Design and Development of Improved Stealth Alternate Data Streams

Abstract

With increase in usage of Internet, there is a greater need of protecting sensitive information. Various data hiding techniques are available for protecting data from unauthorized users. Alternate Data Streams is one of the possible ways for data hiding in New Technology File System of Windows. It was introduced to make Windows NTFS compatible with HFS file system of Macintosh. Alternate data streams is an important feature of New Technology File System but some consider it as a vulnerability which can be exploited for hiding malicious files like rootkits, virus, backdoors etc and for getting access of victim’s system. So Alternate data streams is both a feature and vulnerability of NTFS. This thesis explains what exactly alternate data streams are, what are its requirements and functionalities. A demonstration explaining how hackers can exploit Alternate data streams or ADS for getting access of a system is shown. Its main focus is on explaining Stealth ADS that provides the important functionalities like creation, detection, and deletion of ADS. All possible ways of hiding sensitive information and techniques for detecting and removing ADS are also explained. An approach for scanning the detected ADS in the system for the presence of malicious files is also explained. With time and advancement in antivirus technologies, ADS are now detected by various antivirus and thus with a aim to enhance its stealth and to bring it back into action, efforts has been made to bundle ADS technology with an external encoder which eventually improves its stealth to great extent. To prove this point, a comparative analysis indicating increase in stealth of alternate data stream by adding encoder has been performed. This comparison is done between existing metasploit encoders and Stealth ADS encoder. Also comparison of Stealth ADS with the existing software is done for proving the efficiency of Stealth Alternate Data Streams.