
ADS - Alternate Data Stream and code-signing



NewsArchive
10-20-2015, 01:52 AM
Hello friedrich,

just for my understanding:

When one downloads a file from the web onto an NTFS drive, another file with
ADS data gets stored. Something like:
Setup.EXE:Zone.Identifier:$DATA

You can make this critter visible with dir /R.

This file has 26 bytes; its contents are a text which says from which zone this
downloaded file originates. In most cases it says it's from Zone 3, untrusted
web. It seems as if this zone model is equivalent to the one in the Settings of
the Internet Explorer.

DOS-box:

type < your.exe:Zone.Identifier:$DATA

When the downloaded file is code-signed, the OS assumes it to be trusted, no
matter what comes with the ADS?

Or when it's code-signed and has earned Reputation?

Or does it have nothing to do with it?

Thanks in advance.

( ADS => https://en.wikipedia.org/wiki/Fork_%28file_system%29 )

More details:

http://woshub.com/how-windows-determines-that-the-file-has-been-downloaded-from-the-internet/





Regards,
Wolfgang Orth
www.odata.de
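A small parser for the Zone.Identifier stream described above, added here as an example and not taken from the thread. `read_zone_identifier` opens the stream through the `file:stream` path syntax, which only works on NTFS under Windows; the sample content is constructed and shows the 26-byte layout the post mentions.

```python
from typing import Optional

# Zone ids used by the Zone.Identifier stream (the Internet Explorer zone
# model the post mentions).
URL_ZONES = {0: "Local machine", 1: "Local intranet", 2: "Trusted sites",
             3: "Internet", 4: "Restricted sites"}

# Constructed sample: typical stream content for a file downloaded from the
# Internet. It is exactly 26 bytes, the size quoted in the post.
SAMPLE_STREAM = b"[ZoneTransfer]\r\nZoneId=3\r\n"


def parse_zone_identifier(data: bytes) -> dict:
    """Parse the INI-style [ZoneTransfer] section of the stream.

    'ZoneId' is returned as an int; keys newer Windows versions add
    (ReferrerUrl, HostUrl) as str. Malformed lines are ignored.
    """
    result, in_section = {}, False
    for raw in data.decode("utf-8", errors="replace").splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].lower() == "zonetransfer"
            continue
        if not in_section or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if key == "ZoneId":
            if value.isdigit():  # a bad ZoneId is left unset, not guessed
                result[key] = int(value)
        else:
            result[key] = value
    return result


def zone_name(data: bytes) -> Optional[str]:
    """Readable zone for stream content, None if there is no valid ZoneId."""
    return URL_ZONES.get(parse_zone_identifier(data).get("ZoneId"))


def read_zone_identifier(path: str) -> Optional[bytes]:
    """Read <path>:Zone.Identifier on NTFS (Windows only); None if absent."""
    try:
        with open(path + ":Zone.Identifier", "rb") as fh:
            return fh.read()
    except OSError:  # no stream, not NTFS, or not running on Windows
        return None
```

On a Windows machine, `zone_name(read_zone_identifier(r"C:\path\to\Setup.EXE") or b"")` gives the same answer as the `type <` command above, but as a value a script can act on.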

NewsArchive
10-20-2015, 03:14 AM
Hi Wolfgang,

In four words: I HAVE NO IDEA <g>

I have never ever heard of ADS-data, etc. I am sorry.

Friedrich

NewsArchive
10-21-2015, 02:04 AM
Hi Friedrich,

> In four words: I HAVE NO IDEA <g>
>
> I have never ever heard of ADS-data, etc. I am sorry.

It's basically a file in the "shadow" of the primary file. It's not
visible unless you know the secret handshake to Explorer to make it
visible. It is part of the NTFS file system. It's a great place for
malware and viruses to hide out in;)

See:
https://en.wikipedia.org/wiki/NTFS#Alternate_data_streams_.28ADS.29
http://www.windowsecurity.com/articles-tutorials/windows_os_security/Alternate_Data_Streams.html
http://blogs.technet.com/b/askcore/archive/2013/03/24/alternate-data-streams-in-ntfs.aspx
https://www.bing.com/search?q=alternate+data+streams&PC=U316&FORM=CHROMN


Here is my experience with ADS<g>

Years ago I bought the Kaspersky virus (yes, it's a virus IMO;) I think
it was version 5. I ran it for quite a while and it worked fine. Then
the next version came out. When I started it, it came up with some
ridiculous time estimate to do the scan, like 60 hours. Normally it
would take an hour or so. I let it chew on it for a while, thinking it
was just bad at estimating. After an hour the estimate had gone up by
about 10 hours.

I stopped it and started investigating and researching and finally found
what was going on. Turned out, that the previous version had added ADS
information to EVERY SINGLE file on my drive and I had over 3 million of
them! The new version was removing this information, which was the
reason for the extraordinary time it was taking to do the first scan.

I had never heard of ADS before this experience. Back then you could
actually see the ADS info in Explorer if you did some trickery - MS
plugged that option in XP SP2 or SP3 if I remember correctly. You could
also see the difference in size of the visible file and the actual file
with the ADS size added. You could also, in Notepad, save to the ADS
shadow file, by using a specific file name spec, which I don't remember
any more. Could have been something like "myfile.txt" and then
"myfile.txt:myshadow" for the ADS. If I remember correctly you could
have multiple so you could have a txt file that showed up as 0 byte in
Explorer and Total Commander, but actually occupied megabytes on the drive!

I removed Kaspersky and have never and will never ever use that
product. EVER. NEVER<g>

I found a utility that could remove ADS information and let it loose.
After about 40 hours and one million files cleaned, I gave up. I'm sure
I still have some files with that old ADS crap from Kaspersky embedded.
Did I say I'll never use that product? I won't!<g>

Best regards,

--
Arnor Baldvinsson
Icetips Alta LLC

NewsArchive
10-21-2015, 02:17 AM
Hi Arnor,

Very interesting! Thanks for sharing the information!!!

Friedrich