• Dana Epp

The Dark Side of NTFS (Microsoft's Scarlet Letter)

Updated: Mar 16, 2018

If you run on a Windows platform you have no doubt heard about NTFS. It's a fast, stable and secure file system that has worked great since the old NT 3.51 days.

This isn't new, but it seems people still aren't aware that NTFS Alternate Data Streams (ADS) can easily be used as an attack vector to hide malicious code. If you didn't know, an NTFS file can carry more than one data stream: besides the unnamed default stream that every tool reads, it can hold any number of named streams, addressed as file.txt:streamname. This little trick has been used in the past for indexing files, storing secondary data, and even storing particular security tag information (this was a very weak approach, which was quickly dropped).

There are good examples elsewhere of how to create hidden ADS, so I won't bore you with that here. Instead I will comment on its use.

If you were to write a malicious code segment into an ADS, the normal view of the file (dir, Explorer, the reported file size) won't show it. Don't believe me? Watch this:

c:\> echo Alice knows Bob's secret > foo.txt

c:\> dir foo.txt

1/23/2017 08:25 AM 28 foo.txt

Ok, so we know its 28 bytes. Now watch this.

c:\> echo Alice knows Bob's secret > foo2.txt:hidden

c:\> dir foo2.txt

1/23/2017 08:26 AM 0 foo2.txt

That's right, you read that correctly: 0 bytes. The size that dir reports only counts the unnamed default stream, so the payload never shows up in a normal listing. It is not invisible to the file system, though: dir /R (Vista and later), PowerShell's Get-Item -Stream *, and Sysinternals streams.exe will all list it, which is exactly what you want to check for when hunting. Can you see the possibilities here? You can easily hide an attack script in the ADS and execute it later.
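The same demonstration in PowerShell, plus the enumeration step that a hunt script would do. This is an added example, not code from the original post; the directory, file and stream names are hypothetical, and it assumes Windows PowerShell 3.0 or later (when the -Stream parameter appeared on the file system cmdlets) running on an NTFS volume.

```powershell
# Added example (not from the original post). Hides a string in a named
# stream, shows that the default size ignores it, and then enumerates
# streams the way a hunt script would. The directory, file and stream
# names are hypothetical. Windows PowerShell 3.0+ on an NTFS volume.

$dir  = Join-Path $env:TEMP 'ads-demo'
New-Item -ItemType Directory -Path $dir -Force | Out-Null
$file = Join-Path $dir 'foo2.txt'

# A zero-byte carrier file; the payload goes into the stream named "hidden".
New-Item -ItemType File -Path $file -Force | Out-Null
Set-Content -LiteralPath $file -Stream hidden -Value "Alice knows Bob's secret"

# The Length property (what dir and Explorer show) only counts the unnamed
# default stream, so it stays at 0 even though the payload is on disk.
Write-Host ("Default size: {0} bytes" -f (Get-Item -LiteralPath $file).Length)

# Asking for all streams tells the real story. ':$DATA' is the default
# stream; anything else is an alternate stream with its own length.
Get-Item -LiteralPath $file -Stream * | Select-Object FileName, Stream, Length

# The hidden content reads back under the same stream name.
Get-Content -LiteralPath $file -Stream hidden

# Hunting: every file under a path that carries a stream other than the
# default one. Zone.Identifier is filtered out because browsers put it on
# every download; drop that clause if you want to see those too.
function Find-AlternateStreams {
    param([Parameter(Mandatory)][string]$Path)
    Get-ChildItem -LiteralPath $Path -File -Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            Get-Item -LiteralPath $_.FullName -Stream * -ErrorAction SilentlyContinue |
                Where-Object { $_.Stream -ne ':$DATA' -and $_.Stream -ne 'Zone.Identifier' } |
                Select-Object FileName, Stream, Length
        }
}

Find-AlternateStreams -Path $dir
```

Two caveats worth knowing before you rely on either side of this: streams only exist on NTFS, so copying a file to FAT/exFAT, a network share that doesn't support them, or into most archive formats silently drops the hidden data; and the same is true of the Zone.Identifier marker discussed below, which is why a file that has been through a zip archive may arrive without it.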

What is worse is that most (read: all but 1 or 2, I believe) anti-virus products in the field do NOT scan ADS in enough depth for malicious code, which means the meatheads can embed their virii within the alternate data stream. Yippee. :(

In a previous life, when I was working on a HIPS, I was forced to place a "Request for Engineering Change" order to deal with this. It took several years before we saw more common use of countermeasures that watch for ADS reads and writes.

But ADS are still in use. It's actually how Windows determines whether a file downloaded from the Internet is safe to execute (the "mark of the web"). If it finds an ADS called "Zone.Identifier" whose ZoneId is 3 (Internet) or 4 (Restricted sites), it treats the file as untrusted: the shell shows the "Open File - Security Warning" prompt before running it, and on newer versions SmartScreen and Office Protected View key off the same mark. Of course, you can strip this away with a simple PowerShell command (the -Stream parameter needs PowerShell 3.0 or later):

Remove-Item .\somefile.exe -Stream Zone.Identifier

Or... use the cmdlet built for exactly this purpose (also PowerShell 3.0 or later):

Unblock-File somefile.exe
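What the marker actually looks like on disk, and how a checker reads it, as an added example that is not part of the original post. The file path is hypothetical, the marker content is the minimal form written by Internet Explorer and other browsers (recent Windows builds add ReferrerUrl and HostUrl lines to the same section), and the Get-ZoneId and Test-MarkOfTheWeb functions are my own illustration of the logic rather than any Windows API. It assumes Windows PowerShell 3.0 or later on an NTFS volume.

```powershell
# Added example (not from the original post). Recreates the Zone.Identifier
# stream a browser attaches to a download, parses the ZoneId the way a
# checker would, and removes it both ways. The path is hypothetical.
# Windows PowerShell 3.0+ on an NTFS volume.

$file = Join-Path $env:TEMP 'somefile.exe'
New-Item -ItemType File -Path $file -Force | Out-Null

function Set-InternetZoneMarker {
    param([Parameter(Mandatory)][string]$Path)
    # Minimal form of the marker. Recent Windows builds also write
    # ReferrerUrl= and HostUrl= lines into the same [ZoneTransfer] section.
    Set-Content -LiteralPath $Path -Stream Zone.Identifier -Value "[ZoneTransfer]`r`nZoneId=3"
}

# Parse the marker. URLZONE values: 0 local machine, 1 local intranet,
# 2 trusted sites, 3 Internet, 4 restricted sites. No stream means no zone.
function Get-ZoneId {
    param([Parameter(Mandatory)][string]$Path)
    $lines = Get-Content -LiteralPath $Path -Stream Zone.Identifier -ErrorAction SilentlyContinue
    foreach ($line in @($lines)) {
        if ($line -match '^\s*ZoneId\s*=\s*(\d+)\s*$') { return [int]$Matches[1] }
    }
    return $null
}

# Zones 3 and 4 are the ones that earn the "Open File - Security Warning"
# prompt (and SmartScreen / Office Protected View on newer systems).
function Test-MarkOfTheWeb {
    param([Parameter(Mandatory)][string]$Path)
    $zone = Get-ZoneId -Path $Path
    return ($null -ne $zone -and $zone -ge 3)
}

Set-InternetZoneMarker -Path $file
"Marked after download: {0}" -f (Test-MarkOfTheWeb -Path $file)

# Removal, method 1: delete the stream by name (works for any named stream).
Remove-Item -LiteralPath $file -Stream Zone.Identifier
"Marked after Remove-Item: {0}" -f (Test-MarkOfTheWeb -Path $file)

# Removal, method 2: the cmdlet built for this. Re-mark first so the
# second method has something to remove.
Set-InternetZoneMarker -Path $file
Unblock-File -LiteralPath $file
"Marked after Unblock-File: {0}" -f (Test-MarkOfTheWeb -Path $file)
```

The point for defenders is the flip side of the post's complaint: because the mark is just another named stream, anything that can write to the file can remove it, so the absence of Zone.Identifier on a file proves nothing about where it came from. Treat it as a hint for the user prompt, not as provenance.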

Alternate Data Streams are very useful. Unfortunately... they can also be used for evil. Fun stuff.