From the course: Cybersecurity Foundations

Cloaking and alternate data streams

- [Instructor] Attackers who penetrate systems with malware go out of their way to hide it once it's on the target system. If the infection can evade detection, it's more likely to accomplish its intended goals. Let's have a look at some of the ways in which malware can hide. The first method is to use the techniques used by the Windows operating system to hide its own activities. An example of this is the hidden history folder. I'm in a command shell and I'll go into a folder in my user applications directory by typing cd appdata\local\microsoft\windows. When I list the contents of the directory, there's a number of files and folders, but there's no history sub-directory. I can list hidden files with dir /ah, but there's still no history sub-directory. However, things are not always as they seem. The history sub-directory does exist, but we just can't see it. Let's try to change directories and go into it: cd history. Well, that worked. So now let's see what's here. And we see the file desktop.ini. This is the method Microsoft uses to hide the sub-directory. When I take a look at what's in it, by typing desktop.ini, I see it has two cloaking entries. The first is a CLSID line, which stops the sub-directory from being included in file-based finds. And the second, the UICLSID line, which stops the sub-directory from being seen using Windows Explorer.

Another little-known way of hiding on disk is to use what's known as alternate data streams. In the early MS-DOS and FAT file systems, files were simply strings of data which could be read byte by byte by applications. In NTFS, a file is a complex structure. NTFS files contain, as a minimum, a section called $DATA, which is where the data read by an application resides. This is the data stream. However, a file may have many other sections, each with its own name, and each of which can hold information. These are called alternate data streams. Importantly, Windows only recognizes the $DATA section, so data in any alternate data streams isn't generally recognized.

Okay, back at the terminal, let's go into the temporary folder and create a new file called datafile.txt by typing, type con, the console, to datafile.txt. Here's a text file which has nothing much to hide. It's simply a string of words that is saved to disk. Okay, that's created the file; let's check it. Type datafile.txt, and we can see the contents as we entered them. We can also check its size. Dir datafile.txt: it is 105 bytes long. I'll create another file called adsfile.txt. Type con: to adsfile.txt. This is my secret message which I want to store where no one can find it. Now I'll insert that into a hidden data stream in datafile.txt by typing, type adsfile.txt to datafile.txt, colon, hidden.txt. Let's see what datafile.txt looks like now: type datafile.txt and dir. So there's no apparent change. However, if I now type more from datafile.txt colon hidden.txt, we see the hidden text.

Alternate data streams can also be used to hide executable files. As an example, I'll insert the Windows calculator into this text file: type \windows\system32\calc.exe to datafile.txt, and we'll call it mycalc.exe. Type datafile.txt and dir, and again, we see no change. We can use a special form of the Windows instrumentation tool, wmic, to run this hidden executable: wmic process call create "C:\temp\datafile.txt:mycalc.exe". Then we have the calculator executed. While alternate data streams can't be seen in Explorer or by using the dir command normally, it is possible to use the /r command line option on the dir command to see them: dir datafile.txt /r. Now we can see that this file does have two additional streams: hidden.txt and mycalc.exe.
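As an added example that is not part of the course, here is a PowerShell scan a defender could run to find, and optionally strip, the kind of named streams the video demonstrates with dir /r. The function name Find-AlternateDataStreams and the demo folder under $env:TEMP are my own choices; it assumes an NTFS volume and Windows PowerShell 3.0 or later.

```powershell
# Added example (not from the course): enumerate NTFS alternate data streams
# under a directory and report every stream other than the default :$DATA.
# Assumes Windows PowerShell 3.0+ (or PowerShell 7) on an NTFS volume.

function Find-AlternateDataStreams {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [switch] $Remove   # also delete the suspicious streams instead of only listing them
    )
    Get-ChildItem -Path $Path -File -Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file = $_
            # -Stream * lists every named stream on the file, including ':$DATA'
            Get-Item -LiteralPath $file.FullName -Stream * -ErrorAction SilentlyContinue |
                Where-Object { $_.Stream -ne ':$DATA' } |
                ForEach-Object {
                    # Zone.Identifier is the Mark-of-the-Web that browsers add to
                    # downloads; it is expected and not treated as suspicious here.
                    $suspicious = $_.Stream -ne 'Zone.Identifier'
                    [pscustomobject]@{
                        File       = $file.FullName
                        Stream     = $_.Stream
                        Length     = $_.Length
                        Suspicious = $suspicious
                    }
                    if ($Remove -and $suspicious) {
                        # Removes only the named stream; the file's own data stays intact.
                        Remove-Item -LiteralPath $file.FullName -Stream $_.Stream
                    }
                }
        }
}

# Constructed demonstration mirroring the course: a text file with a hidden stream.
$demo = Join-Path $env:TEMP 'ads-demo'
New-Item -ItemType Directory -Path $demo -Force | Out-Null
$target = Join-Path $demo 'datafile.txt'
Set-Content -Path $target -Value 'Nothing much to hide here.'
Set-Content -Path $target -Stream 'hidden.txt' -Value 'This is my secret message.'

# Expected: one row for datafile.txt with Stream = hidden.txt and Suspicious = True.
Find-AlternateDataStreams -Path $demo | Format-Table -AutoSize
```

Run with -Remove to strip the reported streams; a stream carrying an executable will show a Length far larger than any plausible metadata, which is the quick triage signal for the calc.exe case in the video.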