Hiding an EXE or Virus inside a TXT file or JPG.
AKA: Alternate Data Streams – An introduction…
One of the members of a technical forum to which I belong had a virus detected in a dll that he could not find anywhere on his computer. In the end, it was discovered that the file was embedded as an Alternate Data Stream (ADS) attached to his System32 directory. The full path to the file was something similar to c:\windows\system32:dhht.dll.
I was not familiar with using streams in this manner, so I looked it up. In short, any file or directory on an NTFS drive can have any number of files piggy-backed onto it without affecting its reported file size. These files remain intact through normal file copying and renaming actions as long as the file remains on an NTFS drive (or compatible archiver).
I’d never come across this before and thought I would share.
Summary/Demo…. (adjust paths as necessary)
- Create a directory off the root called test.
- From the command prompt in your test directory type:
[DOS]Echo a>test.txt[/DOS]
That will create a nice 3 byte text file.
- Now type:
[DOS]type c:\Windows\system32\notepad.exe>test.txt:notepad.exe[/DOS]
- Get another directory listing and notice that the size of test.txt remains 3 bytes though an additional ~70kb has been added to it. The time has changed but that could be set back.
- Now, from the command prompt in your test directory, execute the hidden stream:
[DOS]start \test\test.txt:Notepad.exe[/DOS]
(You must include the path to test.txt)
You are now running an exe that was hidden in a 3 byte text file!
As far as Windows is concerned, that file takes up only enough space for three characters. Yet it’s got this hidden back end on it. That txt file could be taking up any amount of space. Perhaps it is storing 5 gigs of pictures in it. Who knows?
Windows supplies no tools to display this. The zip file referenced in this article includes an exe that does.
The Task Manager shows the running process in different ways depending upon your Windows version. In SP2, the executable is listed as test.txt:Notepad.exe. However, in earlier versions of Windows, only the host file is listed. So, if you’d embedded Notepad.exe in calc.exe, calc.exe would be in the task list even though you’d be running Notepad. Nifty huh?
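On Windows Vista and later, `dir /r` does list named streams beneath their host entry. The following is an added example, not part of the original post or its zip file: it parses such a listing and reports every named stream other than the Zone.Identifier mark, noting streams attached to a directory and streams with an executable extension. The sample listing is constructed, the English-locale layout is an assumption, and the function name and allow-list are hypothetical.

```python
import re

# Constructed sample of `dir /r` output (English locale); not from a real host.
SAMPLE = """\
 Directory of C:\\test

10/01/2024  10:00 AM    <DIR>          .
                                 8,192 .:dhht.dll:$DATA
10/01/2024  10:00 AM    <DIR>          ..
10/01/2024  10:02 AM                 3 test.txt
                                69,120 test.txt:notepad.exe:$DATA
10/01/2024  10:05 AM           250,112 setup.exe
                                    26 setup.exe:Zone.Identifier:$DATA
"""

# Stream lines are indented: "<size> <host>:<stream>:$DATA"
STREAM = re.compile(r"^\s+([\d,]+)\s+(.+?):([^:]+):\$DATA\s*$")
BENIGN = {"zone.identifier"}  # assumed allow-list: the download zone mark
EXEC_EXT = (".exe", ".dll", ".scr", ".bat", ".cmd", ".vbs", ".js", ".ps1")


def find_suspicious_streams(listing):
    """Return one finding per named stream that is not on the allow-list."""
    findings, folder, host_is_dir = [], "", False
    for line in listing.splitlines():
        text = line.strip()
        if text.startswith("Directory of "):
            folder = text[len("Directory of "):]
            continue
        if line[:1].isdigit():  # dated entry line: a file or a directory
            host_is_dir = "<DIR>" in line
            continue
        m = STREAM.match(line)
        if not m or m.group(3).lower() in BENIGN:
            continue
        size = int(m.group(1).replace(",", ""))
        host, stream = m.group(2), m.group(3)
        reasons = []
        if host_is_dir:
            reasons.append("stream on directory")
        if stream.lower().endswith(EXEC_EXT):
            reasons.append("executable extension")
        # "." is the listed folder itself, e.g. C:\test:dhht.dll
        base = folder if host == "." else f"{folder}\\{host}"
        findings.append({"path": f"{base}:{stream}", "size": size,
                         "reasons": reasons or ["unexpected named stream"]})
    return findings


if __name__ == "__main__":
    for f in find_suspicious_streams(SAMPLE):
        print(f["path"], f["size"], ", ".join(f["reasons"]))
```

Feed it the saved output of `dir /r /s` from the volume being examined; the reported size is the stream's own size, which the host file's listed size does not include.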
Of course, you’ll have to find a transport/archiver that supports these streams, if you want to distribute them. Outlook and WinZip do not seem to do so.
Apparently ADS are there for backwards compatibility with a Macintosh file system (HFS), but I’m not sure why we’d want/need that… Some Windows apps use it for other things. For example, when you download an exe file through IE, MS helpfully edits the file for you and attaches an ADS that stores the Zone under which the file was downloaded. As a result, you are NEVER getting the same file that was on the internet. Developers should be aware of this when they deploy software via a website.
In short, while Alternate Data Streams do add some flexibility to the operating system, the incomplete implementation of the feature makes ADS more of an avenue for abuse than a feature.