How easy it is to hide a virus in NTFS

How do we identify malware hooked into a legitimate file?

When malware is hooked into a file, the file size changes and the functionality might differ. However, NTFS provides a feature called ADS (Alternate Data Streams) with which we can hook any executable binary (say, a trojan) into any other executable binary (a legitimate file) without any change. Even the MD5 hash remains the same, because hashing tools read only the file's main, unnamed data stream.

C:\> type c:\windows\system32\notepad.exe > calc.exe:notepad.exe

C:\> start calc.exe                  (starts the normal calculator program)

C:\> start calc.exe:notepad.exe      (starts notepad.exe and, surprisingly, Task Manager shows calc.exe in its process list)

Unfortunately, we cannot disable ADS :(, and the MD5 hash is unchanged for both the original and the infected file.

Freeware programs like lads.exe by Frank Heyne and crucialADS by CrucialSecurity can be used to manually audit your files for the presence of Alternate Data Streams. Alternatively, moving a file to a file system that doesn't support ADS will automatically destroy any Alternate Data Streams.
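The same audit can be done with PowerShell's built-in stream support. The script below is an added example, not part of the original post or of the tools named above; it lists every named stream under a folder and flags those that begin with the "MZ" executable header. The $Root parameter and its default value are assumptions, so point it at the folder you want to audit.

```powershell
# Added example: audit a directory tree for named NTFS streams (ADS).
# $Root is an assumed parameter; set it to the folder to audit.
param([string]$Root = 'C:\Windows\System32')

# The switch for reading raw bytes differs between Windows PowerShell 5.1
# and PowerShell 6+, so pick the right one and splat it into Get-Content.
$byteArgs = if ($PSVersionTable.PSVersion.Major -ge 6) {
    @{ AsByteStream = $true }
} else {
    @{ Encoding = 'Byte' }
}

# -File limits the walk to files; -Force includes hidden and system files.
Get-ChildItem -LiteralPath $Root -File -Recurse -Force -ErrorAction SilentlyContinue |
ForEach-Object {
    $file = $_
    # ':$DATA' is the unnamed main stream every file has.
    # Any other stream name is an Alternate Data Stream.
    Get-Item -LiteralPath $file.FullName -Stream * -ErrorAction SilentlyContinue |
    Where-Object { $_.Stream -ne ':$DATA' } |
    ForEach-Object {
        # Read the first two bytes of the stream and compare with "MZ" (0x4D 0x5A),
        # the signature at the start of a Windows executable.
        $head = Get-Content -LiteralPath $file.FullName -Stream $_.Stream `
                    -TotalCount 2 @byteArgs -ErrorAction SilentlyContinue
        $isPe = ($head.Count -eq 2 -and $head[0] -eq 0x4D -and $head[1] -eq 0x5A)

        [pscustomobject]@{
            File                = $file.FullName
            Stream              = $_.Stream
            Length              = $_.Length
            LooksLikeExecutable = $isPe
        }
    }
} |
Sort-Object LooksLikeExecutable -Descending |
Format-Table -AutoSize
```

Streams named Zone.Identifier are the download marker Windows adds to files saved from the internet and are expected; a stream whose LooksLikeExecutable column is True is the case described in this post and deserves a closer look.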


About wikihead

A Seeker. Information Security Professional, Pursuing Life with Ayurveda.