Alternate streams - Tripwire

Tripwire is reporting an alternate stream added to a few files on one of our 2003 Web Edition machines.
LADS, Streams, Adsscan and Crucialads show nothing.
I know these files have been touched by our people and see no other evidence of intrusion.
Tripwire says they use a proprietary algorithm to detect alternate streams, however they have no ability to determine what the alternate stream is.
Anyone have a clue on how to tease out what Tripwire is reporting on?
chicagoanAsked:

ahoffmannCommented:
Are you talking about Alternate Data Streams (ADS), something like:
  boot.ini:file.txt
Such streams are not visible with standard M$ tools, even though you can create them with these.
0
shahrialCommented:
Agreed with ahoffmann's last statement in his comment.

One popular method used in Windows Systems is the use of Alternate Data Streams (ADS). A relatively unknown compatibility feature of NTFS, ADS is the ability to fork file data into existing files without affecting their functionality, size, or display to traditional file browsing utilities like dir or Windows Explorer. Found in all versions of NTFS, ADS capabilities were originally conceived to allow for compatibility with the Macintosh Hierarchical File System, HFS, where file information is sometimes forked into separate resources. Alternate Data Streams have come to be used legitimately by a variety of programs, including the native Windows operating system, to store file information such as attributes and temporary storage.

Amazingly enough, Alternate Data Streams are extremely easy to make and require little or no skill on the part of the hacker. Common DOS commands like “type” are used to create an ADS. These commands are used in conjunction with a redirect [>] and colon [:] to fork one file into another.

For instance:  the command

 “type c:\anyfile.exe > c:\winnt\system32\calc.exe:anyfile.exe”

will fork the common windows calculator program with an ADS “anyfile.exe.”

Alarmingly, files with an ADS are almost impossible to detect using native file browsing techniques like command line or windows explorer. In our example, the file size of calc.exe will show as the original size of 90k regardless of the size of the ADS anyfile.exe. The only indication that the file was changed is the modification time stamp, which can be relatively innocuous.

Once injected, the ADS can be executed by using traditional commands like type, or start or be scripted inside typical scripting languages like VB or Perl. When launched, the ADS executable will appear to run as the original file - looking undetectable to process viewers like Windows Task Manager. Using this method, it is not only possible to hide a file, but to also hide the execution of an illegitimate process.

Unfortunately, it is virtually impossible to natively protect your system against ADS hidden files if you use NTFS. The use of Alternate Data Streams is not a feature that can be disabled and currently there is no way to limit this capability against files that the user already has access to.  Freeware programs like lads.exe by Frank Heyne (www.heysoft.de) and crucialADS by CrucialSecurity can be used to manually audit your files for the presence of Alternate Data Streams. Alternatively, the action of moving a file into another file system that doesn’t support ADS will automatically destroy any Alternate Data Streams.  

Ultimately only a third party file checksum application can effectively maintain the integrity of an NTFS partition against unauthorized Alternate Data Streams. Recently dubbed as host based “Intrusion Prevention Systems” or “Intrusion Detection Systems”, third party security applications like eTrust Access Control from Computer Associates have been used for years in high-end government networks to verify the integrity of files used in the most secure environments. In addition to a heightened level of auditing and access control, these applications typically create an MD5 hashed database of file checksums that are used to validate a file’s trustworthiness. File injection techniques like Alternate Data Streams trigger an action by which the file is deemed untrusted and therefore prevented from executing or better yet, prevented from being changed in the first place.

Another good file integrity application is Tripwire for Servers by Tripwire Inc.  Tripwire has been singularly focused on file integrity management since the early 90’s and does a tremendous job of providing stringent security measures against unauthorized file changes.

Hope this helps...;-)
0
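As an added example (not code from the thread, from Tripwire or from the linked article), the following PowerShell script does what the original question asks for: it lists every alternate stream under a directory and summarises each one's size, SHA-256 hash, printable preview and apparent type, flagging streams that start with the PE "MZ" header, which is the hidden-executable case described above. It assumes Windows PowerShell 3.0 or later (or PowerShell 7) on an NTFS volume; the web-root path is a placeholder.

```powershell
# Added example, not from the thread: inventory alternate data streams (ADS)
# under a directory so an analyst can see what Tripwire-style tools only count.
# Assumes Windows PowerShell 3.0+ or PowerShell 7 on NTFS. Root path is a placeholder.

function Get-AdsInventory {
    param([Parameter(Mandatory)][string]$Root)
    Get-ChildItem -LiteralPath $Root -File -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file = $_.FullName
            # ':$DATA' is the unnamed default stream; every other entry is an ADS.
            Get-Item -LiteralPath $file -Stream * -ErrorAction SilentlyContinue |
                Where-Object { $_.Stream -ne ':$DATA' } |
                ForEach-Object { Get-AdsSummary -File $file -Stream $_.Stream -Length $_.Length }
        }
}

function Get-AdsSummary {
    param([string]$File, [string]$Stream, [long]$Length)
    # Read the stream as raw bytes so binary content is not mangled by text decoding.
    if ($PSVersionTable.PSVersion.Major -ge 6) {
        $bytes = [byte[]](Get-Content -LiteralPath $File -Stream $Stream -AsByteStream -ReadCount 0)
    } else {
        $bytes = [byte[]](Get-Content -LiteralPath $File -Stream $Stream -Encoding Byte -ReadCount 0)
    }
    if ($null -eq $bytes) { $bytes = [byte[]]@() }
    $sha256 = [System.Security.Cryptography.SHA256]::Create()
    $hash = ($sha256.ComputeHash($bytes) | ForEach-Object { $_.ToString('x2') }) -join ''
    # A leading 'MZ' marks a PE executable, i.e. a program hidden inside another file.
    $kind = if ($bytes.Length -ge 2 -and $bytes[0] -eq 0x4D -and $bytes[1] -eq 0x5A) { 'PE executable' }
            elseif ($Stream -eq 'Zone.Identifier') { 'download marker (usually benign)' }
            else { 'unknown, review' }
    # Printable preview of the first 32 bytes; non-printable bytes become '.'.
    $head = if ($bytes.Length -gt 0) { $bytes[0..([Math]::Min($bytes.Length, 32) - 1)] } else { @() }
    $preview = -join ($head | ForEach-Object { if ($_ -ge 32 -and $_ -le 126) { [char]$_ } else { '.' } })
    [pscustomobject]@{
        File    = $File
        Stream  = $Stream
        Length  = $Length
        SHA256  = $hash
        Kind    = $kind
        Preview = $preview
    }
}

# Usage: list every ADS under the web root, executables first.
Get-AdsInventory -Root 'C:\inetpub\wwwroot' |   # placeholder path
    Sort-Object @{ Expression = { $_.Kind -eq 'PE executable' }; Descending = $true } |
    Format-Table -AutoSize
```

Copying a flagged file to a FAT volume and back, as the asker mentions, strips the stream; run this inventory first so the hash and preview are recorded before the evidence is destroyed.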
ahoffmannCommented:
shahrial, nice explanation ;-)
or in other words: ADS are files (yes they are real files!) not visible to any M$ tools, but fully functional
a sarcastic comment would say that someone (M$ itself?) implemented the perfect backdoor :-))
0
chicagoanAuthor Commented:
shahrial, you should quote your sources, or just supply the line

http://www.windowsecurity.com/articles/Alternate_Data_Streams.html

The question is (and was) does anyone know a method other than LADS, Streams, Adsscan or Crucialads to determine what is in the supposed alternate data stream that Tripwire is reporting?
I can copy them out to a FAT partition and back to remove the stream, but I'd like to figure out how the streams got there in the first place.
0
ahoffmannCommented:
> but I'd like to figure out how the streams got there in the first place
you need to check your firewall and/or IDS and/or IPS. Tripwire itself is a static tool (as you already know).
You need a permanent tool for that like winpatrol (just to mention one, if I look at your EE history you probably know much more about that than me;-)
0
shahrialCommented:
Yes, chicagoan (security master). Thank you for your enlightening last statement in your comment.
As for your opening statement...errr...sometimes it's nice to keep the info within EE, (imho only)...:o)
0
chicagoanAuthor Commented:
Nothing in IDS, ISAPI filters or the usual suspects. One analyst here is pretty sure he opened one file, I know I opened another (via RDP), the other 3 were rolled recently via FTP. We're not tracking ACCESS. We're running TW 4.5 on 2003 WEB. I really think this is a Tripwire bug but it's frustrating that their tech support insists an AS is there without having the ability to determine what is there or to say for sure nothing's there.

I'll give this a couple of days and open a support ticket with micro$oft and report the findings back here.

 shahrial> I appreciate the effort. I'm not sure what you mean by "keep the info within EE"...
I've been slapped for failing to cite my sources, I just don't want you to fall into the same quagmire.



0
shahrialCommented:
chicagoan,
"keep the info within EE" = if the link no longer exists, it will still exist within this column.
> I've been slapped for failing to cite my sources, I just don't want you to fall into the same quagmire.
Thanks for the thought. I'm having a 'swollen eye' right now...lol.

Have you checked out this link?
The Dark Side of NTFS (Microsoft’s Scarlet Letter)
http://patriot.net/~carvdawg/docs/dark_side.html

Good luck...;-)
0
ahoffmannCommented:
chicagoan,
lads.exe seems to be a tool for you ...
otherwise I'd simply plug the disk in question to a linux system and check with linux, there're no more secrets then ;-)
0
chicagoanAuthor Commented:
1st post: "LADS, Streams, Adsscan and Crucialads show nothing"
I'm not sure how mounting the file system from *nix is going to help here, are you aware of a *nix utility for viewing NTFS ADS?
0
ahoffmannCommented:
dooh, should read *always* *all* texts carefully, sorry.
As I understand ADS, they are just files on the filesystem (probably just inodes, sorry, don't know the internals of NTFS); if so, mounting with Linux's NTFS driver should show them.
But 'cause lads didn't report them anyway, this step seems to be obvious too.
Sounds like you need support from Tripwire ...
0
firewallblockedCommented:
New to ADS, I have come across lads but not the others. I use NTFS Streams Info to check for alternative data streams.

http://www.isgeo.kiev.ua/shareware/products.html


As I have lots to still learn about ADS I would love to know how you think this compares to the other programs out there. It can scan and remove ADS from files but I presume the other programs listed do this and more. :)
0
shahrialCommented:
chicagoan,
Have a look at the new Lavasoft Ad-aware SE Professional 1.05. It also has configurable options to scan for ADS...;-)
0
chicagoanAuthor Commented:
Still haven't teased these out but think Tripwire is throwing a false positive.
0