Alternate Data Streams

Alternate Data Streams (ADSes) are a substructure of the NTFS file system. These “streams” are not shown by Explorer or a plain dir listing and thus can be used to hide malicious code. A couple of years ago there was great wringing of hands over the inability of antivirus vendors to detect files hidden inside ADSes. It seems that this has not been rectified.
In the June issue of Information Security Mag, Ed Skoudis compares several antivirus products. When testing these hidden streams, he found that most antivirus vendors are still lacking.
Aware of the threat, but not yet really educated on it, I searched further. I found a Computerworld article posted to the Symantec site. It said that:
1. Alternate Data Streams cannot be removed from a file. The original file will need to be deleted.
2. Windows File Protection introduced in Windows 2000 cannot prevent hackers from adding an ADS with hidden executable code to a system file.
3. Users without “write” permissions to a file cannot add an ADS.
I also found a really cool GIAC paper by Jeff Garrett. In the paper Jeff demonstrates how to use netcat in an ADS to avoid detection by an administrator. Very cool stuff!!
It looks like, for now, this is more evidence of the need not to perform day-to-day computer tasks as the administrator. Furthermore, it may be a good idea to check whether your antivirus company scans ADSes.
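As an added example (not from the post or the articles it cites), here is a PowerShell audit that walks a directory tree, lists every stream other than the default one, and flags streams that begin with the “MZ” header of a Windows executable. It assumes PowerShell 3.0 or later on an NTFS volume; the default path and the list of benign stream names are assumptions you should adjust.

```powershell
# Added example (not from the post): audit a directory tree for alternate data
# streams and flag any that hold what looks like a PE executable.
# Assumptions: PowerShell 3.0 or later, an NTFS volume, and these parameters.
param(
    [string]$Path = 'C:\Users\Public',            # directory to audit (assumed)
    [string[]]$KnownBenign = @('Zone.Identifier') # stream names to ignore (assumed)
)

function Get-StreamHeader {
    # Return the first two bytes of a named stream; the byte-mode switch differs
    # between Windows PowerShell 5.1 (-Encoding Byte) and PowerShell 7 (-AsByteStream).
    param([string]$File, [string]$Stream)
    if ($PSVersionTable.PSVersion.Major -ge 6) {
        Get-Content -LiteralPath $File -Stream $Stream -AsByteStream -TotalCount 2
    } else {
        Get-Content -LiteralPath $File -Stream $Stream -Encoding Byte -TotalCount 2
    }
}

Get-ChildItem -LiteralPath $Path -File -Recurse -ErrorAction SilentlyContinue |
    ForEach-Object {
        $file = $_.FullName
        # -Stream * lists every stream on the file, including the default ':$DATA'
        Get-Item -LiteralPath $file -Stream * -ErrorAction SilentlyContinue |
            Where-Object { $_.Stream -ne ':$DATA' -and $KnownBenign -notcontains $_.Stream } |
            ForEach-Object {
                $hdr = @(Get-StreamHeader -File $file -Stream $_.Stream)
                [pscustomobject]@{
                    File    = $file
                    Stream  = $_.Stream
                    Bytes   = $_.Length
                    # 'MZ' at offset 0 is the DOS header every Windows PE starts with
                    LooksPE = ($hdr.Count -ge 2 -and $hdr[0] -eq 0x4D -and $hdr[1] -eq 0x5A)
                }
            }
    } |
    Sort-Object LooksPE, Bytes -Descending |
    Format-Table -AutoSize
```

A row with LooksPE set to True is exactly the case the post describes: an executable stored beside an innocent-looking file where a scanner that ignores streams will never see it.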