Windows: Hiding Data the Fun Way
Lately I’ve been checking out some ways of hiding data on a Windows system. Of course you have the default Windows “Hide” function, but this is no fun, and there is an easy, built-in way to find files that use this method. In this article I’ll focus on other ways to hide data on the Windows file system.
Before we start: the goal of this article is not to reveal any new methods for hiding data. The goal is to make you aware that hiding data on an operating system is very easy. Most people are not aware of these file system “features” and are unable to notice abuse. Detecting suspicious behavior is one of the most important skills a system admin has to have, so this article aims to make you aware of the tricks attackers use and what you have to look for during your analysis.
There are two methods that are quite outdated but still do their job on most Windows systems. All described methods have been tested on Windows 7 but are even more effective on Windows XP (and lower) because those operating systems allow much more. You’ll read more about this in method 2 (fork file system).
1. Hiding text in “plain” sight

When opening an image, Windows reads the file until it has all the data it needs (header, image data and the end-of-data signal); once all of that has been found, the image is shown. This means you are able to append data to the end of an image file: Windows will still show the image (because it is not corrupted) and will “ignore” the added data. This allows you to include text (pre-compiled code, commands or other data) in any image file without creating suspicion. I’m almost sure that IDS systems will pick this up, but the average user won’t have a clue (unless he/she is really looking for it, of course). There are two ways of doing this:

- Simply open the image file with a text editor and add your text at the end of the file.
- Open a command prompt and use the following command to append data to a file: “type [source-file].ext >> [destination-file].jpg” – I like this way better :P (Me loves the console)

*This method is very useful if the source file is a zip file. The image will still show, and opening it as an archive (7zip is great for this) will give you access to all your files.
2. Alternate data streams aka Fork (file system)

The NTFS file system allows you to use alternate data streams. This means that you have multiple data streams available per file, which allows you to attach multiple files to one file. This is very useful if you are using files (e.g. images or DLLs) in an executable and you want to ship your software as one executable (the default in the Mac OS X operating system). The way of doing this is via the following commands:

notepad visible.txt
notepad visible.txt:secret.txt

Executing a ‘dir’ command now won’t show you visible.txt:secret.txt (Windows Vista and 7 support ‘dir /R’ to make alternate data streams visible), but the data is definitely there. This is a great way of “hiding” data in files. In Windows XP (and older) you are even allowed to do this with executables, and you are even allowed to run them from the alternate data stream. Hiding an executable in a text file under Windows XP can be done via the following commands:

1. type yourexe.exe > textfile.txt:hidden.exe  # writing the exe to the ADS in textfile.txt
2. start .\textfile.txt:hidden.exe  # running the exe from the ADS
As you can probably imagine, this (especially the last one) is incredibly useful for malware writers. It allows you to move and execute files without people noticing them.
Both methods are very outdated but are still actively used. Finding them is, for most people, a bit of a challenge. Luckily there are some tools that can help you do it rather quickly. From Windows Vista on, Microsoft added a new switch to the ‘dir’ command: ‘/R’ shows you all the alternate data streams of a file, allowing you to find ADS really easily. Sysinternals also has a tool that lets you view ADS, called Streams (http://technet.microsoft.com/en-us/sysinternals/bb897440). Detecting images that are very large (> 5 MB; of course this also depends on the size of the image itself) can also be helpful, because moving stuff this way is very efficient. Although these two methods only allow you to transfer some data, and they won’t be very useful if your target is running Windows Vista or higher, Windows XP still allows all of this, and because XP is still the most common OS worldwide, ADS are still a threat and widely (ab)used by malware.
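For detecting method 1 (the appended-file trick) and for backing the oversized-image check above, here is an added Python example that is not part of the original article: it walks the JPEG segment structure to find the real end-of-image marker and reports whatever follows it, instead of searching backwards for FF D9, which an appended zip can contain itself. The JPEG skeleton used as input is constructed inline and is not a real photo.

```python
import struct

# Constructed sample (not a real photo, not from the article): a structurally valid
# JPEG skeleton whose scan data holds a stuffed FF 00 and an RST0 marker, followed by
# an appended ZIP-style trailer that itself contains the bytes FF D9 as a decoy.
SAMPLE_JPEG_WITH_TRAILER = (
    b"\xff\xd8"                                     # SOI
    + b"\xff\xe0" + struct.pack(">H", 4) + b"JF"    # APP0 segment, length 4 incl. length bytes
    + b"\xff\xda" + struct.pack(">H", 3) + b"\x01"  # SOS segment, scan data follows
    + b"\x12\xff\x00\x34\xff\xd0\x56"               # scan data: FF 00 and FF D0 must not end it
    + b"\xff\xd9"                                   # EOI: the real end of the image (offset 22)
    + b"PK\x03\x04" + b"\xff\xd9" + b"A" * 10       # appended data: ZIP local header + decoy
)

RST_MARKERS = set(range(0xD0, 0xD8))


def jpeg_image_end(data: bytes) -> int:
    """Offset just past the EOI marker, found by walking the JPEG segment structure."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI)")
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos}")
        marker = data[pos + 1]
        if marker == 0xD9:
            return pos + 2
        if pos + 4 > len(data):
            break
        # every other segment carries a big-endian length that includes its own 2 bytes
        pos += 2 + struct.unpack(">H", data[pos + 2:pos + 4])[0]
        if marker == 0xDA:  # SOS: skip entropy-coded data up to the next real marker
            while pos + 1 < len(data):
                if data[pos] == 0xFF and data[pos + 1] != 0x00 and data[pos + 1] not in RST_MARKERS:
                    break
                pos += 1
    raise ValueError("truncated JPEG: no EOI marker found")


def trailing_data(data: bytes) -> dict:
    """Describe bytes appended after the image (the 'type source.zip >> image.jpg' trick).
    naive_last_ffd9_misleads is True when a backwards search for FF D9 would be fooled."""
    end = jpeg_image_end(data)
    tail = data[end:]
    return {
        "trailing_bytes": len(tail),
        "looks_like_zip": tail[:4] == b"PK\x03\x04",
        "naive_last_ffd9_misleads": data.rfind(b"\xff\xd9") + 2 != end,
    }
```

Run `trailing_data(open(path, "rb").read())` over the images on a suspect system; a large trailing_bytes value on a file that still opens fine as an image is exactly what this method leaves behind.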