Windows Security Threat -- NTFS Alternate Data Streams

Dennis Faas's picture

Since we're on the hot topic of hackers and hacking lately, I thought I'd share with you another great resource that Eric B. sent me. The web site is called myNetWatchman. The myNetWatchman program (agent) gives users a heads-up that they have a security problem, if their system becomes infected with an Internet Worm virus.

There's also some super-cool reading on their web site (RE: 'Windows Forensics') which shows how multiple non-hostile applications combined can lead to a hacking threat. I'm not going into great detail because I don't want to spoil it for you; however, I will say that the information is a bit technical but surely makes for a good read!

Moving on to a related topic: Windows Security

I received an email this week from a fellow who wishes to remain anonymous; herein, we will refer to him as John Doe. In a nutshell, John Doe proposes that the Microsoft NTFS Windows File System suffers from major security flaws (through system Fork Commands) which can potentially allow personal data to be intercepted by hackers.

While I was only able to provide John Doe with a satisfactory resolution to his problem, I thought I would share with you his email in hopes of getting some better answers from the readers of the Gazette.

This information is both complex and technical -- but that shouldn't deter you from trying to understand it! I have decided to leave much of John Doe's email intact, but have made an attempt to clear some confusion by writing my own comments to make it a bit easier for Newbies to understand.

Without further adieu, John Doe writes:

" Greetings, Dennis! First, a thank you for the fine job you do with infopackets; though I'm not a newbie, I still find your newsletter to be one of the more informative newsletters I receive. I do have some questions I hope you can help with, but they are fairly technical. If you are unable to provide answers, hopefully you can point me in some alternate directions.

First, I'm wondering the security implications of alternate data streams under the NTFS file system. I do understand the reason for the streams is to enable NTFS file system compatibility with Macintosh files: Mac files fork - a data fork and a resource fork: NTFS uses the data fork, but the resource fork can be used to create a hidden file. As far as I know, there are very few legitimate programs that use alternate data streams (I believe InnoculateIT is one).

I've found several in a Win XP Pro (a clean install that's only 3 weeks old) - the first time I checked for them, I found 36: most were from Spyware like Doubleclick cookies and were easily eliminated; however, I'm still showing 8 that originate from the various .DBX* files in My Documents and its subfolders (C:\Documents and Settings\JDoe\My Documents) with an encrypted parent file.

Side note: DBX files are Outlook Express email Folder Files.

The little I have been able to find was from the DiamondCS site ( - publishers of the TDS anti-trojan program, they also have a freeware utility for detecting ADSs on the site), and from the MS Knowledge Base. The most relevant article for explaining an ADSs is Q105763: How to Use NTFS Alternate Data Streams. You can also search for "alternate data streams" as the search phrase at the Microsoft web site and you should receive approximately 14 returns.

Microsoft seems to be aware of the issue, and it's hard to get information from them. MSN is my ISP [Internet Service Provider], and was told flat out by a level 2 tech person that they could lose their job for discussing that issue. The level 3 tech support person, though not as direct, did tell me I should contact Windows XP support.

I'm currently working with two MS Win XP Pro groups there - a performance team in professional support and a networking team in developer support. So far, neither has been particularly helpful, and I'd expect XP Pro support (under the professional support option, not personal support option), to be more familiar with both the issue and its implications. (I also think it's interesting that they waived all charges for support on this. It's not an installation issue, which would be covered; and I don't have any support contract with them.)

My second question has to do with hidden windows. Win XP, at least (I haven't yet checked my Win 2k and Win 98se systems for these) has 3 particular hidden Windows that run as memory objects: CSCHiddenWindow (flags WS_OVERLAPPED | WS_CLIPSIBLING | WS_CAPTION) - that's all I've been able to discover about this window so far; it's process ID is 224, though I don't know for sure it that process is the one supplied by Windows (I think it is), or by the program I used to discover it. If you bring that window into view, it takes a screenshot of whatever is on the screen (I'm running a 19' monitor at 1280x1024, and it appears that window has a default setting of 1024x768, which would enable a whole screen shot.

The other two hidden windows of note are - as far as I know - only present if you have fax services and/or windows agent installed. Those hidden windows are, respectively, FaxMonWinClass - HiddenFaxWindow (the registry key on my system is 3FD224BA-8556-47fb- B260-3E451BAE2793), process ID; and AgentNotifySinkWindow - AgentControlHiddenWindow, process ID 66706.

Bringing any of these windows out of their hidden status so they show results in a snapshot of whatever is on your screen - very similar to a print screen utility. And all are connected to various Windows services that seemingly would it possible for MS or a reasonably sophisticated hacker to send screen captures in real time if you're connected to the Net, or to store screen shots for later transmission. I have no idea how to check on that, short of monitoring the quantity of data sent and received while online or using an internal port scanner and packet sniffer [A program used by hackers to extract ("sniff") passwords from an unsuspecting user].

It's a question that's been churning around the back of my mind lately: Since July, I've had an inordinate number of problems with MSN's Passport service, and now more recently with Win 2k and XP.

It may turn out to be nothing, but I've got a funny feeling about this one - either it's a known security problem and MS isn't talking about it (the reason it came to my attention was I think I've some kind code in my system - whether a trojan, a hijacker, a keylogger*, or what, I don't know -- and have so far been unable to positively identify anything); or MS is using these processes for whatever purposes (I'm not a MS basher, and not a conspiracy nut - but the Fed court did order monitoring of Passport for quite a few years because MS actively misrepresented both the capability to collect personal information and the extent to which they were doing so.

Thanks for your time and attention to these questions and issues. " Side note: A keyLogger is similar to a Sniffer, except it extracts passwords as it is typed on a keyboard and stores them in a separate file or sends them to a hacker for later use.

At this time I would also like to point out the wonderful article that David Rittenhouse sent me a little while ago which deals with Information Security and Privacy available on our web site (crammed full of links to information and software): Information Technology Abuse -- Privacy Issues, Part 1 of 2, and Part 2 of 2.

Rate this article: 
Average: 4 (1 vote)