Threat Level: green Handler on Duty: Didier Stevens

SANS ISC: Windows Alternate Data Streams Revisited SANS ISC InfoSec Forums

Participate: Learn more about our honeypot network

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
Windows Alternate Data Streams Revisited
An oldie but goodie has reared its familiar head, this time in the manner of a posting to Bugtraq and Full Disclosure lists. Windows NTFS supports multiple streams of data for any given file ( While the functions that access ADSs are clearly defined by Microsoft, very few Windows tools can view these alternate data strams (ADS) without some added help. In addition, many third-party sotware developers ignore the possible presence of ADSs, thus providing a wonderful storage location for malicious code.

The Bugtraq posting mentions a few antivirus tools that fail to detect known malware when stored as ADSs. The Internet Storm Center has not tested any of these claims, but we have no reason to dispute them as we have seen this time and time again.

Ryan Means wrote an excellent paper (GCFW honors) that discusses Alternate Data Streams in depth, presents a number of tools to locate and manipulate ADSs, and presents an extension to Windows Explorer to directly report the presence of ADSs. You can pull it from the SANS Reading Room at:

25 Posts
Jun 6th 2006

Sign Up for Free or Log In to start participating in the conversation!