Introduction to Alternate Data Stream (ADS)


Alternate data streams (ADS) are an NTFS feature and a convenient way to hide malware on a system: the malware is attached to another, existing file and stays out of sight in several ways. Moreover, not many antivirus programs are able to detect them.

Example of malware using ADS:
1, the infected file malware.exe, in which the malware is located, starts by compiling a list of all files with
    extension .exe in the C:\Windows folder
2, gets the size of one of them (e.g. test.exe)
3, moves test.exe to another folder and makes a backup copy of it (.bak)
4, copies malware.exe to the folder where test.exe was located and renames it to that name.
    Of course it now has fewer bytes than the original test.exe, so it has to append as many null bytes
    as are needed to match the size of the original test.exe.
    It also sets the icon of the original test.exe.
5, the backup copy (.bak) is renamed to original.exe and moved via ADS into test.exe, which is actually
    the malware (test.exe:original.exe)
6, now, every time the program starts, it appears to the user that nothing has changed (at most it starts
    a little later), but besides the original.exe program the malware (test.exe) also runs

In the example below, we use ADS on the file C:\ads\test.txt: two named streams are created on it, written to, read back and then listed.

You must install the CodeFluentRuntimeClient package into the project via NuGet.

  using CodeFluent.Runtime.BinaryServices;
  using System;
  using System.Collections.Generic;
  using System.IO;

  namespace ADS_stream
  {
    class Program
    {
        static void Main(string[] args)
        {
            // Stream path syntax is <file>:<stream name>. The folder C:\ADS must exist.
            // Opening with OpenOrCreate creates the named stream if it is not there yet.
            FileStream stream = NtfsAlternateStream.Open(@"C:\ADS\test.txt:hidden.txt",
                                   FileAccess.Write, FileMode.OpenOrCreate, FileShare.None);
            stream.Close();

            FileStream stream1 = NtfsAlternateStream.Open(@"C:\ADS\test.txt:ukryte.txt",
                                    FileAccess.Write, FileMode.OpenOrCreate, FileShare.None);
            stream1.Close();

            // Write to each stream; the reported size of test.txt itself does not change.
            NtfsAlternateStream.WriteAllText(@"C:\ADS\test.txt:hidden.txt",
                                             "Write text to hidden file 1");
            NtfsAlternateStream.WriteAllText(@"C:\ADS\test.txt:ukryte.txt",
                                             "Write text to hidden file 2");

            // Read the streams back.
            string text1 = NtfsAlternateStream.ReadAllText(@"C:\ADS\test.txt:hidden.txt");
            string text2 = NtfsAlternateStream.ReadAllText(@"C:\ADS\test.txt:ukryte.txt");

            Console.WriteLine("Result from hidden file 1: " + text1);
            Console.WriteLine("Result from hidden file 2: " + text2);

            // Enumerate every stream attached to test.txt, including the two created above.
            Console.WriteLine("List of ADS connected to test.txt: ");
            IEnumerable<NtfsAlternateStream> adsStreams =
                NtfsAlternateStream.EnumerateStreams(@"C:\ADS\test.txt");

            foreach (NtfsAlternateStream ads in adsStreams)
            {
                Console.WriteLine(ads.Name);
            }

            Console.ReadLine();
        }
    }
  }
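A defensive counterpart to the program above, added here as an example and not part of the original post or of the CodeFluent project: it walks a folder with the same NtfsAlternateStream API and lists every file that carries a named stream together with the stream's size, so a payload parked in an executable the way the six steps describe shows up as a large stream on a .exe. It assumes EnumerateStreams reports the default stream as "::$DATA" and named streams as ":name:$DATA"; the NormaliseName and Scan helpers are my own.

```csharp
using CodeFluent.Runtime.BinaryServices;
using System;
using System.Collections.Generic;
using System.IO;

namespace ADS_scan
{
    class Program
    {
        // Reduce a raw stream name such as ":hidden.txt:$DATA" to "hidden.txt".
        // The unnamed default stream ("::$DATA") reduces to "" and is skipped by Scan.
        // Assumption: this is the naming form EnumerateStreams returns.
        static string NormaliseName(string raw)
        {
            string name = raw.TrimStart(':');
            const string suffix = ":$DATA";
            if (name.EndsWith(suffix, StringComparison.OrdinalIgnoreCase))
                name = name.Substring(0, name.Length - suffix.Length);
            return name;
        }

        // Return one "file -> stream (bytes)" line per named stream found under folder.
        static List<string> Scan(string folder, string pattern)
        {
            var findings = new List<string>();
            foreach (string file in Directory.EnumerateFiles(folder, pattern, SearchOption.AllDirectories))
            {
                foreach (NtfsAlternateStream ads in NtfsAlternateStream.EnumerateStreams(file))
                {
                    string name = NormaliseName(ads.Name);
                    if (name.Length == 0) continue; // default data stream, not an ADS

                    // Open the stream read-only just to measure it; the file's own size
                    // (FileInfo.Length) never includes what is hidden in its streams.
                    long size;
                    using (FileStream s = NtfsAlternateStream.Open(file + ":" + name,
                               FileAccess.Read, FileMode.Open, FileShare.ReadWrite))
                    {
                        size = s.Length;
                    }
                    // Zone.Identifier is the usual benign stream (mark-of-the-web); anything
                    // else on an executable, especially of executable size, deserves a look.
                    string tag = name.Equals("Zone.Identifier", StringComparison.OrdinalIgnoreCase)
                                 ? "benign" : "REVIEW";
                    findings.Add(string.Format("{0} -> {1} ({2} bytes) [{3}]", file, name, size, tag));
                }
            }
            return findings;
        }

        static void Main(string[] args)
        {
            string folder = args.Length > 0 ? args[0] : @"C:\ADS";
            foreach (string line in Scan(folder, "*.exe"))
                Console.WriteLine(line);
        }
    }
}
```

Run it against the folder from the walkthrough (or C:\Windows, with a pattern of "*.exe") and compare the reported stream sizes with the host file's own size.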