Valuable Win2K feature or dangerous bug?
In July 1998, InfoWorld Security Watch columnists Stuart McClure and Joel Scambray wrote that NTFS alternate data streams present a threat to information security. McClure and Scambray maintain that malicious users can use alternate streams to hide infected code and that no existing antivirus product can detect or disinfect viruses within an alternate stream. Two years passed, and no one took steps to resolve the situation. In August 2000, two Czech hackers, under the pseudonyms Benny and Ratter, created the W2K.Stream virus. This virus, which cleverly uses alternate streams to carry infected files, is a harsh reminder of the NTFS feature's vulnerability.
What Are Alternate Data Streams?
Microsoft introduced alternate data streams in the early 1990s so that NTFS could act as a file server for Macintosh clients. The Mac OS uses alternate streams called resource forks on the Mac's Hierarchical File System (HFS) to store application metadata such as icons.
In Windows 2000, alternate streams hold summary information that you can specify for a file in its Windows Explorer properties. Unlike the FAT file system, in which files can consist of only one data stream, NTFS lets you create multiple data streams: independent executable modules and various service modules that contain additional data, such as file access rights, encryption, and date and time information. In fact, you can treat NTFS files as folders that contain other files. Figure 1 shows a simple representation of the default and alternate data streams.
When you open an NTFS file, the OS automatically executes only the main (i.e., default) stream. However, you can access data that resides in alternate streams by issuing a simple instruction:
<filename>:<stream name>
For example, if you want to open a stream called test.exe from the file calc.exe, you simply use the string
calc.exe:test.exe
You can invoke an alternate data stream from other files simply by placing the instruction into the program code. (For more information about alternate data streams, see Mark Russinovich, Internals, "Inside Win2K NTFS, Part 2," Winter 2000.)
Inherent Vulnerabilities
At first glance, alternate data streams might seem like a good idea, but let's consider them from a security standpoint. Alternate streams pose a serious threat because they can contain viruses and Trojan horses that are difficult for users and antivirus programs to detect.
In addition, Win2K by default automatically backs up NTFS files' main streams in protected folders (e.g., the Windows system folder) in case users mistakenly modify or delete those streams. However, the OS doesn't provide such a safeguard for alternate streams. Without hindrance or fear of discovery, any user can change, rename, or delete data in an alternate stream, even a stream in a file in the protected Windows system directory. Adding insult to injury, many popular antivirus products don't check alternate streams; they focus primarily on the main (default) stream. We're reminded of a lazy customs officer, who simply out of apathy doesn't bother to check suspicious multicompartmentalized baggage that might contain contraband.
The ultimate detector of hidden data in an alternate stream is an antivirus monitor that checks all files. These programs, which run in the background, monitor all major file operations (e.g., file openings and closings) and check each file for lurking viruses. Today, antivirus monitors fall into two main groups: monitors that check files with no regard to their name and extension, and monitors that do pay attention to the names and extensions. The second type of monitor doesn't recognize the filename syntax of alternate streams (i.e., a colon in a stream launch string), considers such files corrupted, and ignores them.
Because monitors have proved to be a reliable antivirus tool, most desktop systems now have them preinstalled. However, many network administrators prefer to use on-demand antivirus scanners, instead of monitors, on server systems. Scanners have less effect than monitors on a system's operating speed and stability, and they require far fewer system resources. Therefore, scanners permit the use of even the most heavyweight antivirus tools, such as heuristic code analyzers, redundant scans, and utilities that search inside compressed and archived files. Activating such options on a monitor could slow the operating speed of standalone computers and networks to a crawl.
Some antivirus experts believe that antivirus products don't need to check alternate streams to catch a hidden virus. Because Win2K automatically executes the default stream when a user opens a file, virus writers plant a starter in the default stream that invokes malicious code residing in the alternate stream. The experts' theory is that an antivirus product with no alternate stream support will still detect the starter in the main stream.
This theory has three important weaknesses. First, an antivirus product with no support for alternate streams can't disinfect an alternate stream; it can only inform a user about the infection. Second, because a virus can give random names to streams, scanning a main stream for a virus starter is like searching for a needle in a haystack. The average antivirus scanner can't determine whether a particular starter accesses harmless data or invokes a malicious program from an alternate stream. Third, at least five methods exist for invoking programs from alternate streams without modifying the default stream. Malicious users can take advantage of these methods to prevent monitors and scanners from detecting a virus.
You might be thinking that if an intruder plants a virus inside an alternate stream, the virus will increase the host file's size, at which point an alert user or integrity-checking software could detect the invader. Unfortunately, standard methods of file viewing report only on the default stream size. Thus, even if a file includes an alternate stream that carries a virus several megabytes in size, you can't see the change unless you have installed dedicated viewing software on the computer.
Integrity-checking technology has been very successful as add-on software for virus protection. An integrity checker's mode of operation is based on a collection of original prints (i.e., cyclic redundancy check, or CRC, values) of files and system sectors. These prints reside in the integrity checker's database. At startup, the integrity checker compares information from its database against current prints and informs the user when changes have occurred. This technology, along with scanners and monitors, can increase the efficiency and reliability of any enterprise's security policy.
Through years of successful operation, integrity checkers have developed many effective methods to battle even the trickiest viruses, including stealth viruses that deceive most antivirus software by temporarily substituting clean files for infected files during virus checks. However, no known integrity checkers can detect changes in alternate data streams. The current research into high-end antivirus technologies still neglects a loophole that lets malicious users create invulnerable viruses by exploiting a simple, well-known NTFS feature.
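The following script is an added example, not part of the original article or any product it mentions. It shows the defensive counterpart to the two points above: it enumerates every stream of every file under a directory using the file:stream naming the article describes, hashes each one (the default stream and all alternates), and compares the result with a saved baseline, so that an alternate stream added to or changed in a file is reported rather than hidden behind an unchanged default-stream size. It assumes Windows PowerShell 5.1 or PowerShell 7 on an NTFS volume; the Root and Baseline paths are constructed placeholders.

```powershell
# Added example: baseline and compare every NTFS data stream, including alternates.
param(
    [string]$Root     = 'C:\Temp\ads-demo',           # directory to baseline (constructed path)
    [string]$Baseline = 'C:\Temp\ads-baseline.json'   # baseline store (constructed path)
)

function Get-StreamHash {
    param([string]$Path, [string]$Stream)
    # The default stream is named ':$DATA'; Get-FileHash handles it directly.
    if ($Stream -eq ':$DATA') { return (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash }
    # Alternate streams are read as raw bytes; the byte-mode switch differs by PowerShell version.
    if ($PSVersionTable.PSVersion.Major -ge 6) {
        $bytes = Get-Content -LiteralPath $Path -Stream $Stream -AsByteStream -Raw
    } else {
        $bytes = Get-Content -LiteralPath $Path -Stream $Stream -Encoding Byte -Raw
    }
    if ($null -eq $bytes) { $bytes = [byte[]]@() }    # zero-length stream
    $sha = [System.Security.Cryptography.SHA256]::Create()
    try { ([System.BitConverter]::ToString($sha.ComputeHash($bytes))).Replace('-', '') }
    finally { $sha.Dispose() }
}

function Get-StreamSnapshot {
    param([string]$Root)
    $snap = @{}
    Get-ChildItem -LiteralPath $Root -File -Recurse | ForEach-Object {
        # -Stream * lists the default stream and every alternate stream of the file
        Get-Item -LiteralPath $_.FullName -Stream * | ForEach-Object {
            $key = '{0}:{1}' -f $_.FileName, $_.Stream      # same file:stream syntax as the article
            $snap[$key] = Get-StreamHash -Path $_.FileName -Stream $_.Stream
        }
    }
    return $snap
}

$current = Get-StreamSnapshot -Root $Root
if (-not (Test-Path -LiteralPath $Baseline)) {
    $current | ConvertTo-Json | Set-Content -LiteralPath $Baseline
    Write-Output "Baseline written: $($current.Count) streams"
    return
}
$old = @{}
(Get-Content -LiteralPath $Baseline -Raw | ConvertFrom-Json).PSObject.Properties |
    ForEach-Object { $old[$_.Name] = $_.Value }

foreach ($k in $current.Keys) {
    if (-not $old.ContainsKey($k))     { Write-Output "NEW     $k" }   # e.g. a newly planted alternate stream
    elseif ($old[$k] -ne $current[$k]) { Write-Output "CHANGED $k" }
}
foreach ($k in $old.Keys) {
    if (-not $current.ContainsKey($k)) { Write-Output "REMOVED $k" }
}
```

Run it once to write the baseline and again after the files have been in use; a file whose default stream is untouched but that gains an alternate stream shows up as a NEW entry, which is exactly what a default-stream-only integrity checker misses.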