Can't say that I do. You might want to ask over at alt.comp.virus and/or
alt.comp.anti-virus, there are some pretty knowledgeable folks posting
in those groups. You mentioned that you're running Kaspersky resident.
Didn't that catch the trojan as it was being written to disk?

Nope... It didn't catch it, however about a week later one of their
updates had it in there.

The easiest way I've found to delete ADS is with the shell extensions
available at:

http://www.giac.org/practical/GCWN/Ryan_Means_GCWN.zip

There's one that'll add a "Streams" property sheet from where you can
extract or delete an ADS, and another that'll add a "Streams Size"
column to Windows Explorer. Read the white paper first:

http://www.giac.org/practical/GCWN/Ryan_Means_GCWN.pdf

Thanks! I haven't seen those yet. I'll go give them a look and see
what it looks like.
 