Alternate streams - Tripwire
Tripwire is reporting an alternate stream added to a few files on one of our 2003 Web Edition machines.
LADS, Streams, Adsscan and Crucialads show nothing.
I know these files have been touched by our people and see no other evidence of intrusion.
Tripwire says they use a proprietary algorithm to detect alternate streams, however they have no ability to determine what the alternate stream is.
Anyone have a clue on how to tease out what Tripwire is reporting on?
LADS, Streams, Adsscan and Crucialads show nothing.
I know these files have been touched by our people and see no other evidence of intrusion.
Tripwire says they use a proprietary algorithm to detect alternate streams, however they have no ability to determine what the alternate stream is.
Anyone have a clue on how to tease out what Tripwire is reporting on?
Agreed with ahoffmann's last statement in his comment.
One popular method used in Windows Systems is the use of Alternate Data Streams (ADS). A relatively unknown compatibility feature of NTFS, ADS is the ability to fork file data into existing files without affecting their functionality, size, or display to traditional file browsing utilities like dir or Windows Explorer. Found in all version of NTFS, ADS capabilities where originally conceived to allow for compatibility with the Macintosh Hierarchical File System, HFS; where file information is sometimes forked into separate resources. Alternate Data Streams have come to be used legitimately by a variety of programs, including native Windows operating system to store file information such as attributes and temporary storage.
Amazingly enough, Alternate Data Streams are extremely easy to make and require little or no skill on the part of the hacker. Common DOS commands like “type” are used to create an ADS. These commands are used in conjunction with a redirect [>] and colon [:] to fork one file into another.
For instance: the command
“type c:\anyfile.exe > c:\winnt\system32\calc.exe
will fork the common windows calculator program with an ADS “anyfile.exe.”
Alarmingly, files with an ADS are almost impossible to detect using native file browsing techniques like command line or windows explorer. In our example, the file size of calc.exe will show as the original size of 90k regardless of the size of the ADS anyfile.exe. The only indication that the file was changed is the modification time stamp, which can be relatively innocuous.
Once injected, the ADS can be executed by using traditional commands like type, or start or be scripted inside typical scripting languages like VB or Perl. When launched, the ADS executable will appear to run as the original file - looking undetectable to process viewers like Windows Task Manager. Using this method, it is not only possible to hide a file, but to also hide the execution of an illegitimate process.
Unfortunately, it is virtually impossible to natively protect your system against ADS hidden files if you use NTFS. The use of Alternate Data Streams is not a feature that can be disabled and currently there is no way to limit this capability against files that the user already has access to. Freeware programs like lads.exe by Frank Heyne (www.heysoft.de) and crucialADS by CrucialSecurity can be used to manually audit your files for the presence of Alternate Data Streams. Alternatively, the action of moving a file into another file system that doesn’t support ADS will automatically destroy any Alternate Data Streams.
Ultimately only a third party file checksum application can effectively maintain the integrity of an NTFS partition against unauthorized Alternate Data Streams. Recently dubbed as host based “Intrusion Prevention Systems” or “Intrusion Detection Systems”, third party security applications like eTrust Access Control from Computer Associates have been used for years in high-end government networks to verify the integrity of files used in the most secure environments. In addition to a heightened level of auditing and access control, these applications typically create an MD5 hashed database of file checksums that are used to validate a file’s trustworthiness. File injection techniques like Alternate Data Streams trigger an action by which the file is deemed untrusted and therefore prevented from executing or better yet, prevented from being changed in the first place.
Another good file integrity application is Tripwire for Servers by Tripwire Inc. Tripwire has been singularly focused on file integrity management since the early 90’s and does a tremendous job of providing stringent security measures against unauthorized file changes.
Hope this helps...;-)
One popular method used in Windows Systems is the use of Alternate Data Streams (ADS). A relatively unknown compatibility feature of NTFS, ADS is the ability to fork file data into existing files without affecting their functionality, size, or display to traditional file browsing utilities like dir or Windows Explorer. Found in all version of NTFS, ADS capabilities where originally conceived to allow for compatibility with the Macintosh Hierarchical File System, HFS; where file information is sometimes forked into separate resources. Alternate Data Streams have come to be used legitimately by a variety of programs, including native Windows operating system to store file information such as attributes and temporary storage.
Amazingly enough, Alternate Data Streams are extremely easy to make and require little or no skill on the part of the hacker. Common DOS commands like “type” are used to create an ADS. These commands are used in conjunction with a redirect [>] and colon [:] to fork one file into another.
For instance: the command
“type c:\anyfile.exe > c:\winnt\system32\calc.exe
will fork the common windows calculator program with an ADS “anyfile.exe.”
Alarmingly, files with an ADS are almost impossible to detect using native file browsing techniques like command line or windows explorer. In our example, the file size of calc.exe will show as the original size of 90k regardless of the size of the ADS anyfile.exe. The only indication that the file was changed is the modification time stamp, which can be relatively innocuous.
Once injected, the ADS can be executed by using traditional commands like type, or start or be scripted inside typical scripting languages like VB or Perl. When launched, the ADS executable will appear to run as the original file - looking undetectable to process viewers like Windows Task Manager. Using this method, it is not only possible to hide a file, but to also hide the execution of an illegitimate process.
Unfortunately, it is virtually impossible to natively protect your system against ADS hidden files if you use NTFS. The use of Alternate Data Streams is not a feature that can be disabled and currently there is no way to limit this capability against files that the user already has access to. Freeware programs like lads.exe by Frank Heyne (www.heysoft.de) and crucialADS by CrucialSecurity can be used to manually audit your files for the presence of Alternate Data Streams. Alternatively, the action of moving a file into another file system that doesn’t support ADS will automatically destroy any Alternate Data Streams.
Ultimately only a third party file checksum application can effectively maintain the integrity of an NTFS partition against unauthorized Alternate Data Streams. Recently dubbed as host based “Intrusion Prevention Systems” or “Intrusion Detection Systems”, third party security applications like eTrust Access Control from Computer Associates have been used for years in high-end government networks to verify the integrity of files used in the most secure environments. In addition to a heightened level of auditing and access control, these applications typically create an MD5 hashed database of file checksums that are used to validate a file’s trustworthiness. File injection techniques like Alternate Data Streams trigger an action by which the file is deemed untrusted and therefore prevented from executing or better yet, prevented from being changed in the first place.
Another good file integrity application is Tripwire for Servers by Tripwire Inc. Tripwire has been singularly focused on file integrity management since the early 90’s and does a tremendous job of providing stringent security measures against unauthorized file changes.
Hope this helps...;-)
shahrial, nice explanation ;-)
or in other words: ADS are files (yes they are real files!) not visible to any M$ tools, but fully functional
a sarcastic comment would say that someone (M$ itself?) implemented the perfect backdoor :-))
or in other words: ADS are files (yes they are real files!) not visible to any M$ tools, but fully functional
a sarcastic comment would say that someone (M$ itself?) implemented the perfect backdoor :-))
ASKER
shahrial, you should quote your sources, or just supply the line
http://www.windowsecurity.com/articles/Alternate_Data_Streams.html
The question is (and was) does anyone know a method other than LADS, Streams, Adsscan or Crucialads to determine what is in the supposed alternate data stream that Tripwire is reporting?
I can copy them out to a fat partition and back to remove the stream, but I'd like to fidure out how the streams hot there in the first place.
http://www.windowsecurity.com/articles/Alternate_Data_Streams.html
The question is (and was) does anyone know a method other than LADS, Streams, Adsscan or Crucialads to determine what is in the supposed alternate data stream that Tripwire is reporting?
I can copy them out to a fat partition and back to remove the stream, but I'd like to fidure out how the streams hot there in the first place.
> but I'd like to fidure out how the streams hot there in the first place
you need to check your firewall and/or IDS and/or IPS. Tripwire itself is a static tool (as you already know).
You need a permanent tool for that like winpatrol (just to mention one, if I look at your EE history you probably know much more about that than me;-)
you need to check your firewall and/or IDS and/or IPS. Tripwire itself is a static tool (as you already know).
You need a permanent tool for that like winpatrol (just to mention one, if I look at your EE history you probably know much more about that than me;-)
Yes, chicagoan (security master). Thank you for your enlightening last statement in your comment.
As for your opening statement...errr...sometim
As for your opening statement...errr...sometim
ASKER
Nothing in IDS, ISAPI filters or the usual suspects. One analyst here is pretty sure he opened one file, I know I opened another (via RDP) , the other 3 were rolled recently via FTP. We're not tracking ACCESS. We're running TW 4.5 on 2003 WEB. I really think this is a Tripwire bug but it's frustrating that their tech support insists an AS is there without having the ability to determine what is there or to say for sure nothing's there.
I'll give this a couple of days and open a support ticket with micro$oft and report the findings back here.
shahrial> I appreciate the effort. I'm not sure what you mean by "keep the info within EE"...
I've been slapped for failing to cite my sources, I just don't want you to fall into the same quagmire.
I'll give this a couple of days and open a support ticket with micro$oft and report the findings back here.
shahrial> I appreciate the effort. I'm not sure what you mean by "keep the info within EE"...
I've been slapped for failing to cite my sources, I just don't want you to fall into the same quagmire.
chicagoan,
"keep the info within EE" = if the link no longer exist, it will still exist within these column.
> I've been slapped for failing to cite my sources, I just don't want you to fall into the same quagmire.
Thanks for the thought. I'm having a 'swollen eye' right now...lol.
Have you checked out this link?
The Dark Side of NTFS (Microsoft’s Scarlet Letter)
http://patriot.net/~carvdawg/docs/dark_side.html
Good luck...;-)
"keep the info within EE" = if the link no longer exist, it will still exist within these column.
> I've been slapped for failing to cite my sources, I just don't want you to fall into the same quagmire.
Thanks for the thought. I'm having a 'swollen eye' right now...lol.
Have you checked out this link?
The Dark Side of NTFS (Microsoft’s Scarlet Letter)
http://patriot.net/~carvdawg/docs/dark_side.html
Good luck...;-)
chicagoan,
lads.exe seems to be a tool for you ...
otherwise I'd simply plug the disk in question to a linux system and check with linux, there're no more secrets then ;-)
lads.exe seems to be a tool for you ...
otherwise I'd simply plug the disk in question to a linux system and check with linux, there're no more secrets then ;-)
ASKER
1st post: "LADS, Streams, Adsscan and Crucialads show nothing"
I'm not sure how mounting the file system from *nix is going to help here, are you aware of a *nix utility for viewing NTFS ADS?
I'm not sure how mounting the file system from *nix is going to help here, are you aware of a *nix utility for viewing NTFS ADS?
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
New to ADS I have come accross lads but not the others. I use NTFS Streams Info to check for alternative data streams.
http://www.isgeo.kiev.ua/shareware/products.html
As I have lots to still learn about ADS I would love to know how you think this compares to the other programs out there. It can scan and remove ADS from files but I presume the other programs listed do this and more. :)
http://www.isgeo.kiev.ua/shareware/products.html
As I have lots to still learn about ADS I would love to know how you think this compares to the other programs out there. It can scan and remove ADS from files but I presume the other programs listed do this and more. :)
chicagoan,
Have a look at the new Lavasoft Ad-aware se Professional 1.05. It also have configurable options to scan for ADS...;-)
Have a look at the new Lavasoft Ad-aware se Professional 1.05. It also have configurable options to scan for ADS...;-)
ASKER
Still haven't teased these out but think Tripwire is throwing a false positive.
boot.ini:file.txt
such streams are not visible with standard M$ tools, even you can create them with these