echo: nthelp
to: John Beamish
from: /m
date: 2006-07-14 13:52:44
subject: Re: NTFS - ADS (Alternate Data Streams).

From: /m 


http://www.f-secure.com/weblog/archives/archive-062006.html#00000907

===
Hiding the Unseen       Posted by Antti {at} 17:33 GMT

Many of our readers have probably heard of Alternate Data Streams (ADS) on
NTFS. They're not that well documented and there are only a few tools that
can actually handle them. Lately we've been looking at variants of the
Mailbot family that use hidden streams to hide themselves.

Let's take Mailbot.AZ (aka Rustock.A) as an example. There's only a single
component lying on the disk, and that is a kernel-mode driver. It's stored
as a hidden data stream attached to the system32 folder (yes, folders can
have data streams as well)! Saving your data into Alternate Data Streams is
usually enough to hide from many tools. However, in this case, the stream
is further hidden using rootkit techniques, which makes detection and
removal quite challenging. Because Mailbot.AZ is hiding something that's
not readily visible, it's very likely that many security products will have
a tough time dealing with this one...
===

 /m


On Fri, 14 Jul 2006 13:15:55 -0400, "John Beamish" wrote:

>The more technically-minded probably already knew about this.  We mere
>mortals, otoh, are not so knowledgeable!
>
>
>Start here:
>http://www.heysoft.de/nt/ntfs-ads.htm
>
>What is an alternate data stream (ADS)?
>
>In NTFS, a file consists of different data streams. One stream holds the
>security information (access rights and such things), another one holds
>the "real data" you expect to be in a file. There may be another stream
>with link information instead of the real data stream, if the file
>actually is a link. And there may be alternate data streams, holding data
>the same way the standard data stream does.
>
>
>
>Continue here: (thanks, Geo, for the link)
>http://www.sysinternals.com/Utilities/Streams.html

--- BBBS/NT v4.01 Flag-5
* Origin: Barktopia BBS Site http://HarborWebs.com:8081 (1:379/45)
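An added example, not part of the message above or of the F-Secure post it quotes: a PowerShell check that lists the named (alternate) streams on a folder and on each of its direct children, folders included, since the post notes that folders can carry streams too. It assumes PowerShell 3.0 or later (for the `-Stream` parameter); the default target path is an assumption taken from the system32 folder the post mentions.

```powershell
# Added example: enumerate alternate data streams on a folder and its direct children.
# Assumption: PowerShell 3.0+ (FileSystem provider supports -Stream). Default path is
# an assumption based on the system32 folder named in the quoted post.
param(
    [string]$Root = "$env:SystemRoot\System32"
)

# Include the folder itself: a directory can carry streams just like a file.
$items = @(Get-Item -LiteralPath $Root -Force -ErrorAction SilentlyContinue)
$items += Get-ChildItem -LiteralPath $Root -Force -ErrorAction SilentlyContinue

$findings = foreach ($item in $items) {
    # '-Stream *' returns every stream; ':$DATA' is the unnamed default stream,
    # i.e. the "real data" the quoted text describes, so it is skipped here.
    $streams = Get-Item -LiteralPath $item.FullName -Stream * -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.Stream -ne ':$DATA' }

    foreach ($s in $streams) {
        [PSCustomObject]@{
            Path        = $item.FullName
            Stream      = $s.Stream
            Bytes       = $s.Length
            IsDirectory = $item.PSIsContainer
            # 'Zone.Identifier' is the common benign mark-of-the-web stream written
            # by browsers; anything else deserves a closer look.
            LikelyBenign = ($s.Stream -eq 'Zone.Identifier')
        }
    }
}

if (-not $findings) {
    Write-Output "No alternate data streams found under $Root"
} else {
    $findings | Sort-Object LikelyBenign, Path | Format-Table -AutoSize
}
```

As the post points out, Mailbot.AZ also hides its stream with rootkit techniques, so a kernel-mode rootkit can keep a stream out of any user-mode listing like this one or Sysinternals Streams; an empty result is a baseline, not proof of absence.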

SOURCE: echomail via fidonet.ozzmosis.com
