[mdlug] The new "surface" computer
Robert Adkins
radkins at impelind.com
Tue Jul 17 14:04:51 EDT 2007
>> Did you know that there is a method in the NTFS file system to truly
>> and effectively hide files? I forgot the exact name of the feature, I
>> believe it's called "slip" something. What it does is allow you to
>> "hide" files by filling in the remaining bits of a cluster that aren't
>> fully used by the real/visible file. It's slipping a file into/under an
>> existing file and it supposedly completely hides the file.
>>
>> I have no idea why anyone would consider that a "good" feature that
>> would be acceptable in a "secure" environment, since one could use that
>> feature to sneak secrets out of a computer network within an otherwise
>> benign file.
>>
>
>
> That NTFS feature is called "alternative data streams". Play with it
> a little...it's actually interesting. You can do something like
> create a 1 KB text file, and then hide a 500 KB executable in it. The
> thing still looks like a 1 KB text file that you can open and use like
> any regular text file, but you can also run the executable hidden in
> it with a simple command. Some spyware and trojan writers have
> learned to utilize alternative data streams to hide their files. Many
> anti-spyware and anti-virus programs don't search for alternative data
> streams. Windows also does not come with any tool to let you find
> alternative data streams in your filesystem. If you want that, you
> have to download tools like Sysinternals' Streams (now owned by
> Microsoft). From what I understand Apple has something similar in
> their OS, but I'm not much into Apple.
>
> -Joseph
>
Pardon my language...
That is a fucking ridiculous feature that serves no legit purpose.
-Rob
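
The stream search discussed in the quoted reply can also be done with PowerShell's built-in `Get-Item -Stream` (PowerShell 3.0 and later, which postdates this thread). This is an added example, not part of the original messages; the `$Root` and `$MinBytes` parameters and the list of routine stream names are assumptions.

```powershell
# Added example: audit a directory tree for NTFS named (alternate) data streams.
# Requires PowerShell 3.0 or later and an NTFS volume.
param(
    [string]$Root = '.',   # assumption: directory to audit
    [long]$MinBytes = 0    # assumption: report only streams at least this large
)

# Streams that Windows writes routinely (download zone marker); flagged, not hidden.
$routine = @('Zone.Identifier')

# -File limits the walk to files; streams attached to directories are not covered here.
Get-ChildItem -LiteralPath $Root -Recurse -File -Force -ErrorAction SilentlyContinue |
    ForEach-Object {
        $file = $_
        # ':$DATA' is the unnamed default stream, i.e. the content Explorer shows and sizes.
        Get-Item -LiteralPath $file.FullName -Stream * -ErrorAction SilentlyContinue |
            Where-Object { $_.Stream -ne ':$DATA' -and $_.Length -ge $MinBytes } |
            ForEach-Object {
                [pscustomobject]@{
                    File        = $file.FullName
                    VisibleSize = $file.Length     # size of the default stream only
                    Stream      = $_.Stream
                    StreamSize  = $_.Length
                    Routine     = $routine -contains $_.Stream
                }
            }
    } |
    # Unrecognised streams first, largest first: a big stream on a small file stands out.
    Sort-Object Routine, @{ Expression = 'StreamSize'; Descending = $true } |
    Format-Table -AutoSize
```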