In association with heise online

02 July 2006, 19:45

Daniel Bachfeld

Dangers from the Twilight Zone

Alternate Data Streams can still be hiding places for malware

Microsoft's NTFS file system supports Alternate Data Streams to store additional information about a file. Malware can lurk in such streams. Nonetheless, a year and a half after the first ADS test of 18 virus scanners, not all of them reliably detect malware in ADS.

In October of 2004, heise Security Germany conducted a test to see which virus scanners detect contaminants in Alternate Data Streams (ADS) [1]. Since Windows NT 3.51, the NT file system (NTFS) developed by Microsoft has supported ADS. The operating system does so to store additional information about a file, such as the ZoneIDs introduced with Service Pack 2 that mark files as coming from the Internet. Windows applications have also, for example, long used such streams to save thumbnails for previews.

And yet, such streams cannot be displayed either with the DOS command dir or with Windows Explorer. All you can see is the file; the stream is basically invisible. Even if a user or an application writes several megabytes into the stream, the size of the file remains unchanged. An ADS can even be connected to a directory. In other words, streams are an excellent way of hiding data, which viruses and trojan horses already exploit.
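The invisibility described above can be checked with PowerShell's Get-Item -Stream (PowerShell 3.0 and later). This is an added example, not part of the original article; the function name Find-AlternateStream and the scanned path are assumptions.

```powershell
# Added example: list non-default NTFS streams under a directory tree.
# Find-AlternateStream is a hypothetical helper name, not a built-in cmdlet.
function Find-AlternateStream {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Path,
        # Zone.Identifier is the ZoneID marker Windows attaches to downloads.
        [string[]] $ExpectedStreams = @('Zone.Identifier')
    )

    # Byte reads use different switches in Windows PowerShell 5.1 and PowerShell 6+.
    $byteRead = @{ Encoding = 'Byte' }
    if ($PSVersionTable.PSVersion.Major -ge 6) { $byteRead = @{ AsByteStream = $true } }

    # Files only. Directories can carry streams too; Get-Item -Stream
    # reads those as of PowerShell 7.2.
    Get-ChildItem -LiteralPath $Path -File -Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file = $_
            # ':$DATA' is the unnamed main stream, i.e. the visible file content.
            Get-Item -LiteralPath $file.FullName -Stream * -ErrorAction SilentlyContinue |
                Where-Object { $_.Stream -ne ':$DATA' } |
                ForEach-Object {
                    # Read the first two bytes to spot a PE header ('MZ') in the stream.
                    $read = @{ LiteralPath = $file.FullName; Stream = $_.Stream
                               TotalCount = 2; ErrorAction = 'SilentlyContinue' }
                    $head = @(Get-Content @read @byteRead)
                    [pscustomobject]@{
                        File        = $file.FullName
                        Stream      = $_.Stream
                        StreamBytes = $_.Length
                        FileBytes   = $file.Length   # the only size dir and Explorer show
                        Expected    = $ExpectedStreams -contains $_.Stream
                        LooksLikePE = ($head.Count -eq 2 -and
                                       $head[0] -eq 0x4D -and $head[1] -eq 0x5A)
                    }
                }
        }
}

# Review unexpected streams first, largest first.
# 'C:\Users\Public' is a sample path chosen for illustration.
Find-AlternateStream -Path 'C:\Users\Public' |
    Where-Object { -not $_.Expected } |
    Sort-Object StreamBytes -Descending |
    Format-Table -AutoSize
```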

In the 2004 test of 18 products, five failed both in the on-demand scan and in on-access recognition. Only five of the virus monitors provided reliable protection from malicious code written into the stream and detected it both on demand and on access. A year and a half later, more and more contaminants are hiding in streams, such as the current worm Mailbot. In particular, Windows rootkits are becoming increasingly common, which makes it more and more important to find and eliminate dangerous data in ADS. Time for us to update our overview.

Second stage

We did this test in cooperation with AV-Test and checked recent versions of the 18 scanners tested last time for their ability to detect malware in ADS. While we found that more products now detect viruses in streams, there is still one complete failure: F-Prot still does not look at streams at all. Nine products detect viruses in ADS both on demand and on access, one of which is Symantec, whose scanner failed completely in the ADS test in 2004. Trend Micro has also improved. Though its scanner was, in principle, able to scan ADS on demand in earlier versions, this option had to be activated first via a registry key. In the current version 2006, the scanner at least searches streams for malware on access without being prompted.

BitDefender also searches for viruses in ADS on access, but the scanner does not find anything on demand. The virus utilities of Ikarus do it the other way round: The product detects malware in ADS on demand, but not on access. We were a bit surprised this time by Norman Virus Control, which offered complete protection in 2004 but now only monitors your computer on access. The vendor had not responded to our query on this matter by the time we went online. Also see the table at the end of the article for the complete results.


Most vendors have done their homework and now provide protection against viruses in ADS, though sometimes only on access. At present, Antivir 7, AntiVirenKit 2006, Anti-Virus 2006, Dr.Web, EZ Antivirus, Kaspersky AV Personal, McAfee Viruscan, NOD32 and Norton Antivirus 2006 have mastered both disciplines. The virus utilities of Ikarus and F-Prot cannot, however, be recommended because neither provides protection from ADS malware in real time. According to the vendor, the upcoming version 4.0 of F-Prot will have remedied this drawback. (dab)

Links & Tools

[1] Gefahr aus der Schattenwelt, original review article on heise Security, Germany

[2] How To Use NTFS Alternate Data Streams

[3] Indexing Service Adds Data Streams to Image Files

[4] LADS - List Alternate Data Streams

[5] Sysinternals Streams

[6] Virus

[7] The Dark Side of NTFS

[8] FAQ: Alternate Data Streams in NTFS

[9] ADS Locator

ADS-Function in AV-Scanners

Product | Vendor | Version | On-Demand | On-Access
Avira Antivir | Avira | 7 | |
AntiVirenKit | GDATA | 2006 | |
Anti-Virus 2006 | F-Secure | 6.10 | |
AVG Antivirus (German) | Grisoft | Pro Edition 7.1 | |
BitDefender | Softwin | 9 | |
Command AV | Command Software | 4.93.7 | |
Dr.Web | Doctor Web | 4.33 | |
EZ Antivirus | Computer Associates | 7 | |
F-Prot (Windows) | Frisk | 3.16f | |
Kaspersky AV Personal | Kaspersky | 5.5 | |
McAfee Virusscan | McAfee | 2006 | |
Norman Virus Control | Norman | 5.81 | |
Norton Antivirus | Symantec | 2006 | |
Panda Platinum Internet Security | Panda | 2006 | |
PC-cillin Internet Security | Trend Micro | 14 | |
Sophos Anti-Virus (Sweep) | Sophos | 3.05 | |
Virus Utilities | Ikarus Software | 5.16 | |