Two Data-Hiding Techniques

Hiding files on the NTFS level and the share level

Jan De Clercq

July 16, 2006


Windows OSs support two little-known data-hiding features: NTFS data streams (also known as alternate data streams) and share-level Access-based Enumeration (ABE). Alternate data streams provide a way to attach hidden information, such as file summary data, to a file. You probably won't make use of alternate data streams yourself, but malicious users can take advantage of this technology to your disadvantage, so you need to be aware of what it is and how it can be used against you.

ABE is something you can use to your benefit: It lets you suppress the visibility of folders and files in a share from users who don't have permissions to access them. Here's what you need to know about these features.

Tributaries of the Data Sea
Alternate data streams are a feature of the NTFS file system. They were originally added to Windows NT 3.1 to let NT and Macintosh users exchange files.

An NTFS file is composed of data streams: a $DATA default data stream that consists of the file's contents, and possibly one or more alternate data streams. Anyone with the necessary permissions to the file can see that the $DATA data stream exists and can open it, read it, and write to it.

An alternate data stream is additional information or files that a user or application can attach to an NTFS file. Only the user who created the alternate data stream will be aware of its existence. In general, users won't know if an alternate data stream is attached to a file because the stream's content and name aren't visible and you won't see a change in the file size.

Alternate data streams are used in many ways. Windows uses alternate data streams to store summary data for non-Microsoft Office documents such as simple text (.txt) files. You can enter file summary data, such as title, subject, and author information, on the Summary tab of a file's Properties dialog box. The summary data is stored in an alternate data stream named SummaryInformation.

Windows applications such as Encrypting File System (EFS) and Windows Explorer leverage alternate data streams to attach file-specific data to files stored on NTFS-formatted drives. EFS uses alternate data streams to attach encryption and recovery data to encrypted files, enabling EFS to provide decentralized file encryption and recovery services.

Microsoft Internet Explorer (IE) in Windows XP Service Pack 2 (SP2) uses an alternate data stream named Security.Zone to safeguard the security zone classification of files that are stored on an NTFS volume. As a result, IE can block elevation-of-privilege attacks that could occur when a user downloads a piece of malicious code from an untrusted Internet security zone and saves the code to the local hard disk. IE classifies locally saved content in the Local Machine security zone, which has more privileges than the Internet security zone. XP SP2 always checks the Security.Zone information before allowing downloaded code to do anything on the local system.

Malware Vehicle
What makes alternate data streams interesting and dangerous is that their names and content don't appear in Windows Explorer. Thus, alternate data streams are a very attractive way for attackers to hide information or malicious code on a system. The VBS.Potok@mm worm is an example: Hackers leveraged an alternate data stream to attach several Visual Basic (VB) scripts to the existing ODBC.ini file. When the worm executed, it created an account with administrative privileges and sent itself to the addresses it found in the Microsoft Outlook Address Book.

Another dangerous characteristic is that the space allocated to alternate data streams doesn't show up in Windows Explorer's size and free-space data. A hacker could use alternate data streams to fill up a file server's disk space, and the administrator would be clueless as to the cause of the problem. Also, the Dir command-line utility doesn't take alternate data streams into account during its size calculations. As I write, the only Microsoft tool that does consider alternate data streams in its size calculations is Chkdsk.

Adding a New Stream
Anyone who has write permission to an NTFS file can use common OS commands to attach an alternate data stream to the file. For example, the following command creates an alternate data stream called mystream, attaches mystream to a file named file.txt, and stores the phrase "top secret" in mystream:

echo top secret > file.txt:mystream 

You can view mystream's content by entering the command

more < file.txt:mystream 

As I previously mentioned, you can add executable files to alternate data streams. For example, you can add a hidden copy of the Windows calculator (calc.exe) to a file called file.txt simply by typing the command

type calc.exe > file.txt:calc.exe 

To execute the hidden calculator, enter the command

start .\file.txt:calc.exe

Now, to see for yourself that alternate data streams and their content aren't accounted for in Microsoft tools, check the properties of file.txt in Windows Explorer. Instead of seeing a file size of 112KB—the size of the embedded calc.exe file—you'll see a file size of 0KB because there's no data in the $DATA file stream and Windows Explorer can't detect the data in the alternate data stream.

Clearly, alternate data streams have quite a few associated risks, especially if your NTFS resources aren't properly permissioned and access to your Windows servers isn't tightly controlled. A simple protection mechanism that you can use to prevent malicious attackers from leveraging alternate data streams is the NTFS access control system. If attackers don't have the permission to write to a file, they can't create alternate data streams and attach them to that file.

Fishing for Changes
If you suspect that an intruder has managed to bypass the permissions you set, tools are available to detect alternate data stream content. System-integrity-checking software, such as Tripwire Enterprise and Tripwire for Servers, can detect all NTFS file system changes that have occurred on a Windows system, including the addition of or changes to data stream content.

Sysinternals' Streams is a freeware command-line utility that detects the names of a file's alternate data streams. Figure 1 shows you how to use the Streams utility to view the name of the calc.exe data stream that we added earlier to the file.txt file. You can download this utility at http://www.sysinternals.com/utilities/streams.html.

Another easy way to detect an alternate data stream is to use Windows Explorer to copy the suspect file to a non-NTFS drive (e.g., a FAT drive). Other file systems don't support alternate data streams, so NTFS will generate a warning similar to the one in Figure 2 when you attempt to copy an NTFS file with attached alternate data streams to a non-NTFS file system. Be aware that if you use the command-line Copy command to copy the file, Windows copies the file to the non-NTFS file system and removes the data stream without displaying a warning.
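
The stream hunt described in this section can also be scripted. The following PowerShell script is an added example, not part of the original article and not a Microsoft, Sysinternals, or Tripwire tool. It assumes Windows PowerShell 3.0 or later and an NTFS volume; the function name Get-AlternateStream and the C:\Shares path are hypothetical. It lists every named stream under a folder tree, reports the bytes that Explorer and Dir leave out of their size figures, and flags streams that start with the "MZ" executable header, as the hidden calc.exe copy would.

```powershell
# Added example: inventory alternate data streams under a directory tree.
# Assumes Windows PowerShell 3.0 or later (for -Stream) and an NTFS volume.
param(
    [string]$Root = 'C:\Shares'   # assumed path; point it at the tree to audit
)

# Byte reads are spelled differently in Windows PowerShell and PowerShell 6+.
$byteRead = if ($PSVersionTable.PSVersion.Major -ge 6) {
    @{ AsByteStream = $true }
} else {
    @{ Encoding = 'Byte' }
}

function Get-AlternateStream {   # hypothetical helper name
    param([Parameter(Mandatory)][string]$Path)

    # -File: only files are examined here; streams attached to folders are not covered.
    Get-ChildItem -LiteralPath $Path -Recurse -Force -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file = $_.FullName
            # -Stream * returns every stream; ':$DATA' is the default (unnamed) one.
            Get-Item -LiteralPath $file -Stream * -ErrorAction SilentlyContinue |
                Where-Object { $_.Stream -ne ':$DATA' } |
                ForEach-Object {
                    # Read two bytes to spot an executable ("MZ" header) in the stream.
                    $head = $null
                    if ($_.Length -ge 2) {
                        $head = Get-Content -LiteralPath $file -Stream $_.Stream `
                                    -TotalCount 2 -ErrorAction SilentlyContinue @byteRead
                    }
                    [pscustomobject]@{
                        File        = $file
                        Stream      = $_.Stream
                        StreamBytes = $_.Length
                        LooksLikePE = ($head.Count -eq 2 -and
                                       $head[0] -eq 0x4D -and $head[1] -eq 0x5A)
                    }
                }
        }
}

$found = @(Get-AlternateStream -Path $Root)
$found | Sort-Object StreamBytes -Descending | Format-Table -AutoSize
'{0} alternate stream(s), {1:N0} bytes not counted in Explorer file sizes' -f `
    $found.Count, ($found | Measure-Object StreamBytes -Sum).Sum
```

Streams that Windows itself attaches, such as the zone marker on downloaded files, will appear in the output, so expect to baseline the results before treating a hit as suspicious.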

Hiding Shares with ABE
ABE is an add-on file-share-level function that Microsoft introduced in Windows Server 2003 SP1. You can use ABE on any Windows file share, regardless of which file system stores the share data. ABE lets administrators hide folders and files in a share from users who don't have the appropriate NTFS-level permissions to access them, thus providing a folder-level security measure.

Without ABE, users who connect to a shared folder see all files and folders in the share, even those that they don't have any read access permissions for or that they're denied access to. When a user tries to open a file or folder for which he or she doesn't have access permissions, the system displays an access-denied error. These errors can confuse users, so enabling ABE can reduce your Help desk call load.

ABE does come at a cost. Before returning the list of objects in a folder to the client that's connecting to the share, the server has to evaluate the ACL of every object in that folder to determine what to return. Especially for shares containing many objects, this can have a noticeable performance impact.

One good way to use ABE is for setting up users' home directory shares. Instead of creating a hidden share for each user's home directory, you can create one share containing all users' home directories in the root home directory folder, let users connect to this root directory, and control the visibility of all users' home directories by using ABE and NTFS permissions.

Enabling ABE
ABE uses a new share-level flag called SHI1005_FLAGS_ENFORCE_NAMESPACE_ACCESS, which as I write this article is supported only in Windows 2003 SP1 and Release 2 (R2). This flag indicates that you're using the ABE feature for a folder.

To set the flag, you can use the Windows Explorer folder properties extensions or the abecmd.exe command-line tool. Microsoft provides the ABE Explorer extension and abecmd.exe in the ABE installation package, which is an add-on for Windows Server 2003 SP1 platforms. You can download the installation package from the Microsoft site at http://www.microsoft.com/downloads/details.aspx?FamilyId=04A563D9-78D9-4342-A485-B030AC442084. Because ABE is a server-side extension, you can use ABE regardless of which Windows OS the client is running.

After installing the ABE feature on your server, you can set the flag for a folder by right-clicking the folder, selecting Properties, clicking the Access-based Enumeration tab, and selecting the Enable access-based enumeration on this shared folder check box, as Figure 3 shows. To turn ABE on for all shares on that system, select the Apply this folder's setting to all existing shared folders on this computer check box.

Alternatively, you can use the abecmd.exe command-line tool to enter the following command to turn on ABE for a share named shareddocs:

abecmd /enable shareddocs 

You can use the /all parameter to enable ABE on all shared resources and the /disable parameter to disable ABE.

Controlling Access
ABE is a simple tool that lets you limit users to accessing only those files they need to do their job. Users can more easily find the files they need because they don't have to wade through folders that have no relevance for them, and they won't be calling the Help desk in confusion when they try to open files to which they don't have permission.

To protect against hackers misusing alternate data streams, administrators must manage the access control settings of shared resources and use one of the utilities I discussed to detect hidden alternate data streams and any NTFS changes.
