Thursday, December 30, 2004

Interesting ADS tool

In following up some leads with information on NTFS Alternate Data Streams (ADSs), I ran across an interesting tool, called Stream Explorer. This one looks very interesting, and should definitely be included on any Windows IR CD. Use something like LADS or CrucialADS to scan a system for ADSs, then use Stream Explorer to see what's in those ADSs.

ADSs have increasingly been an issue over the years, largely due to the fact that while Windows admins don't seem to be familiar with them at all, the "bad guys" are. ADSs are used by malware, and by pen-testers to hide tools.

ADSs have been part of my presentations for a couple of years, going back even to DefCon9. SP2 for XP has added a couple of new wrinkles to the mix; I'm talking about the zoneID added to files downloaded via IE or as OutLook attachments. These zoneID ADSs tell the Explorer shell to post a warning dialog to the user when the files are accessed (double-clicked). Quite expectedly, the zoneIDs are ignored by the command prompt (cmd.exe).

Have you seen ADSs in use on systems? If so, give me some specifics...