A Gift You Can Do Without
By David Shamah,
The
Who doesn’t love getting gifts? Most people can’t wait for birthdays and holidays – half the fun is in anticipating what your friends and family are going to give you. What will it be this time? And when the big day comes, you eye the beautifully wrapped package, practically salivating with anticipation: What terrific surprise am I going to get today?
Well, I hope it’s not the surprise you’re going to hear about in this story! Getting a birthday present or holiday gift surprise is one thing; getting a surprise package inside a text file you thought was completely safe and secure is something else altogether. Your 50 KB text file, for example, could be a perfectly safe-looking text file that comes up clean on your virus scanner. But that same clean, safe 50 KB file could have a hidden component attached to it, maybe a 5 MB executable that will do who-knows-what when it gets run. Imagine that: a text file that looks, acts, and presents itself like a 50 KB text file, with a hidden program (quite possibly a virus) attached to it that doesn’t show up in your Windows file list or in the size Explorer reports, that a disk search will never match, and that many virus scanners never even look at!
Am I describing a new nefarious virus technology? Is it another spyware program making the rounds? Are these the rantings of a paranoid computer journalist?
No and no and no. The phenomenon I am describing, in which a perfectly innocuous-looking file or directory with an “official” Windows size of even 1 KB (as listed in the Windows Explorer Details view) can have an extra hidden component holding even hundreds of megabytes of data, is not a secret hacker plot or a spyware exploit; it’s a built-in feature of Windows, and has been since the earliest editions of Windows NT! That’s right: you can create a file of any size or type that consists of one set of data, AND have a second, hidden set of data attached to it, executables included, which nothing in Explorer, Notepad or a dir listing will show you, and which can be scripted to run on your system without your ever knowing it! I can do it, you can do it, and you can be sure that no-goodnik hackers can do it (in fact, they already have). And you can’t really do anything to stop it, because it is part of the file system itself. It’s a free surprise “gift” you get when you install Windows 2000 or XP and format your disk for NTFS; a gift you’ve probably never heard about, and one you might not have wanted had you known you were going to get it!
Oh, it didn’t start out as a hacker tool, of course. The original programmers and architects of Windows must have been true Ethical Humanists. They trusted the computing public; who could have imagined that features they built into the system to make life easier for the rest of us would ever be used for sinister purposes?
That seems to have been the case here. Alternate Data Streams, the hidden file components I’ve described, were designed to allow file-exchange compatibility with Macintosh users. Mac files have two parts, too: a data fork and a resource fork. So that Windows NT (and 2000 and XP) servers could store files for Macs on office networks, NTFS (the NT File System) lets a single file carry more than one data stream, paralleling the Mac’s HFS (Hierarchical File System). On a Mac, for example, a picture file holds the JPEG data in one fork and its custom icon in the other; the NTFS Alternate Data Stream (ADS) setup lets the server keep that second fork alongside the data when the file is stored on a PC, so nothing is lost when a Mac reads it back.
It’s a good example of what could be called “civic computing”: anybody who has to juggle work between Macs and PCs certainly appreciates this feature. But, unfortunately, features like this are also exploited by people who are decidedly un-civic in their world view. Anybody can create one of these ADS files right on their own computer; you don’t have to have access to a Mac to do this!
Want to play “hacker”? Do this: on your NTFS drive, create a new text file called new.txt with a few lines in it; it should list at about 1 KB. Now find a big text file on your drive (we’ll call it bigtextfile.txt in the example), maybe a log file that was created by some program. Open up a command window and run this command:
C:\> type bigtextfile.txt > new.txt:hidden
And that’s all there is to it. Notice that new.txt is still listed in Explorer (and by dir) at 1 KB, even though the whole log file is now stored inside it. Opening new.txt in Notepad shows only your few lines, and it opens just as quickly as before: Notepad, like nearly every other program, reads only the file’s default stream and never sees the second one. To prove the data is really there, open the stream by name: notepad new.txt:hidden, or more < new.txt:hidden, will show you the contents of the log file. On Windows 2000 and XP nothing else will show it; later versions of Windows added dir /R, which lists a file’s streams next to it.
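The same experiment in PowerShell, which has had stream-aware cmdlets since version 3.0. This is an added example, not part of the original column: the file name new.txt and the stream name hidden follow the text above, and a constructed block of filler stands in for bigtextfile.txt.

```powershell
# Added example (not from the original article): the "type bigtextfile.txt > new.txt:hidden"
# experiment done with the PowerShell stream cmdlets. Needs PowerShell 3.0+ and an NTFS volume.
# File and stream names are the article's; the payload below is constructed filler.

$path = Join-Path $env:TEMP 'new.txt'

# 1. A small, innocent-looking text file. This is the unnamed (default) data stream,
#    the only one Explorer, dir and Notepad ever look at.
Set-Content -Path $path -Value 'just a few lines of text' -Encoding ASCII

# 2. A much larger payload written into a named stream called "hidden".
#    Constructed filler stands in for the article's bigtextfile.txt (512 KB of 'A').
$payload = ('A' * 1024) * 512
Set-Content -Path $path -Stream hidden -Value $payload -Encoding ASCII

# 3. What Explorer and dir report: only the default stream's size (a few dozen bytes).
$visible = (Get-Item -Path $path).Length
"Explorer/dir size: $visible bytes"

# 4. Enumerate every stream on the file. ':$DATA' is the default stream; anything
#    else is an alternate data stream.
Get-Item -Path $path -Stream * |
    Select-Object Stream, Length |
    Format-Table -AutoSize

# 5. The hidden stream is fully readable by name (about 512 KB), even though
#    opening new.txt in Notepad shows none of it.
$hiddenBytes = (Get-Item -Path $path -Stream hidden).Length
"Hidden stream: $hiddenBytes bytes"

# 6. Remove only the named stream; the file and its default stream stay intact.
Remove-Item -Path $path -Stream hidden
(Get-Item -Path $path -Stream *).Count   # back to 1: only ':$DATA' remains
```

Step 6 is the answer to “how do I get rid of it without losing the file”: the stream is deleted on its own, and the text you wrote in step 1 is untouched. Run the block on a FAT or exFAT volume and step 2 fails, because those file systems have nowhere to put a second stream.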
Looks bad for your NTFS Windows system, doesn’t it? Well, things could be worse. Mac users who have tried to download Mac programs onto a PC know that the files don’t work when they transfer them to their Macs, because the normal PC transfer methods, like FTP and e-mail, move only the file itself, not its streams; the same goes for zipping a file or copying it to a floppy. Streams can’t be executed by accident: you can’t double-click a text file that has a virus hidden in its stream and load the virus, because double-clicking opens only the default stream. But, given the right set of circumstances, the hidden virus could still prove a problem. A program or script that already has a foothold on the machine can create a stream as easily as the type command above did (a VBS file will do), and at least one mass-distributed virus has stored itself in streams this way (see http://craiu.pcnet.ro/papers/papers/potok.html). A programmer could write a simple script that copies a viral payload into a hidden stream on a file that is common and commonly used on all PCs, like notepad.exe, for example, and then launch it by naming the stream explicitly; on Windows 2000 and XP, start file:stream runs the executable stored in the stream rather than the file. Keep in mind that a stream can be attached to any item on an NTFS volume: a file, an empty directory, or even the root directory of the drive itself. That last case will never show up in any file listing, but you don’t have to reformat to get rid of it: a named stream can be deleted on its own, without touching the data it hangs off, by any tool that opens streams by name (the Win32 DeleteFile call accepts the file:stream form). A good resource page, with more than you ever wanted to know about Alternate Data Streams (and NTFS in general), is available at http://lists.gpick.com/pages/NTFS.htm. If you’re on a network that has at least one FAT-formatted hard drive, you can also get rid of a stream by copying the suspect file over to the FAT drive and back, since FAT has nowhere to store the extra stream (Windows XP even warns you that the stream will be lost). Instructions for manually removing ADS from files can be found at http://www.snausage.com/tutorials/ads.html
Do anti-virus programs work on these files? Most of the latest editions of the major ones do check files for hidden streams, but not all do; and if you have an older (more than 18 to 24 months old) virus program, it might not be checking for them at all! Note that I am not talking about a signature update, but a newer version of the program itself. ADS, as mentioned, was never a hidden aspect of Windows, but it was also not very well known, so many anti-virus programs never included code to open streams during a scan. One tried-and-true way for a stream to wreak havoc is simply to fill it with data; that doesn’t necessarily do anything to your system files other than consume your free space with junk. Eventually, your disk gets so full of it that the system just won’t work any more, and your only hint may be the interminable time it takes to load a program or a file; your anti-virus program probably won’t notice anything askew, because no rogue executable is running! Worse, nothing you can see explains where the space went: the drive’s free-space figure does go down, because the stream’s clusters are really allocated, but Explorer’s size column, a dir listing and a Find search all report only the default stream, so the files on your disk never add up to the space they are using.
Whether or not your anti-virus program is on the case, I do have a handy program you can download for free to deal with this problem. CrucialADS is a most useful tool that will scan an NTFS hard drive and search out files with Alternate Data Streams; when it finds one, it lists the file in red in the program window, with the name and other information about it. Note that Windows 2000 and XP ship with no built-in tool to find these files (later versions added dir /R and a -Stream parameter on PowerShell’s file cmdlets, but on XP you are out of luck); you’re forced to rely on the generosity of companies like Crucial Security, who, out of the goodness of their hearts, provide the computing community with very useful tools like this for free. It’s a good thing they’re nice enough not to hold suckers like us over a barrel and charge an arm and a leg for CrucialADS, which they could do. And what alternative would we have if they wanted to? If you want to use Windows, you’re stuck with ADS. When Microsoft gives you a “gift” like this, they don’t take no for an answer!
Get CrucialADS for free from http://www.crucialsecurity.com/downloads.html.
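For readers who would rather write their own CrucialADS-style sweep, and who want the “where did my disk space go” symptom from the previous section put into numbers, here is an added example in PowerShell 3.0 or later. It is not the column’s own code and not CrucialADS; the function name, its parameters and the list of streams it ignores by default are this example’s own choices.

```powershell
# Added example (not the article's, not CrucialADS): walk an NTFS tree, report every
# alternate data stream, flag streams that start with an executable (MZ) header, and
# total the bytes that Explorer's size column does not account for.
# Function name, parameters and the default ignore list are this example's own choices.

function Find-AlternateDataStreams {
    param(
        [Parameter(Mandatory)] [string] $Root,
        # Zone.Identifier is the "mark of the web" that browsers attach to downloads;
        # it is ubiquitous and benign, so it is skipped unless the caller says otherwise.
        [string[]] $IgnoreStreams = @('Zone.Identifier')
    )

    $findings = @()
    # Include the root itself so a stream hung off the top-level directory is found too.
    $items = @(Get-Item -LiteralPath $Root) +
             @(Get-ChildItem -LiteralPath $Root -Recurse -Force -ErrorAction SilentlyContinue)

    foreach ($item in $items) {
        # ':$DATA' is the default stream every file has; anything else is an ADS.
        $streams = Get-Item -LiteralPath $item.FullName -Stream * -ErrorAction SilentlyContinue |
                   Where-Object { $_.Stream -ne ':$DATA' -and $IgnoreStreams -notcontains $_.Stream }

        foreach ($s in $streams) {
            # Peek at the first two bytes of the stream: 'MZ' (0x4D 0x5A) marks a
            # Windows executable. Only done for files; directory streams are just listed.
            $isExe = $false
            if ($item -is [System.IO.FileInfo]) {
                $head = Get-Content -LiteralPath $item.FullName -Stream $s.Stream `
                                    -Encoding Byte -TotalCount 2 -ErrorAction SilentlyContinue
                $isExe = ($head.Count -eq 2 -and $head[0] -eq 0x4D -and $head[1] -eq 0x5A)
            }

            $findings += [pscustomobject]@{
                Path       = $item.FullName
                Stream     = $s.Stream
                Bytes      = $s.Length
                Executable = $isExe
            }
        }
    }
    return $findings
}

# Usage: scan the current user's profile (any NTFS directory, or a drive root, works).
$results = Find-AlternateDataStreams -Root $env:USERPROFILE
$results | Sort-Object Bytes -Descending | Format-Table -AutoSize
$total = ($results | Measure-Object -Property Bytes -Sum).Sum
"Bytes in named streams, invisible in Explorer's size column: {0:N0}" -f [int64]$total
```

The Executable column is what turns a size report into a finding worth chasing: a stream that begins with MZ on a text file or under a user’s profile has no business being there. The Bytes total is the number to compare against the gap between what the files on the drive appear to occupy and what the drive says is used. On PowerShell 7 replace -Encoding Byte with -AsByteStream; everything else is unchanged.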
Send comments or questions
to ds@newzgeek.com. Also check out http://www.newzgeek.com