Alternate Data Streams (ADS) are an NTFS feature rather than a vulnerability in themselves, but attackers abuse them to hide malware inside a named stream of an otherwise harmless file, where file browsers and naive scanners that only read the file's default stream never see it.
To understand Alternate Data Streams, read the following article, which outlines their origin, how they are still used today, and the security challenges they raise.
💡 Article : Alternate Data Streams: An Overview | NinjaOne
Alternate Data Streams (ADS) are an NTFS (New Technology File System) feature that lets us store additional data in a named stream attached to a file, without changing the data in the file's default stream. The example you will find on every Windows machine is the Zone.Identifier stream: when a browser downloads a file, it writes a small stream recording the security zone it came from (the "Mark of the Web"), which is why Windows warns you the first time you open the download even though the file's own content is untouched. (Explorer's video thumbnails, by contrast, come from the thumbnail cache, not from a stream stored on the file.)
Every file created on NTFS has at least one data stream and may have more:
Unnamed (default) stream : the $DATA stream that holds the file's actual content; this is the only one Explorer, dir and most tools read, and its size is the size they report
Named (alternate) streams : optional additional $DATA streams, addressed as filename:streamname, typically used for metadata such as Zone.Identifier
Attackers abuse this to hide their payloads inside legitimate files and evade antivirus (AV) software: the payload (malicious code or an executable) is written into a named alternate stream of the file, so the file's visible content and reported size do not change.
This technique evades basic signature-based AV and static scanning tools that only read the default stream. Anything that enumerates streams, such as dir /r, PowerShell's Get-Item -Stream *, or a current AV/EDR engine, will still find the payload, so it should not be relied on against a well-instrumented host.
Hands-On
First, a second file named secret.txt is created in an alternate stream of test.txt, i.e. test.txt:secret.txt.
Even then the size of test.txt shows as zero if nothing is written to test.txt itself, although secret.txt contains text: Explorer and dir report only the default stream's size.
To put an executable into the text file's ADS, copy its bytes into the stream with type (a bare payload.exe > ... would run the program and redirect its output, not copy its contents):
type payload.exe > filename.txt:executable.exe
You might now expect the file's size to have grown by the size of the payload, but it has not:
Still 0 KB. dir and Explorer count only the default stream; dir /r lists the executable.exe stream and its real size.
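The hands-on steps above, plus the check a defender runs, as an added PowerShell example (not code from the original post). It writes a constructed stand-in payload into filename.txt:executable.exe, shows that the host file still reports a length of 0, enumerates and extracts the hidden stream, and finishes with a small hunting function that lists non-default streams under a directory. The working directory under $env:TEMP, the stream name executable.exe and the function names are assumptions; it needs an NTFS volume and Windows PowerShell 5.1 or PowerShell 7.

```powershell
# Added example, not from the original post. Assumes an NTFS volume.
$work = Join-Path $env:TEMP "ads-demo"            # assumed scratch directory
New-Item -ItemType Directory -Path $work -Force | Out-Null

$hostFile = Join-Path $work "filename.txt"
$payload  = Join-Path $work "payload.exe"

# Constructed stand-in payload: 4 KiB of arbitrary bytes, not a real executable.
$bytes = [byte[]](1..4096 | ForEach-Object { $_ % 256 })
[IO.File]::WriteAllBytes($payload, $bytes)

# Empty host file, so its unnamed $DATA stream has length 0.
New-Item -ItemType File -Path $hostFile -Force | Out-Null

# Step from the post:  type payload.exe > filename.txt:executable.exe
# Run through cmd.exe so the redirection into the stream is exactly what the
# post does. ${hostFile} braces stop PowerShell reading "$hostFile:" as a
# drive-qualified variable name.
& cmd.exe /c "type `"$payload`" > `"${hostFile}:executable.exe`""

# The size Explorer and dir show is the unnamed stream only: still 0.
"Reported length of filename.txt: $((Get-Item -LiteralPath $hostFile).Length)"

# The equivalent of  dir /r  : every stream on the file, including ':$DATA'.
Get-Item -LiteralPath $hostFile -Stream * | Format-Table Stream, Length

# Pull the hidden bytes back out. Byte reads are spelled differently in
# Windows PowerShell 5.1 (-Encoding Byte) and PowerShell 7 (-AsByteStream).
function Get-StreamBytes {
    param([string]$Path, [string]$Stream)
    if ($PSVersionTable.PSVersion.Major -ge 6) {
        Get-Content -LiteralPath $Path -Stream $Stream -AsByteStream -Raw
    } else {
        Get-Content -LiteralPath $Path -Stream $Stream -Encoding Byte -Raw
    }
}
$recovered = Get-StreamBytes -Path $hostFile -Stream "executable.exe"
"Recovered $($recovered.Length) bytes from the stream (expected 4096)"

# Defender's side: list every file under a root that carries a named stream
# other than Zone.Identifier (the Mark of the Web, which is normal noise).
function Find-AlternateStreams {
    param([string]$Root)
    Get-ChildItem -LiteralPath $Root -File -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object {
            Get-Item -LiteralPath $_.FullName -Stream * -ErrorAction SilentlyContinue |
                Where-Object { $_.Stream -ne ':$DATA' -and $_.Stream -ne 'Zone.Identifier' }
        } |
        Select-Object FileName, Stream, Length
}
Find-AlternateStreams -Root $work | Format-Table -AutoSize

# Clean-up: Remove-Item can delete a single stream without touching the file.
Remove-Item -LiteralPath $hostFile -Stream "executable.exe"
"Streams left on filename.txt: $((Get-Item -LiteralPath $hostFile -Stream *).Count)"
```

Note that Find-AlternateStreams deliberately keeps the file's unnamed stream and Zone.Identifier out of the report; on a real host, whitelist any other streams your own software writes before treating the remainder as suspicious. Launching the payload from the stream is a separate step, described in the text that follows, and is not part of this example.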
Running the executable straight from the stream is not as simple as double-clicking it, so the approach here is to point a symbolic link (the winupdate link) at the stream, and creating that link needs elevated privileges. We use UACMe to obtain them, launching an elevated cmd.exe rather than the payload (backdoor.exe) itself, and create the symbolic link from that elevated prompt.
With the link in place, the executable in the stream runs whenever wupdate is executed, which happens on every Windows Update check.