A Gift You Can Do Without


By David Shamah, The Jerusalem Post, February 20, 2004


Who doesn’t love getting gifts? Most people can’t wait for birthdays and holidays – half the fun is in anticipating what your friends and family are going to give you. What will it be this time? And when the big day comes, you eye the beautifully wrapped package, practically salivating with anticipation: What terrific surprise am I going to get today?


Well, I hope it’s not the surprise you’re going to hear about in this story! Getting a birthday present or holiday gift surprise is one thing; getting a surprise package inside a text file you thought was completely safe and secure is something else altogether. Your 50 KB text file, for example, could look perfectly harmless and come up clean on your virus scanner. But that same clean, safe 50 KB file could have a hidden component, maybe a 5 MB executable that will do who-knows-what if it ever gets run! Imagine that: a text file that looks, acts, and presents itself as a 50 KB text file, with a hidden program attached to it, possibly (maybe even likely) a virus, that doesn’t show up in your Windows file list, in a virus scan, or in a disk search!


Am I describing a new nefarious virus technology? Is it another spyware program making the rounds? Are these the rantings of a paranoid computer journalist?


No, no, and no. The phenomenon I am describing – wherein a perfectly innocuous-looking file or directory with an “official” Windows size of even 1 KB (as listed in Windows Explorer’s Details view) can carry an extra hidden component holding hundreds of megabytes of data – is NOT a secret hacker plot or spyware exploit; it’s a built-in feature of Windows, and has been since the earliest editions of Windows NT! That’s right: you can create a file of any size or type that consists of one set of data, AND have a second, completely invisible set of data attached to it, executables included, which a script can launch on your system without your ever knowing it. I can do it, you can do it, and you can be sure the no-goodnik hackers can do it (in fact, they already have). And there is no switch you can flip to stop it, because it is part of the file system itself. It’s a free surprise “gift” you get when you install Windows 2000 or XP and format your disk as NTFS – a gift you’ve probably never heard about, and one you might not have wanted had you known you were going to get it!


Oh, it didn’t start out as a hacker tool, of course. The original programmers and architects of Windows must have been true Ethical Humanists. They trusted the computing public – who could have imagined that features they built into the system to make life easier for the rest of us would ever be used for sinister purposes?


That seems to have been the case here. Alternate Data Streams, the hidden file components I’ve described, were designed to allow file-exchange compatibility with Macintosh users. Mac files have two parts, too: a data fork and a resource fork. So that Windows NT (and 2000 and XP) servers could hold files for Macs on office networks, NTFS (the NT File System) lets a single file carry more than one stream of data, paralleling the Mac’s HFS (Hierarchical File System). On a Mac, for example, a picture file holds the JPEG data in its data fork and a representative icon in its resource fork; the NTFS Alternate Data Stream (ADS) mechanism gives that resource fork a place to live when the file is stored on a PC, so nothing is lost when the Mac reads it back.


It’s a good example of what could be called “civic computing” – anybody who has to juggle work between Macs and PCs certainly appreciates this feature. But, unfortunately, features like this are also exploited by people who are decidedly un-civic in their world view. Anybody can create one of these ADS files right on their own computer; you don’t need access to a Mac to do it!

Want to play “hacker?” Do this: on your NTFS drive, create a new text file called new.txt with a few lines in it – Explorer should list it at about 1 KB. Now find a big text file on your drive (we’ll call it bigtextfile.txt in the example), maybe a log file created by some program, and put it in the same folder. Open a command window in that folder and run this command:


C:\> type bigtextfile.txt > new.txt:hidden


And that’s all there is to it. Notice that new.txt is still listed in Explorer at 1 KB, and if you open it in Notepad you see only your few lines; nothing about the file looks any different. The whole log file is now sitting in a second stream of new.txt named “hidden”, and you can only reach it by asking for it by name – for instance, with notepad new.txt:hidden or more < new.txt:hidden at the command prompt. Explorer, a plain dir, and a text search of your drive all walk right past it.
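The same experiment, as an added example that is not from the original article, written for PowerShell 3.0 or later (which gained the -Stream parameter on Get-Item, Get-Content, Set-Content and Remove-Item) instead of the cmd.exe line above. It builds its own bigtextfile.txt under $env:TEMP rather than hunting for a log file; the folder, the file names and the stream name “hidden” are the example’s own choices.

```powershell
# Added example, not from the original article. PowerShell 3.0+ on an NTFS
# volume. Folder, file names and the stream name 'hidden' are assumptions.

$work  = Join-Path $env:TEMP 'ads-demo'
New-Item -ItemType Directory -Path $work -Force | Out-Null
$small = Join-Path $work 'new.txt'
$big   = Join-Path $work 'bigtextfile.txt'

# new.txt: the innocent-looking file, a few lines in its ordinary stream.
Set-Content -LiteralPath $small -Value @('first line', 'second line', 'third line')

# bigtextfile.txt: a stand-in for the log file, built here rather than found.
1..20000 | ForEach-Object { "line $_ of a boring log file" } | Set-Content -LiteralPath $big

$before = (Get-Item -LiteralPath $small).Length

# The cmd.exe line 'type bigtextfile.txt > new.txt:hidden' in cmdlet form:
# copy the big file's text into a stream of new.txt named 'hidden'.
Get-Content -LiteralPath $big | Set-Content -LiteralPath $small -Stream 'hidden'

$after = (Get-Item -LiteralPath $small).Length
"Length Explorer reports: before $before bytes, after $after bytes"   # identical

# The part Explorer and a plain 'dir' never show: every stream, with its size.
# ':$DATA' is the ordinary content; 'hidden' is the freight.
Get-Item -LiteralPath $small -Stream * | Format-Table Stream, Length -AutoSize

# Notepad on new.txt still shows three lines; the stream is reachable only by name.
$lines = (Get-Content -LiteralPath $small -Stream 'hidden' | Measure-Object).Count
"Lines in new.txt:hidden: $lines"

# Undo: delete the stream without touching new.txt's own content.
Remove-Item -LiteralPath $small -Stream 'hidden'
Get-Item -LiteralPath $small -Stream * | Format-Table Stream, Length -AutoSize
```

The Length property that Explorer, dir and Get-Item report is the size of the unnamed stream only, which is why the number does not move when 20,000 lines are tucked into new.txt:hidden; the final Remove-Item shows that a stream can be deleted in place without the copy-to-FAT detour described later in the article.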


Looks bad for your NTFS Windows system, doesn’t it? Well, things could be worse. Mac users who have downloaded Mac programs onto a PC know that the files don’t work when they transfer them to their Macs, because ordinary PC transfer methods, like FTP and e-mail, carry only the file itself, not its extra streams; the same goes for a zip archive or a copy to a floppy. Nor can you double-click a text file and run a program hidden in its stream. But, given the right set of circumstances, the hidden virus could still prove a problem. On Windows 2000 and XP a program in a stream can be launched from the command line if you name it (start new.txt:hidden.exe), and a script that arrives as a VBS file can write its viral payload into a stream of a file that exists on every PC – notepad.exe, for example – and run it from there later; at least one mass-distributed virus has been spread in this manner (see http://craiu.pcnet.ro/papers/papers/potok.html). Keep in mind that a stream can be attached to any item on an NTFS volume: a file, an empty directory, or even the root directory of the drive itself, which you obviously can’t copy somewhere else to shake the stream loose; there you need a tool that can delete a stream by name. A good resource page, with more than you ever wanted to know about Alternate Data Streams (and NTFS in general), is available at http://lists.gpick.com/pages/NTFS.htm. If you have access to a FAT-formatted drive, you can get rid of a file’s streams by copying the suspect file over to the FAT drive and back, since FAT has nowhere to put them. Instructions for manually removing ADS from files can be found at http://www.snausage.com/tutorials/ads.html


Do anti-virus programs work on these files? Most of the latest editions of the major ones do check files for hidden streams, but not all do; and if your virus program is an older edition (more than 18-24 months old, say), it might not be checking for them at all! Note that I am talking about a newer version of the program itself, not just a signature update. ADS, as mentioned, was never a hidden aspect of Windows, but it was also not very well known, so many anti-virus programs never included streams in their scans. And a stream doesn’t have to hold a program to cause trouble: a nuisance that simply keeps writing junk into a stream fills your hard drive without any file getting any bigger. Your free space shrinks, but no file in any Explorer window accounts for it, so your only hints are the “disk full” messages that start to appear and a disk-space tally that doesn’t add up; your anti-virus program probably won’t notice anything amiss, because no rogue executable ever runs!


Whether or not your anti-virus program is on the case, I do have a handy program you can download for free to deal with this problem. CrucialADS is a most useful tool that will scan an NTFS hard drive for files with Alternate Data Streams; when it finds one, it lists the file in red in the program window, with its name and other information about it. Note that, as of Windows 2000 and XP, there are no built-in Windows tools to find these files – you’re forced to rely on the generosity of companies like Crucial Security, who, out of the goodness of their hearts, provide the computing community with very useful tools like this for free. It’s a good thing they’re nice enough not to hold suckers like us over a barrel and charge an arm and a leg for CrucialADS, which they could do. And what alternative would we have if they wanted to? If you want to use Windows, you’re stuck with ADS. When Microsoft gives you a “gift” like this, they don’t take no for an answer!
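For readers who would rather not depend on a third-party download, here is an added example (not the article’s and not Crucial Security’s code) of the same kind of scan written for PowerShell 3.0 or later, whose -Stream parameter exposes what CrucialADS finds. The root folder, the list of streams treated as benign and the executable-header check are the example’s own assumptions; in particular, Windows XP SP2 and later mark every downloaded file with a Zone.Identifier stream, so a scanner that doesn’t filter it will flag half of a Downloads folder.

```powershell
# Added example, not from the original article or from Crucial Security.
# Requires PowerShell 3.0+ (the -Stream and -File parameters). Root path,
# benign-stream list and the 'MZ' check are illustrative assumptions.

function Find-AlternateDataStreams {
    param(
        [Parameter(Mandatory = $true)]
        [string] $Root,

        # Streams that Windows itself writes; reported, but marked benign.
        # Zone.Identifier is the "downloaded from the Internet" marker (XP SP2+).
        [string[]] $Benign = @('Zone.Identifier')
    )

    Get-ChildItem -LiteralPath $Root -Recurse -File -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file = $_
            # '-Stream *' lists every stream on the file; ':$DATA' is the
            # ordinary content that Explorer sizes and Notepad opens.
            Get-Item -LiteralPath $file.FullName -Stream * -ErrorAction SilentlyContinue |
                Where-Object { $_.Stream -ne ':$DATA' } |
                ForEach-Object {
                    [pscustomobject]@{
                        Path     = $file.FullName
                        Stream   = $_.Stream
                        Bytes    = $_.Length
                        FileSize = $file.Length          # the size Explorer shows
                        Benign   = ($Benign -contains $_.Stream)
                    }
                }
        }
}

function Test-StreamLooksExecutable {
    # Peeks at the start of a stream without running it: Windows executables
    # begin with the two characters 'MZ'.
    param([string] $Path, [string] $Stream)
    $head = Get-Content -LiteralPath $Path -Stream $Stream -TotalCount 1 -ErrorAction SilentlyContinue
    return ($null -ne $head) -and ([string]$head).StartsWith('MZ')
}

# Scan a tree (assumed starting point) and show the non-benign hits, biggest first.
# A stream many times larger than its host file is the pattern from the
# experiment earlier in the article; one that starts with 'MZ' is a hidden program.
$hits = Find-AlternateDataStreams -Root $env:USERPROFILE |
        Where-Object { -not $_.Benign } |
        Sort-Object Bytes -Descending

$hits |
    Select-Object Path, Stream, Bytes, FileSize,
        @{ Name = 'PE'; Expression = { Test-StreamLooksExecutable $_.Path $_.Stream } } |
    Format-Table -AutoSize
```

The function sticks to files; directories, including the drive root the article mentions, can carry streams too and need a separate look. Treat the output as a triage list rather than a verdict: a large stream on a tiny text file, or one whose first bytes are a program header, is worth opening by name before deciding whether to delete it with Remove-Item -Stream.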


Get CrucialADS for free from http://www.crucialsecurity.com/downloads.html.


Send comments or questions to ds@newzgeek.com. Also check out http://www.newzgeek.com