Tha Sneak
𝓜𝓡𝓣-𝓧 𝓞𝔀𝓷𝓮𝓻/𝓣𝓮𝓪𝓬𝓱𝓮𝓻

[MRT-X] Alternate Data Streams

Posted Mar 21, 2025 09:39 AM

Windows Alternate Data Streams (ADS)

🔹 Introduction

Alternate Data Streams (ADS) are hidden data streams attached to visible files such as documents, executables, and system files; they do not show up in a normal directory listing or in the file's reported size.
This guide will help you understand:
✔ What Alternate Data Streams are
✔ How legitimate and malicious programs use them
✔ How to detect and remove malicious ADS entries

🔹 History of Alternate Data Streams

ADS have existed since the introduction of NTFS (New Technology File System) in Windows NT.
They were originally designed to provide compatibility with HFS (Hierarchical File System), an older Macintosh file system.

📌 Legitimate Uses of ADS:
Windows & software applications store metadata (e.g., file attributes, security settings).
Text files store summary properties (found in the file’s "Properties" → "Details" tab).
Antivirus & security software may use ADS to track scanned files.

🔹 How Are ADS Used by Legitimate Programs?

Many applications store important file attributes in ADS.
For example, when creating a text document and checking its properties:
➡️ The "Summary" information is stored inside an ADS rather than in the file itself.

📌 Creating an ADS File in Command Prompt:
The following Command Prompt command attaches an executable (file.exe) to calc.exe as an alternate data stream named file.exe:

Code
type c:\file.exe > C:\WINDOWS\system32\calc.exe:file.exe

This does not alter the visible content or size of calc.exe; the contents of file.exe are stored in the hidden stream calc.exe:file.exe.
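To see what the text above describes, here is an added PowerShell walkthrough (not part of the original post). It works on a throwaway text file in $env:TEMP rather than a system binary; the file name ads-demo.txt and the stream name hidden.txt are chosen for this example. It shows that a normal listing reports only the primary stream, while the -Stream parameter and dir /r reveal the attached stream.

```powershell
# Added example (not from the original post): create a test file in $env:TEMP,
# attach an alternate data stream to it, and show where it is and is not visible.
$base = Join-Path $env:TEMP 'ads-demo.txt'   # demo file name (assumption)
Set-Content -Path $base -Value 'visible content'

# Attach a named stream called "hidden.txt" (name chosen for this example)
Set-Content -Path $base -Stream 'hidden.txt' -Value 'this text lives in an ADS'

# A normal listing reports only the primary ($DATA) stream's size
Get-ChildItem -LiteralPath $base | Select-Object Name, Length

# Enumerate every stream on the file; the hidden one now appears alongside :$DATA
Get-Item -LiteralPath $base -Stream * | Select-Object Stream, Length

# Read the hidden stream back
Get-Content -LiteralPath $base -Stream 'hidden.txt'

# cmd.exe equivalent: dir /r lists streams in the form file:stream:$DATA
cmd /c "dir /r `"$base`""

# Delete only the alternate stream; the file and its visible content remain
Remove-Item -LiteralPath $base -Stream 'hidden.txt'
Get-Item -LiteralPath $base -Stream * | Select-Object Stream, Length

# Clean up the demo file (deleting the parent removes any remaining streams too)
Remove-Item -LiteralPath $base
```

The -Stream parameter on Get-Item, Get-Content, Set-Content and Remove-Item has been available since PowerShell 3.0, so this runs on any supported Windows version without extra tools.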

🔹 Why Are ADS Harmful?

⚠️ Malware can use ADS to remain hidden.
✔ ADS files do not appear in Explorer or normal file listings.
✔ ADS executables can be launched using standard commands (start, type) or scripted in VBScript, PowerShell, or Perl.
✔ Malware using ADS remains invisible to Windows Task Manager.

🚨 Key Risks of ADS Exploits:
✔ Malware can attach itself to legitimate files without modifying them.
✔ Attackers can store trojans, keyloggers, or ransomware in ADS.
✔ Rootkits and stealth malware use ADS to bypass antivirus detection.

🔹 Can ADS Be Disabled?
🚫 No. ADS cannot be turned off in NTFS.
✔ However, ADS can be scanned and removed using specialized tools.

🔹 How to Detect and Remove ADS Files

ADS entries are not difficult to delete, but they can cause problems if the wrong stream, or the wrong parent file, is removed.
➡️ Deleting the parent file also removes every stream attached to it, so check what the parent file is before deleting it.
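For anyone who wants to check a folder by hand before reaching for one of the tools listed below, here is an added PowerShell scanner (not part of the original post, and not code from any of those tools). It walks a directory, lists every stream other than the primary :$DATA stream and the common Zone.Identifier mark-of-the-web stream (that ignore list is an assumption; extend it for your environment), reads the first two bytes of each remaining stream to flag ones that begin with the "MZ" header of a Windows executable, and provides a helper that removes a single named stream without touching the parent file. The scan path C:\Users\Public is only a placeholder.

```powershell
# Added example (not from the original post): enumerate alternate data streams
# under a directory, skip known-benign streams, flag streams that look like PE
# executables, and remove a named stream after manual review.
function Find-SuspiciousAds {
    param(
        [Parameter(Mandatory)] [string] $Path,
        # Streams Windows itself commonly creates; adjust for your environment (assumption)
        [string[]] $Ignore = @(':$DATA', 'Zone.Identifier')
    )

    # Reading raw bytes is -Encoding Byte on Windows PowerShell 5.1 and
    # -AsByteStream on PowerShell 6+; pick the right switch once.
    $byteArgs = if ($PSVersionTable.PSVersion.Major -ge 6) {
        @{ AsByteStream = $true }
    } else {
        @{ Encoding = 'Byte' }
    }

    Get-ChildItem -LiteralPath $Path -Recurse -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file = $_.FullName
            Get-Item -LiteralPath $file -Stream * -ErrorAction SilentlyContinue |
                Where-Object { $Ignore -notcontains $_.Stream } |
                ForEach-Object {
                    # First two bytes of the stream: 0x4D 0x5A ("MZ") marks a PE image
                    $head = Get-Content -LiteralPath $file -Stream $_.Stream `
                                -TotalCount 2 -ErrorAction SilentlyContinue @byteArgs
                    [pscustomobject]@{
                        File        = $file
                        Stream      = $_.Stream
                        Bytes       = $_.Length
                        LooksLikePE = ($head.Count -eq 2 -and $head[0] -eq 0x4D -and $head[1] -eq 0x5A)
                    }
                }
        }
}

function Remove-Ads {
    param(
        [Parameter(Mandatory)] [string] $File,
        [Parameter(Mandatory)] [string] $Stream
    )
    # Removes only the named stream; the parent file and its primary data stay intact
    Remove-Item -LiteralPath $File -Stream $Stream
}

# Usage: review the findings first, then remove a specific stream (placeholder path)
Find-SuspiciousAds -Path 'C:\Users\Public' | Format-Table -AutoSize
# Remove-Ads -File 'C:\Users\Public\example.txt' -Stream 'hidden.exe'
```

Run the scan from an elevated prompt when covering system directories, and treat a LooksLikePE hit on a stream attached to a file under C:\Windows as something to investigate rather than delete blindly: note the parent file, the stream name and its size, as the FRST, OTL and ComboFix log lines in the sections below do, before removing it.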

📌 Recommended ADS Removal Tools:
FRST
OldTimer's List It (OTL)
ComboFix
HijackThis (HJT) ADS Spy

🔹 Removing ADS Using FRST

🔍 Example of ADS in an FRST Log:

Quote:
==================== Alternate Data Streams (whitelisted) ==========

AlternateDataStreams: C:\Windows\System32\legitfile:malware.exe [134]
AlternateDataStreams: C:\malware:malware.exe [134]

🛠 To remove these ADS entries using FRST:
1️⃣ Run FRST
2️⃣ Create the following as a fixlist.txt in the same place as FRST:

Code
Start::
AlternateDataStreams: C:\Windows\System32\legitfile:malware.exe [134]
AlternateDataStreams: C:\malware:malware.exe [134]
C:\malware
Stop::

3️⃣ Click the Fix button
4️⃣ Let FRST remove the ADS.

🔹 Removing ADS Using OldTimer's List It (OTL)

🔍 Example of ADS in an OTL Log:

Quote:
========== Alternate Data Streams ==========
@Alternate Data Stream - 48 bytes -> C:\WINDOWS:5E0D2877D3BDDE45
< End of report >

🛠 To remove this ADS using OldTimer's List It (OTL):
1️⃣ Run OTL.exe
2️⃣ Paste the following script into "Custom Scans/Fixes":

Code
:Files
@C:\WINDOWS:5E0D2877D3BDDE45
:Commands
[purity]
[emptytemp]
[start explorer]
[Reboot]

3️⃣ Click "Run Fix"
4️⃣ Allow reboot to complete the removal.

🔹 Removing ADS Using ComboFix

ComboFix automatically detects & removes ADS entries.

🔍 Example of ADS Found in a ComboFix Scan:

Quote:
scanning hidden files ...
c:\windows\system32\OLD4.tmp:ext.exe 32768 bytes executable
scan completed successfully
hidden files: 1
🛠 To remove ADS using a CFScript:
1️⃣ Open Notepad, then copy the following script:

Code
ADS::
c:\windows\system32\OLD4.tmp

2️⃣ Save the file as CFScript.txt
3️⃣ Drag CFScript.txt onto ComboFix.exe
4️⃣ Let ComboFix remove the ADS automatically.

🔹 Removing ADS Using HijackThis (ADS Spy)

HijackThis (HJT) includes an ADS removal tool called "ADS Spy."

🛠 Steps to Remove ADS with HJT:
1️⃣ Open HijackThis
2️⃣ Click Config (bottom-right)
3️⃣ Go to Misc Tools → Click ADS Spy
4️⃣ Click Scan to find hidden ADS files
5️⃣ Select ADS files, then click Remove Selected
6️⃣ Close HijackThis after cleaning

🔹 Conclusion

Alternate Data Streams (ADS) are a standard NTFS feature that Windows and applications rely on, but malware can exploit them.
Malware stored in an ADS stays hidden from traditional file explorers and process viewers.
Manual detection is difficult, but tools such as FRST, OTL, ComboFix, and HijackThis can detect and remove ADS threats.

🚀 Stay vigilant, scan regularly, and remove suspicious ADS entries to maintain system security!