Vulnerability Development mailing list archives

RE: How to hide a file ?


From: "John Stauffacher" <stauffacher () chapman edu>
Date: Tue, 8 Jan 2002 12:10:06 -0800

Grep'd from: http://www.heysoft.de/nt/ntfs-ads.htm

"cat visible.txt:hidden.exe > hack.exe. This will create a file hack.exe
from the hidden stream hidden.exe in the file visible.txt. 

(Cat is a tool from the Resource Kit.)"

also check out: LADS: http://www.heysoft.de/nt/lads.zip

Grep'd from http://www.cknow.com/vtutor/vtntfsads.htm

" An alternate stream file can't be executed directly because of the
colon in the name (which is only used for drive letters at the command
prompt), but the files can be exploited by viruses that make their way
into files saved as part of the normal stream. In one such exploit the
virus (Streams) creates a copy of itself as a temporary EXE file and
then copies the original EXE file as an ADS file attached to the
temporary EXE file. The temporary EXE file is then renamed to the
original EXE name. Now, when the user tries to run the original file
they actually run the virus which does its thing and then sends the
original program file to the operating system which then runs the
program. The only thing you might see is a slight delay in program
start."


++
John Stauffacher
Network Administrator
Chapman University
stauffacher () chapman edu
714-628-7249

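The create/list/extract steps behind the quoted "cat visible.txt:hidden.exe > hack.exe" line, plus a LADS-style sweep for named streams, done with PowerShell's -Stream parameters. This is an added example, not code from John's post or from the heysoft/cknow pages he quotes; the working directory, file names and payload bytes are assumptions made for the example, and it needs Windows PowerShell 5.1 or PowerShell 7 on an NTFS volume.

```powershell
# Added example (not from the thread). Windows, NTFS volume; the directory,
# file names and payload bytes below are assumptions for the demonstration.
$work = Join-Path $env:TEMP 'ads-demo'
New-Item -ItemType Directory -Path $work -Force | Out-Null

# ADS is an NTFS feature: on FAT/exFAT every -Stream call below fails.
$fs = (New-Object System.IO.DriveInfo (Split-Path $work -Qualifier)).DriveFormat
if ($fs -ne 'NTFS') { throw "ADS needs NTFS; $work is on $fs" }

# Raw bytes: Windows PowerShell 5.1 uses -Encoding Byte, PowerShell 7 uses -AsByteStream.
$byteArgs = if ($PSVersionTable.PSVersion.Major -ge 6) { @{ AsByteStream = $true } }
            else { @{ Encoding = 'Byte' } }

$visible = Join-Path $work 'visible.txt'
Set-Content -Path $visible -Value 'nothing to see here'   # the unnamed stream, :$DATA

# Constructed payload standing in for hidden.exe: an 'MZ' header plus filler.
$payload = [byte[]](0x4D, 0x5A, 0x90, 0x00, 0x03, 0x00, 0x00, 0x00)
Set-Content -Path $visible -Stream 'hidden.exe' -Value $payload @byteArgs

# dir and Explorer report only the unnamed stream's size; -Stream * shows both.
Get-Item -Path $visible | Select-Object Name, Length
Get-Item -Path $visible -Stream * | Select-Object Stream, Length
# cmd's dir /R (Vista and later) is the built-in check for one directory.
cmd /c "dir /R `"$work`""

# Equivalent of the quoted "cat visible.txt:hidden.exe > hack.exe".
$hack  = Join-Path $work 'hack.exe'
$bytes = Get-Content -Path $visible -Stream 'hidden.exe' -Raw @byteArgs
Set-Content -Path $hack -Value $bytes @byteArgs
if (($bytes -join ',') -ne ($payload -join ',')) { throw 'extracted bytes differ from payload' }

# LADS-style sweep: every named stream under $work except the default :$DATA.
# Zone.Identifier (mark-of-the-web) streams are common and benign; anything
# else, especially on an executable, deserves a look.
Get-ChildItem -Path $work -Recurse -File | ForEach-Object {
    Get-Item -LiteralPath $_.FullName -Stream * |
        Where-Object { $_.Stream -ne ':$DATA' }
} | Select-Object FileName, Stream, Length

# Deleting the stream removes the hidden content without touching the visible data.
Remove-Item -Path $visible -Stream 'hidden.exe'
```

The sweep is the check a practitioner actually wants from this thread: named streams are invisible to dir, Explorer and most backup tools, so a periodic enumeration (or the LADS tool John links) is the only way to know they exist. Copying a file to a FAT volume or sending it through a non-NTFS-aware channel silently drops the named streams, which is both a limitation of the hiding trick and a way to strip it.
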
-----Original Message-----
From: Matthew LaGrange [mailto:lagra100 () chapman edu] 
Sent: Tuesday, January 08, 2002 11:41 AM
To: vuln-dev () security-focus com
Subject: RE: How to hide a file ?

I was reading that there are 5 ways of running an exe with ADS in NTFS 5;
how is that done other than with start?
-Matthew

-----Original Message-----
From: Altheide, Cory [mailto:CAltheide () broadband att com] 
Sent: Tuesday, January 08, 2002 10:25 AM
To: vuln-dev () security-focus com
Subject: RE: How to hide a file ?

It's not an incredibly crucial issue, no, but if you create an ADS on, say,
explorer.exe, it alters the modified date.  When doing a cursory
examination of the last modified files, explorer.exe would look fairly
suspicious.

Pagefile.sys, however, would not. ;)

Cory Altheide
Internet Security Coordinator
AT&T Broadband Legal Demands Center
 

-----Original Message-----
From: H C [mailto:keydet89 () yahoo com]
Sent: Tuesday, January 08, 2002 11:22 AM
To: Altheide, Cory; vuln-dev () security-focus com
Subject: RE: How to hide a file ?


Cory,

Just a quick note on hiding using data streams...

> While the streams themselves are transparent, creating an alternate data
> stream does alter the modified date of the "parent" file.

You're correct, but I'm not sure where that's really
even an issue.

'touch' utilities are trivial.  In fact, I recently
put a Perl script up on my site that shows
programmatically how to do this via the Win32 API. 
Nothing new, of course, other than the fact that the
script allows the user to change the creation date, as
well as the last access and write times.

However, I started a separate thread on this issue on
the Forensics list, so I won't belabour it here...


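The two points Cory and H C make, shown end to end: adding a named stream moves the parent file's LastWriteTime, and all three timestamps can then be reset to any value (what H C's Perl script does through the Win32 API; here through .NET's FileInfo setters, which call SetFileTime underneath). This is an added example, not code from either post; the directory, file name and the chosen date are assumptions, and it needs Windows on an NTFS volume.

```powershell
# Added example (not from the thread). Windows, NTFS volume; the directory,
# file name and the 2001 timestamp are assumptions for the demonstration.
$work = Join-Path $env:TEMP 'ads-demo'
New-Item -ItemType Directory -Path $work -Force | Out-Null
$parent = Join-Path $work 'parent.txt'

Set-Content -Path $parent -Value 'ordinary contents'
$before = (Get-Item -Path $parent).LastWriteTime
Start-Sleep -Seconds 2   # make the change in LastWriteTime unambiguous

# Writing a named stream is a write to the file: LastWriteTime advances even
# though the unnamed stream (what a reader sees) is unchanged.
Set-Content -Path $parent -Stream 'hidden.txt' -Value 'payload'
$after = (Get-Item -Path $parent).LastWriteTime
"Adding a stream moved LastWriteTime: $($after -gt $before)  ($before -> $after)"
"Visible contents unchanged: $((Get-Content -Path $parent) -eq 'ordinary contents')"

# The 'touch' step H C describes: set creation, last-access and last-write
# times to a chosen value. FileInfo's setters call SetFileTime, the same
# Win32 call a Perl or C touch utility uses.
$stamp = Get-Date '2001-08-17 09:00:00'
$item = Get-Item -Path $parent
$item.CreationTime   = $stamp
$item.LastAccessTime = $stamp
$item.LastWriteTime  = $stamp

Get-Item -Path $parent | Select-Object Name, CreationTime, LastAccessTime, LastWriteTime

# What Cory's cursory "most recently modified" check sees afterwards:
# parent.txt now sorts with 2001, not with today.
Get-ChildItem -Path $work -File | Sort-Object LastWriteTime -Descending |
    Select-Object Name, LastWriteTime
```

One caveat a forensic examiner would add: SetFileTime only rewrites the $STANDARD_INFORMATION timestamps in the file's MFT record. The $FILE_NAME attribute in the same record carries its own set of timestamps that this call does not touch, so a $STANDARD_INFORMATION time earlier than the $FILE_NAME time, or a time with a suspiciously round value, is the usual tell that the stamps were set by hand rather than by normal file activity.
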
