Windows Security Threat -- NTFS Alternate Data Streams, Part 2

Dennis Faas's picture

This issue of the Gazette is dedicated to "tying up a few loose knots" from our ongoing discussions about Hackers and Security threats.

First, I'll give you all an update to Gazette issue dated October 10, 2002 (Windows Security Threat -- NTFS Alternate Data Streams). To recap: an anonymous reader (John Doe) sent in an email that discussed a potential security risk in Windows which might allow a hacker to take a screen capture of a computer with the NTFS file system installed.

I realize that this article was a bit on the "technical side", but I did my best to clear up any techy-talk with some newbie-speak lingo of my own (written in green). I am also pleased to say that I received a few emails from tech-savvy Infopackets Readers with suggestions to John Doe's problem.

Agneta L. writes:

" I have some suggestions to John Doe:

Go to, and read about the NTFS file system by Dmitrey Mikhailov.

Snippet from the web site: "The Microsoft operating systems of the Windows NT set cannot be imagined without NTFS file system - one of most complex and successful of existing at present file systems. The given article will tell you what features and disadvantages this system has, on what principles based the organization of the information and how to keep the system in the stable condition, what possibilities NTFS offers and how they can be used by the common user."

Go to, and get Process Explorer.

Snippet from the web site: "Ever wondered which program has a particular file or directory open? Now you can find out. Process Explorer shows you information about which handles and DLLs processes have opened or loaded."

Go to, and get Dependency Walker.

Snippet from the web site: "Dependency Walker is a free utility that scans any 32-bit or 64-bit Windows module / program (exe, dll, ocx, sys, etc.) and builds a hierarchical tree diagram of all dependent modules. For each module found, it lists all the functions that are exported by that module ... Dependency Walker is also very useful for troubleshooting system errors related to loading and executing modules.

With the help of this free, excellent tools, maybe your sky will be a little clearer. Now I must go out and get some logs for the fire!

Warm greetings from cold Sweden! "

Hazem E. also wrote in:

" I guess this would be called 'shameless self promotion', but I guess it just fits in your ongoing discussions about Hackers and Spyware:

Mizo - XP Netstats Bar is an application that monitors all of the open ports on your computer. It tells you what ports are open, what addresses they are trying to contact, and what applications are trying to open these ports. It is extremely important for you to know what is going on behind the scenes as this will help you prevent Spyware and even hacking on you computer. "

With that taken care of, I also have to make a correction to October 9th's issue of the Gazette which talked about the web site "My Net Watchman (myNetWatchman)". Originally, I reported that the myNetWatchman web site was a free firewall-monitoring service which sends frequently reported hack attempts (from the myNetWatchman users) to Internet Service Providers. Unfortunately, that was not correct. I was lucky enough to have received an email from the author (Lawrence Baldwin) with regards to our ongoing discussion about Hackers. He writes:

" The myNetWatchman agent / web site not about stopping hackers; that's NOT the problem -- please visit myNetWatchman.

The people probing you are NOT hackers, they are just innocent victims who have been compromised by a worm or virus. The reason we should try to notify them should not be represented as "fightback at hackers", "retailation", etc... rather it's about "outreach" ... giving infected users a heads-up that they have a security problem.

Regarding Spoofed IP addresses:

The idea that a spoofed packets is a big problem in analyzing firewall events is just wrong. Yes it can happen, but it is extremely rare. The intent of most port scanning is for information gathering. If an attacker spoofs their IP, then they will never get any responses to their probes...thus defeating the purpose of the scan.

About the only scenario where port probes might be spoofed is under the following cases:

  • The attacker is looking to discredit the owner of the IP address they are spoofing
  • The attacker is using *decoy* scanning...that is they are sending out each port probe using 100 different IP addresses...99 of them are spoofed, 1 is their real IP.

Again, attackers rarely worry about hiding the source of the host they are scanning from, as they never scan from their own systems, but rather from other systems that have been previously compromised. So what if someone reports the probes and the owner of that system secures the box...they've got hundreds of other hosts to use as launching pads so they just move on to the next one.

At any given time I expect there are about 5-10MM compromised or easily compromisable hosts on the Internet. It's not the hackers themselves that pose the most serious threat to our infrastructure, but rather the millions of hosts readily available to do their bidding.

DDoS attacks (denial of service) can be spoofed and such are a very serious issue, but rarely such attacks directed at individual Internet users (unless they are stupid enough to anger someone on an IRC channel). Some of these issues and more are discussed at myNetWatchman. Many thanks for the exposure! I already see that we've picked up about 30 active agents shortly after you sent out your newsletter. I only wish I had 10,000."

Rate this article: 
No votes yet