The Dark Side of NTFS (Microsoft’s Scarlet Letter)
by H. Carvey
Introduction
Microsoft platforms continue to proliferate and multiply. Corporate server and desktop systems are running Windows NT (NT) and Windows 2000 (2K), while home user and student systems are running Windows XP (XP). These platforms are extremely popular, and in widespread use. However, very little is known by the administrators and users of these systems about a feature of the NTFS file system called "alternate data streams".
NTFS is the preferred file system due to its stability, functionality, and the level of security it provides. NTFS alternate data streams (ADSs) are provided for compatibility with the Macintosh Hierarchical File System (HFS), which uses resource forks to maintain information associated with a file, such as icons, etc (RUSS00). While Microsoft provides a means for creating specific ADSs via Windows Explorer, the necessary tools and functionality for detecting the presence of arbitrary ADSs is conspicuously absent. Oddly enough, the operating systems have the necessary native functionality and tools to allow a user to create ADSs and to execute code hidden within those streams. Microsoft KnowledgeBase article Q101353 acknowledges the fact that the Win32 base API supports ADSs inconsistently.
The purpose of this paper is to describe in detail how ADSs are created and manipulated, and how code hidden in ADSs can be executed. Specific differences in the treatment of ADSs by NT, 2K, and XP will be noted.
Creating ADSs
The syntax used to create ADSs is relatively simple and straightforward. To create an ADS associated with the file "myfile.txt", simply separate the default stream name from the ADS name with a colon.
c:\ads>echo This is an ADS > myfile.txt:hidden
Additionally, an ADS can be created using the contents of another file.
c:\ads>echo This is a test file > test.txt
c:\ads>type test.txt > myfile.txt:hidden
The ADS can then be verified using Notepad.
c:\ads>notepad myfile.txt:hidden
However, none of the variations of the ‘dir’ command nor any available switches or settings for Windows Explorer will detect the presence of this newly created ADS.
Additionally, ADSs can be created and associated with the directory listing, rather than a file. This peculiarity will take on some significance later in this article, but for now it’s sufficient to describe how such ADSs can be created.
c:\ads>echo This ADS is tied to the directory listing > :hidden
ADSs of this type can be created with Notepad and the ‘type’ command, as well.
The content of ADSs should not be considered limited to simply text data. Any stream of binary information can constitute a file, and the ADS is nothing more than a file. Executables can be hidden in ADSs quite easily.
c:\ads>type c:\winnt\notepad.exe > myfile.txt:np.exe
c:\ads>type c:\winnt\system32\sol.exe > myfile.txt:sol2.exe
Similarly, image files, audio files, or any other stream of data can be hidden in ADSs.
Finally, Windows Explorer provides a means by which very specific ADSs can be created (RUSS00). If the user opens Explorer and chooses a file, and then right-clicks on that file, a drop-down menu appears. Choosing "Properties" will open a Properties dialogue, and choosing the Summary tab (see Fig. 1) will reveal fields in which the user can insert information.
Figure 1: Summary Tab of Properties Dialogue
ADSs have no attributes of their own, per se. The access rights assigned to the default unnamed stream control access for creating or viewing ADSs. Quite simply, if a user cannot write to a file, that user cannot add an ADS to that file. Further, while Windows File Protection prevents the replacement of protected system files, it does not prevent a user with the appropriate permissions from adding ADSs to those system files. The System File Checker (sfc.exe) will verify that protected system files have not been overwritten, but will not detect ADSs.
Users and administrators should also be aware of KB article
Q319300
, which states that the Windows 2000 Content Indexing Server adds alternate
data streams named "?Q30lsldxJoudresxAssqpcawXc" to image files on NTFS volumes.
These ADSs contain thumbnails of the images.
Detecting, Viewing, and Manipulating ADSs
As previously stated, Microsoft provides no tools or utilities either within
the operating system software distribution or the Resource Kits for detecting
the presence of ADSs. One of the best tools available for this is lads.exe,
written by Frank Heyne
. Lads.exe is currently available as version 3.01, and does an excellent
job of reporting the availability of ADSs. For administrators used to working
with graphical tools, lads.exe is a command line interface (CLI) tool that
reports its findings to the screen (i.e., standard output or STDOUT). Figure
2 shows an example lads.exe output, run against the test directory, c:\ads.
Figure 2: LADS Output for c:\ads
Figure 2 shows just how useful lads.exe can be. Not only does the utility report the presence of ADSs, but it also reports the full path and size for each ADS. Particular note should be taken of the three of the ADSs associated with myfile.txt. Two begin with an ASCII character resembling the spade from a playing card, and the third is a long series of numbers and letters between two curly braces. These are the ADSs that were associated with the file using the Summary tab of the Properties dialogue (fig. 1).
Once an ADS is detected, what can be done to view its contents? Notepad is a very handy utility for viewing files, and can be used for viewing the contents of ADSs. However, there is a catch. For example, the following command produces unexpected results:
c:\ads>notepad myfile.txt:hidden
When this command is executed, Notepad opens and asks if the user wishes to create a new file. This is an unusual request, because the ADS was created earlier. In order to observe the expected results enter the following commands:
c:\ads>echo This is another ADS > myfile.txt:hidden.txt
c:\ads>notepad myfile.txt:hidden.txt
The same effects can be observed when the ADS is associated the directory listing, as in ":hidden.txt". The addition of the extension on the end of the filename allows the ADS to be opened in Notepad. This will also work for other ADSs, such as:
c:\ads>notepad myfile.txt:np.exe
ADSs are a feature of the NTFS file system, so if a file with an ADS is moved to a disparate file system, such as FAT, FAT32, or ext2, the ADS is removed, as it is not supported on these other file systems. ADSs are preserved if the default unnamed stream (i.e., myfile.txt from the previous examples) is copied or moved across NTFS partitions, or even to a mapped NTFS drive. This can be accomplished using the ‘copy’ or ‘move’ commands, as appropriate.
Removing all ADSs from a default stream is relatively simple, using the following commands:
c:\ads>type myfile.txt > myfile.bat
c:\ads>del myfile.txt
c:\ads>ren myfile.bat myfile.txt
Using LADS, it is easy to verify that all ADS created in the above examples have vanished.
Executing ADSs
In previous examples, executables were hidden in ADSs. This information seems fairly useless unless the executables themselves can be launched, without the overhead of having to copy them out of the ADS first. In fact, the ‘start’ command can be used to do just that. Since the executables hidden earlier were deleted, rerunning the commands will serve the purpose of an example. Using the ‘type’ command, hide Notepad and Solitaire in ADSs associated with myfile.txt.
On NT, a simple command will launch either executable (MCCL99):
c:\ads>start myfile.txt:np.exe
c:\ads>start myfile.txt:sol2.exe
However, these commands generate an error on 2K. From the error message, it appears as if the information pointing to the executable wasn’t sufficient. Therefore, either absolute or relative paths should suffice, and running either of the following commands will demonstrate this:
c:\ads>start c:\ads\myfile.txt:np.exe
c:\ads>start .\myfile.txt:np.exe
An interesting item to note is how the process appears while running.
For example, running pslist.exe from SysInternals after executing either
of the above two commands displays a process called "myfile.txt" running with
a PID of 1512, as shown in figure 3.
Figure 3: Process listing using pslist.exe
Figure 4 shows the process running in the Process tab of the TaskManager.
Figure 4: Process Tab of 2K Task Manager
Oddly enough, the Process tab on 2K shows that PID 1512 has an Image Name
of "myfile.txt". Figure 5 shows the Application tab of the Task Manager.
Figure 5: Applications Tab of 2K Task Manager
Figure 6 shows that the Process tab of the Task Manager on XP displays
when the same command is executed on that operating system.
Figure 6: Process Tab of XP Task Manager
Finally, obtaining information about the process with listdlls.exe from
SysInternals will display "c:\ads\myfile.txt:np.exe" as the command line for
the above command (see fig. 7), on both 2K and XP.
Figure 7: Output of listdlls.exe on 2K
An alternative method for launching hidden executables on 2K is a shortcut (KASP01). To demonstrate the point, create a shortcut on the desktop. The location of the item for this shortcut should be "c:\ads\myfile.txt". Once the shortcut has been created, observe the icon on the desktop. Assuming the ADS for Solitaire was created, edit the Properties of the shortcut so that the target now refers to "c:\ads\myfile.txt:sol2.exe". Wait a few seconds and observe any changes to the icon. Launch the executable by double-clicking the icon.
Interestingly enough, as similar technique works by adding an entry to the Windows Startup Folder (KASP01) or to the ‘Run’ key in the Registry (KASP01). The full path to the key is:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
Specifying the complete path to the hidden executable will guarantee that it is launched the next time the system is started.
Yet another method for launching executables hidden in ADSs is via the ‘Run’ box in the Start menu (KASP01). Clicking on the Start button, then "Run", and typing the following command will launch the Solitaire ADS:
file:///c:/ads/myfile.txt:sol2.exe
For administrators using Perl , the Perl interpreter handles ADSs quite easily. For example, the following lines of Perl code make use of backticks to launch an ADS:
my $file = 'c:\ads\myfile.txt:sol2.exe';
`$file`;
Save the above code as ‘ads.pl’, and execute the code by typing:
c:\perl>ads.pl
As an interesting variation, the following code also works:
c:\perl>type ads.pl > myfile.txt:ads.pl
c:\perl>perl myfile.txt:ads.pl
The Windows Scripting Host (WSH) began shipping with 2K and presents some interesting possibilities with regards to ADSs (KASP01). This is particularly important because WSH is native to the 2K and XP distributions, while Perl must be installed separately. To demonstrate the capabilities of WSH, type the following command:
c:\ads>echo MsgBox "VBS file to test ADSs" > ads.vbs
To execute the script using WSH, type:
c:\ads>wscript ads.vbs
Alternatively, type:
c:\ads>cscript ads.vbs
Or, simply double-click the file in Windows Explorer. All three of these methods will run the VBScript code. Now type the following commands:
c:\ads>type ads.vbs > myfile.txt:ads.vbs
c:\ads>wscript myfile.txt:ads.vbs
Or:
c:\ads>start .\myfile.txt:ads.vbs
Cscript.exe also runs the script. Alternatively, the shortcut and Run box methods mentioned above also run the script (KASP01).
The Really, Really Dark Side
If the script hidden in an ADS ends with a different extension (i.e., other than ".vbs"), WSH has trouble recognizing the type of file, and will complain that an engine for executing the file cannot be found. For example:
c:\ads>type ads.vbs > myfile.txt:ads.txt
c:\ads>wscript myfile.txt:ads.txt
Executing the second command above results in the error described. However, both wscript.exe and cscript.exe have switches that allow the administrator to control the execution of the program. The command syntax can be seen by typing:
c:\ads>wscript /?
The "//E" switch allows the user to specify an engine to be used. The new command looks like:
c:\ads>wscript //E:vbs myfile.txt:ads.txt
This provides some interesting opportunities for malicious use. For example, the earlier example of ADSs produced via Windows Explorer (i.e., the Summary tab of the Properties dialogue for a file) produced on ADS with the name "♣SummaryInformation". Code, such as VBScript, can be created and written to an ADS with the same name, and then launched. The following Perl code illustrates this:
my $file = "c:\\ads\\myfile.txt:".chr(5)."SummaryInformation";
my $src = 'c:\ads\ads.vbs';
`type $src > $file`;
`wscript //E:vbs $file`;
The final command in the script is the one of interest. For both wscript.exe and cscript.exe, the "//E" switch forces the application to use a particular script engine. In this case, the ADS containing the script to be launched has no file extension, so the scripting host has no means for determining the scripting engine to be used. This example could also apply quite easily to ADSs created by the Content Indexing Server, as mentioned above.
Conclusion
ADSs are a feature of the NTFS file system intended to provide compatibility with HFS, which may still be necessary for compatibility. However, the lack of visibility of this "feature" poses a significant risk for administrators. There has already been one virus released that employed ADSs, W2K.Stream written by Bennie and Ratter of the group 29A (KASP01). As the release of malware and incidents of cybercrime increase, the malicious use of ADSs will likely increase as well.
The solution is not to stop using the NTFS file system, as the benefits in security and reliability are too great. This "feature" has remained part of the file system since NT 3.1. Given the circumstances, a far more prudent solution would have been to include support for HFS files in the File and Print Services for the Macintosh, rather than the file system. As it is, administrators should make judicious use of discretionary access control lists (DACLs) on files and directories (CARV00), and regularly scan their critical systems using utilities such as lads.exe. In addition, Microsoft should be lobbied to add the ability to detect and view ADSs to Windows Explorer and the command interpreter. A more than appropriate measure would be to have ADSs appear in Windows Explorer by default, using an icon with a scarlet "A" to signify an ADS. Additionally, Microsoft should provide restrictions within the operating system for creating processes from executable files whose names contain a colon.
Further, antivirus software vendors should include support for ADSs within their products by default. While many of the worms seen over the past year or more have been executables written in Visual Basic or Delphi, others have been Visual Basic scripts. This malware has been capable of wreaking considerable havoc, and all prudent steps should be taken to protect systems.
References
RUSS00 Russinovich, M., Inside Win2K NTFS, Part 2 , Windows 2000 Magazine, November, 2000
MCCL99 McClure, S., Scambray, J., and Kurtz, G., Hacking Exposed: Network Security Secrets and Solutions, Berkeley: Osbourne, 1999
KASP01 Kaspersky, E. and Zenkin, D., NTFS Alternate Data Streams , Windows and .Net Magazine, Spring 2001
CARV00 Carvey, H., Network Trojans: What You REALLY Need To Know , Information Security Bulletin, Vol. 5, Issue 8