
Malware utilising Alternate Data Streams?

Date: 21 August 2007


Hi Members,

We just wanted to let you know of something we've seen recently that is a little out of the ordinary.

We came across a binary hosted on a malicious website, with the following attributes:

MD5: 739471452ff55649e4dbf2f79bd003d9
SHA1: 09caa0bf8f74964329995d08f65fab137a5674dc
Size: 58880 Bytes
Packer: UPX (standard)

Detection was as follows:

AhnLab-V3 2007.8.9.1 2007.08.09 -
AntiVir 2007.08.08 TR/Obfuscated.GP.41
Authentium 4.93.8 2007.08.08 -
Avast 4.7.1029.0 2007.08.08 -
AVG 2007.08.08 -
BitDefender 7.2 2007.08.09 -
CAT-QuickHeal 9.00 2007.08.08 -
ClamAV 0.91 2007.08.09 -
DrWeb 4.33 2007.08.09 -
eSafe 2007.07.31 suspicious Trojan/Worm
eTrust-Vet 31.1.5043 2007.08.08 -
Ewido 4.0 2007.08.08 -
FileAdvisor 1 2007.08.09 -
Fortinet 2007.08.09 W32/Agent.BSE!tr
F-Prot 2007.08.08 -
F-Secure 6.70.13030.0 2007.08.09
Ikarus T3.1.1.12 2007.08.08 Trojan.Win32.Agent.alt
Kaspersky 2007.08.09
McAfee 5093 2007.08.08 -
Microsoft 1.2704 2007.08.09 -
NOD32v2 2445 2007.08.08 -
Norman 5.80.02 2007.08.08 -
Panda 2007.08.08 -
Prevx1 V2 2007.08.09 -
Rising 2007.08.09 -
Sophos 4.19.0 2007.08.01 -
Sunbelt 2.2.907.0 2007.08.09 -
Symantec 10 2007.08.09 -
TheHacker 2007.08.09 -
VBA32 2007.08.09 -
VirusBuster 4.3.26:9 2007.08.08 -
Webwasher-Gateway 6.0.1 2007.08.09 Trojan.Obfuscated.GP.41
Malware detected by 7 vendors out of 32 - 21.875% detection rate.

So, the interesting bit then: this malware makes use of a little-known feature of NTFS called Alternate Data Streams (ADS), or, to those that use Macs, the equivalent of resource forks.

NOTE: This bit is intended for people who DON'T know what an ADS is and how it works:

See for a code example.

Essentially, you can attach any file to any other file, and make that file (and the storage it consumes) effectively invisible.

Visually it looks like this (given a file called test.txt):


   test.txt::$DATA (what Explorer shows)

There are no built-in Windows tools that allow you to view the ADS attached to files. If you know the name of the stream, you can access it via a command prompt (as shown in the above KB article).

Oh, and if you attach a 500MB file to a 1k file, Explorer will still show the file size as 1k. Nice.

Note that the presence of additional streams in a file does not necessarily indicate the presence of malware; they DO have legitimate uses:

  • Zone information - IE attaches zone information to files to identify where they were downloaded from (you can use software restriction policies to prevent execution of files downloaded from specific zones)
  • The "Summary" section of a file properties dialog box may contain information stored in ADS.

Several third party tools are available for viewing file streams:

lads.exe (Frank Heyne)
streams.exe (Sysinternals)
gmer.exe (gmer)

Might be time to add one or more of these to the kits ladies and gents.
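To make the above concrete, here is an added PowerShell walkthrough (not from the original post, and not one of the tools listed above) that builds a scratch test.txt with a hidden stream and a browser-style Zone.Identifier stream, shows that the reported size ignores the extra streams, and then enumerates streams the way streams.exe or lads.exe would. It assumes PowerShell 3.0 or later (where the -Stream parameter was added) and an NTFS volume; the scratch path and stream names are constructed for the demo.

```powershell
# Added example: demonstrate NTFS alternate data streams from a defender's view.
# Requires PowerShell 3.0+ and an NTFS volume. Paths and stream names are constructed.
$scratch = Join-Path $env:TEMP 'ads-demo'
New-Item -ItemType Directory -Path $scratch -Force | Out-Null
$file = Join-Path $scratch 'test.txt'

# Default (unnamed) stream: this is all Explorer and "dir" report on
Set-Content -LiteralPath $file -Value 'visible contents'

# Attach a second, named stream; the size shown for test.txt does not change
Set-Content -LiteralPath $file -Stream 'hidden' -Value ('A' * 1MB)

# Mimic the zone marker a browser writes to a download (a legitimate ADS use)
Set-Content -LiteralPath $file -Stream 'Zone.Identifier' -Value "[ZoneTransfer]`r`nZoneId=3"

# Size as Explorer sees it: only the unnamed ::$DATA stream counts (a few bytes)
(Get-Item -LiteralPath $file).Length

# Enumerate every stream on the file; the default stream is listed as ':$DATA'
Get-Item -LiteralPath $file -Stream * | Select-Object Stream, Length

# Triage helper: list files under a path carrying any stream other than the
# default data stream and the browser zone marker, for closer inspection
function Find-SuspiciousStreams {
    param([Parameter(Mandatory)][string]$Path)
    Get-ChildItem -LiteralPath $Path -Recurse -File -ErrorAction SilentlyContinue |
        ForEach-Object { Get-Item -LiteralPath $_.FullName -Stream * -ErrorAction SilentlyContinue } |
        Where-Object { $_.Stream -notin ':$DATA', 'Zone.Identifier' } |
        Select-Object FileName, Stream, Length
}

# Flags test.txt with its 'hidden' stream
Find-SuspiciousStreams -Path $scratch

# Clean-up: remove just the named stream; the file and its visible contents stay intact
Remove-Item -LiteralPath $file -Stream 'hidden'
```

Run it from an elevated or regular prompt; only the scratch directory under $env:TEMP is touched.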

Anyway, I thought the whole thing was worth a mention. So I did.

We'd love to hear your thoughts, or similar experiences.