As many of you know I started fighting rootkits and the like a while back by removing drives and scanning them as slave drives to cripple the rootkit . I know that ADS are now often accompanying rootkits .

What would be the best NON-antimalware methods for destroying ADS ? I heard renaming the system32 folder and naming it back could destroy one of them . From what I have read it sounds like ADS are kind of like a file that has been deleted . It is still there but NTFS isn't keeping track of it so it can be overwritten . Would cut and paste also copy the ADS or would (because it is not being kept track of) just be ignored ? What about defrag ?

Here is an article on ADS that you will find very useful:
http://www.bleepingcomputer.com/tutorials/tutorial25.html

you might want to run this see what it finds
ADSSPY Download Link

So I take it ADS is a mechanism that can create rootkit-like files? I tried creating a few files as per Lawrence's tutorial but get "The filename, directory name, or volume label syntax is incorrect." Can I assume that ADS is not activated on my system?

It worked fine with me.
You probably misstyped something.
Is your root drive formatted with NTFS file system?

Ah! Not the root but I tried it on an NTFS-formatted volume and indeed ADS is active. Does this mean it's best *not* to format NTFS volumes?

if you disable ads than you won,t be able to see mac computers. possibly Linux as well. since most servers are Linux unix based this may or may not be a problem, as packets are sent and received . but it would mean computers on a lan may or may not be able to see shared doc folders etc.

but it would be nice if some security app could disable this.

there may be a reason other than whats publicly release about ads and what they do that we are not being told.

Hi

Well, the challenge must be that also MS using ADS within XP SP2...

One example
https://www.kb.cert.org/vuls/id/743974

"Windows XP SP2 normally stores the zone information about downloaded files in an NTFS Alternate Data Stream. This is known as a Persistent Zone Identifier. "

http://msdn.microsoft.com/workshop/security/szone/reference/objects/PersistentZoneIdentifier.asp

Also another example with Kaskersky labs suite...
http://www.viruslist.com/en/weblog?discuss=177727537

How good is Merinjs ADS stream tool ? ADS Spy

http://www.merijn.org/downloads.html

regards
plunx

I used ADS Spy to remove ADS which were left from an incomplete CWS infection removal. Kaspersky AV identfified a few of the files, and that was the first indication of their presence. When I used Merjin's ADS Spy, it identified many additional ADS infected files and removed all of them. So I would give it a thumbs up.

In the case of a rootkit driver hidden in the ADS of the system32 folder such as PE386, the driver must be unloaded first before attempting ADS removal of the driver file.

_________________
Negster22 - MS MVP - Consumer Security 2006-2008

thx negster!!!

Hi

Thanks wawadave and negster !

I nearly understands this challenge now.....

I also noted this within Kaspersky Labs discussion:

http://www.techpathways.com/

http://www.guidancesoftware.com/

After reading about this I cannot really understand the meaning of alternate data streams............ the reason to be compatible with Macintosh seems to be a little strange. IMHO



regards
plunx

i think software companies and ms add data to them to id files. if you d/l with ie i,ll bet the time date and ip of where is hidden useing this. i,ll bet many windows files have many things hidden by these and i know windows its self has many rootkit like functions. but beyound my skills to prove or disprove.

are there any apps that let you read the ads info?