An Alternate Data Stream (ADS) is a feature of the Windows New Technology File System (NTFS): besides its main, unnamed data stream, an NTFS file can carry any number of additional named streams. Windows itself uses such streams for metadata, for example a file's title or author and, as shown below, where a file was downloaded from. ADS support dates back to the first Windows NT release and is still present in every current Windows version, including Windows 8. Take note that data stored in an ADS is not counted in the file size that Explorer or a plain dir reports, which makes it excellent for attackers to hide a piece of code or malware inside an otherwise legitimate file.
So what is one practical use of this metadata?
Let's say I downloaded a file called Tutorial 3.pdf from the Internet, put it into the directory \test and ran dir. This is what you see.
When I run dir /r instead, the listing also shows any alternate data streams attached to the files in the directory.
As you can see, Tutorial 3.pdf has an ADS called Zone.Identifier:$DATA. But what data exactly is this zone identifier holding?
OK, so now I know it holds a [ZoneTransfer] section with ZoneId=3. Does anyone remember this setting in Internet Explorer?
It turns out the zone IDs correspond to the Internet Explorer security zones:
0 My Computer (Local Machine)
1 Local Intranet Zone
2 Trusted Sites Zone
3 Internet Zone
4 Restricted Sites Zone
So with ZoneId=3, Windows knows the file came from the Internet zone. This stream is the "mark of the web": it is what makes Explorer warn you before running a downloaded executable and makes Office open a downloaded document in Protected View.
So what can an attacker do with ADS? For example, I have just created a hidden.txt stream inside Tutorial 3.pdf. If you run a normal dir, you will notice that the file size has not changed; only when I run dir /r do the changes show up. Take note that the hidden stream can just as well hold a .exe as a text file.
An attacker can then send you this innocent-looking file with a hidden ADS inside it. To view my hidden stream, I would use the command more < "Tutorial 3.pdf:hidden.txt" (the quotes are needed because of the space in the name, and this redirection syntax is a cmd.exe feature; PowerShell does not support the < operator). One caveat: streams only exist on NTFS, so copying the file to a FAT or exFAT drive, e-mailing it, or packing it with most archive tools silently drops the ADS.
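The same walkthrough in PowerShell, as an added example that is not part of the original post: it decodes the Zone.Identifier stream into the zone table above, plants and reads a hidden stream the way the dir /r and more steps do, and finishes with a small sweep that lists every file under a directory carrying a stream other than the unnamed data stream and the benign mark of the web. It assumes Windows PowerShell 3.0 or later (for the -Stream parameter) and the file C:\test\Tutorial 3.pdf from the text; the 'secret payload' text and the hunting-function name are my own.

```powershell
# Added example, not the original post's commands. Assumes PowerShell 3.0+ on
# an NTFS volume and the sample file used in the post (adjust the path).
$File = 'C:\test\Tutorial 3.pdf'

# ZoneId values written by the mark of the web, as listed in the post
$ZoneNames = @{
    0 = 'My Computer (Local Machine)'
    1 = 'Local Intranet Zone'
    2 = 'Trusted Sites Zone'
    3 = 'Internet Zone'
    4 = 'Restricted Sites Zone'
}

function Get-ZoneInfo {
    # Parses the Zone.Identifier stream ([ZoneTransfer] header followed by
    # Key=Value lines such as ZoneId=3) and adds a human-readable zone name.
    param([Parameter(Mandatory)][string]$Path)
    try {
        $lines = Get-Content -LiteralPath $Path -Stream 'Zone.Identifier' -ErrorAction Stop
    } catch {
        return $null   # no mark of the web: file was not downloaded, or it was stripped
    }
    $info = @{}
    foreach ($line in $lines) {
        if ($line -match '^\s*([A-Za-z]+)\s*=\s*(.*)$') {
            $info[$Matches[1]] = $Matches[2].Trim()
        }
    }
    if ($info.ContainsKey('ZoneId')) {
        $id = [int]$info['ZoneId']
        $info['ZoneName'] = if ($ZoneNames.ContainsKey($id)) { $ZoneNames[$id] } else { "Unknown zone $id" }
    }
    return $info
}

function Find-SuspiciousStreams {
    # Hunting sweep: every stream on every file under $Directory except the
    # unnamed data stream (:$DATA) and the expected Zone.Identifier mark.
    param([Parameter(Mandatory)][string]$Directory)
    Get-ChildItem -LiteralPath $Directory -File -Recurse |
        Get-Item -Stream * |
        Where-Object { $_.Stream -notin ':$DATA', 'Zone.Identifier' } |
        Select-Object FileName, Stream, Length
}

# 1. Where did the PDF come from? Expect ZoneId=3 / Internet Zone for a download.
Get-ZoneInfo -Path $File

# 2. Size before planting anything: only the unnamed stream counts toward Length.
$before = (Get-Item -LiteralPath $File).Length

# 3. Plant a hidden stream (constructed text here; a PE file can be dropped the same way).
Set-Content -LiteralPath $File -Stream 'hidden.txt' -Value 'secret payload'

# 4. A plain dir (or .Length) still reports the same size.
$after = (Get-Item -LiteralPath $File).Length
"Length before: $before, after: $after, unchanged: $($before -eq $after)"

# 5. Equivalent of dir /r: enumerate every stream on the file.
Get-Item -LiteralPath $File -Stream * | Select-Object Stream, Length

# 6. Equivalent of   more < "Tutorial 3.pdf:hidden.txt"   in cmd.exe.
Get-Content -LiteralPath $File -Stream 'hidden.txt'

# 7. Hunt for the same thing across the whole directory.
Find-SuspiciousStreams -Directory 'C:\test'

# 8. Clean up the planted stream again.
Remove-Item -LiteralPath $File -Stream 'hidden.txt'
```

The sweep is the part worth keeping: on a clean workstation almost every hit from Find-SuspiciousStreams is either a well-known Windows stream or something that deserves a look, and because stream names are free-form, an attacker cannot hide from an enumeration that lists all of them rather than guessing names. Unblock-File removes the Zone.Identifier stream if you want to see the "no mark" path of Get-ZoneInfo.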