In July 1998, InfoWorld Security Watch columnists Stuart McClure and Joel Scambray wrote that NTFS alternate data streams present a threat to information security. McClure and Scambray maintain that malicious users can use alternate streams to hide infected code and that no existing antivirus product can detect or disinfect viruses within an alternate stream. Two years passed, and no one took steps to resolve the situation. In August 2000, two Czech hackers, under the pseudonyms Benny and Ratter, created the W2K.Stream virus. This virus, which cleverly uses alternate streams to carry infected files, is a harsh reminder of the NTFS feature's vulnerability.
What Are Alternate Data Streams?
Microsoft introduced alternate data streams in the early 1990s so that NTFS could act as a file server for Macintosh clients. The Mac OS uses alternate streams called resource forks on the Mac's Hierarchical File System (HFS) to store application metadata such as icons.
In Windows 2000, alternate streams hold summary information that you can specify for a file in its Windows Explorer properties. Unlike the FAT file system, in which files can consist of only one data stream, NTFS lets you create multiple data streams—independent executable modules and various service modules that contain additional data such as file access rights, encryption, and date and time information. In fact, you can treat NTFS files as folders that contain other files. Figure 1 shows a simple representation of the default and alternate data streams.
When you open an NTFS file, the OS automatically executes only the main (i.e., default) stream. However, you can access data that resides in alternate streams by issuing a simple instruction:
For example, if you want to open a stream called test.exe from the file calc.exe, you simply use the string
You can invoke an alternate data stream from other files simply by placing the instruction into the program code. (For more information about alternate data streams, see Mark Russinovich, Internals, "Inside Win2K NTFS, Part 2," Winter 2000.)
At first glance, alternate data streams might seem like a good idea, but let's consider them from a security standpoint. Alternate streams pose a serious threat because they can contain viruses and Trojan horses that are difficult for users and antivirus programs to detect.
In addition, Win2K by default automatically backs up NTFS files' main streams in protected folders (e.g., the Windows system folder) in case users mistakenly modify or delete those streams. However, the OS doesn't provide such a safeguard for alternate streams. Without hindrance or fear of discovery, any user can change, rename, or delete data in an alternate stream—even a stream in a file in the protected Windows system directory. Adding insult to injury, many popular antivirus products don't check alternate streams—they focus primarily on the main (default) stream. We're reminded of a lazy customs officer, who simply out of apathy doesn't bother to check suspicious multicompartmentalized baggage that might contain contraband.
The ultimate detector of hidden data in an alternate stream is an antivirus monitor that checks all files. These devices, which run in the background, monitor all major file operations (e.g., file openings and closings) and check each file for lurking viruses. Today, antivirus monitors fall into two main groups: monitors that check files with no regard to their name and extension and monitors that do pay attention to the names and extensions. The second type of monitor doesn't recognize the filename syntax of alternate streams (i.e., a colon in a stream launch string), considers such files corrupted, and ignores them.
Because monitors have proved to be a reliable antivirus tool, most desktop systems now have them preinstalled. However, many network administrators prefer to use on-demand antivirus scanners—instead of monitors—on server systems. Scanners have less effect than monitors on a system's operating speed and stability, and they require far fewer system resources. Therefore, scanners permit the use of even the most heavyweight antivirus tools, such as heuristic code analyzers, redundant scans, and utilities that search inside compressed and archived files. Activating such options on a monitor could slow the operating speed of standalone computers and networks to a crawl.
Some antivirus experts believe that antivirus products don't need to check alternate streams to catch a hidden virus. Because Win2K automatically executes the default stream when a user opens a file, virus writers plant a starter in the default stream that invokes malicious code residing in the alternate stream. The experts' theory is that an antivirus product with no alternate stream support will still detect the starter in the main stream.
This theory has three important weaknesses. First, an antivirus product with no support for alternate streams can't disinfect an alternate stream—it can only inform a user about the infection. Second, because a virus can give random names to streams, scanning a main stream for a virus starter is like searching for a needle in a haystack. The average antivirus scanner can't determine whether a particular starter accesses harmless data or invokes a malicious program from an alternate stream. Third, at least five methods exist for invoking programs from alternate streams without modifying the default stream. Malicious users can take advantage of these methods to prevent monitors and scanners from detecting a virus.
You might be thinking that if an intruder plants a virus inside an alternate stream, the virus will increase the host file's size—at which point, an alert user or integrity-checking software could detect the invader. Unfortunately, standard methods of file viewing report only on the default stream size. Thus, even if a file includes an alternate stream that carries a virus several megabytes in size, you can't see the change unless you have installed dedicated viewing software on the computer.
Integrity-checking technology has been very successful as add-on software for virus protection. An integrity checker's mode of operation is based on a collection of original prints (i.e., cyclical redundancy check—CRC—values) of files and system sectors. These prints reside in the integrity checker's database. At startup, the integrity checker compares information from its database against current prints and informs the user when changes have occurred. This technology, along with scanners and monitors, can increase the efficiency and reliability of any enterprise's security policy.
Through years of successful operation, integrity checkers have developed many effective methods to battle even the trickiest viruses, including stealth viruses that deceive most antivirus software by temporarily substituting clean files for infected files during virus checks. However, no known integrity checkers can detect changes in alternate data streams. The current research into high-end antivirus technologies still neglects a loophole that lets malicious users create invulnerable viruses by exploiting a simple, well-known NTFS feature.
See for Yourself
To witness the vulnerability of alternate streams, you can conduct a simple experiment that tries the five known methods by which viruses can be activated from alternate streams. All you need is a Win2K Professional system with NTFS installed.
The three file formats that malicious users most commonly use for computer viruses are .exe, .vbs, and .cmd. For this experiment, select or create on your system a file of each format. In our testing, we used the Calculator program (i.e., calc.exe) and wrote two programs, which we named test.vbs and test.cmd. To create test.vbs, we used the instruction
MsgBox "Hello World! (this is VBS file)"
To create test.cmd, we used the instruction
@Echo Hello World! (this is CMD file) @Pause
If you don't include the @Pause statement in test.cmd, Win2K will immediately close the command-prompt window.
Next, choose one more .exe file that you'll use as a dummy file, and be sure to back up the file before you begin. We used the Notepad program (i.e., notepad.exe), from the Windows system directory, as the dummy file.
Now, use the following instructions to copy your three programs to an alternate stream in the dummy file:
type calc.exe > notepad.exe:calc.exe type test.vbs > notepad.exe:test.vbs type test.cmd > notepad.exe:test.cmd
Your dummy file, notepad.exe, now contains three alternate data streams: calc.exe, test.vbs, and test.cmd. Follow the instructions below to use the five known methods to run these alternate streams.
- Select Start, Run, and type this instruction for each stream (include no spaces in the command):
- At the command line, type this instruction for your .vbs stream:
- Create three shortcuts on your Windows desktop, and link each of them to the corresponding stream in the dummy file. As we expected, our test displayed the test.vbs and calc.exe windows and test.cmd failed to start. This scenario proves that .exe and .vbs programs can reach alternate streams through shortcuts. Interestingly, the Notepad shortcuts' icons changed to icons that represent the programs in the alternate streams, as Figure 4, page 48, shows.
- In the Windows Startup folder, instruct Win2K to run the programs that reside in the alternate data streams. Then, reboot the computer or log on again. In our test, the test.vbs and calc.exe windows automatically appeared at startup. The test.cmd file failed to run.
- Modify the registry subkey that controls auto-run programs, as follows: HKEY_ LOCAL_MACHINE\SOFTWARE\Microsoft\ Windows\CurrentVersion\RunTest=%WIN DIR%\notepad.exe:stream name. For example, HKEY_LOCAL_MACHINE\SOFTWARE\ Microsoft\Windows\CurrentVersion\Run, followed by
file:\\%windir%\notepad.exe: <stream name>
file:\\%windir%\notepad.exe:test.vbs file:\\%windir%\notepad.exe:calc.exe file:\\%windir%\notepad.exe:test.cmd
Win2K should launch the .vbs and .exe programs in the alternate data stream with no trouble. Figures 2 and 3 show the results of running the test.vbs and calc.exe programs, respectively. The .cmd program should fail to run.
wscript notepad.exe:<stream name>
In our test, this command opened the same dialog box that Figure 2 shows.
- test1=%WINDIR%\notepad.exe:test .vbs
- test2=%WINDIR%\notepad.exe:calc .exe
- test3=%WINDIR%\notepad.exe:test .cmd
When we rebooted the computer, Win2K executed test.vbs and calc.exe without introducing any modifications to the notepad.exe main stream.
These experiments show that you can use a variety of methods to open .vbs and .exe files in alternate streams. However, attempts to start a .cmd file failed, confirming that Win2K doesn't let you run files of this type directly from alternate data streams. Regardless, you can clearly see that malicious users can add a program to an alternate data stream without modifying the default stream, giving antivirus scanners no starter to detect.
What About W2K.Stream?
So, is the W2K.Stream virus worth the attention that the global technology media paid to it in September 2000? As many antivirus companies' press releases stated, the virus itself poses no real threat. W2K .Stream carries no serious payload; it simply self-replicates. In addition, although W2K.Stream can potentially spread, the virus wasn't detected "in the wild." However, W2K.Stream is important because it proved that alternate streams can hide malicious code.
W2K.Stream replaces the default stream's original content with the alternate stream's virus code and moves the default stream's original content to the alternate stream. (After infection, the file's original content is available in an alternate stream named STR.) When a user executes an infected file, the virus code in the default stream runs first, then passes control to the original program in the alternate stream. Figure 5 shows a representation of this process. Because the virus code resides in the default stream, most antivirus scanners can detect it; however, future viruses that take advantage of alternate streams might try the opposite approach—placing the virus securely inside an alternate stream—and easily evade current antivirus scanners.
Ratter, one of W2K.Stream's authors, has published an article about developing viruses for NTFS alternate data streams. (The article, "Viruses in NTFS," is published in Czech and is available at http://viry.bonusweb.cz/kniha_o_virech/ntfs.html.) Most virus-related Web sites have reproduced the article, sparking a lively discussion among virus writers. The consensus is that alternate data streams represent a primary breeding ground for future computer viruses.
Feature or Bug?
Are alternate data streams a useful feature or a security breach that we need to close sooner rather than later? Despite the vulnerabilities inherent in their structure, multiple streams are an essential NTFS component. Alternate streams give files better flexibility and scalability, so working with files and disks becomes easier and more comfortable. The feature's advantages are more ap-parent when you compare NTFS with the FAT file system.
If we don't want to give up the advantages of alternate streams, we must insist that antivirus tools check these streams. Since 1998, very few antivirus companies have added alternate stream support to their products. Support for alternate data streams must become an industry standard—and the sooner the better.