Create and run ADS files hidden inside other files to start any program

In a previous article we saw a little trick for hiding files inside a photo with the .jpg extension.
In that case, all that was done was to append a WinRAR archive, containing whatever you wanted, to the image file.
Obviously the .jpg grows by the size of the files packed into it, and to open it you just choose "Open with..." and pick WinRAR.
Viruses do not hide like this: it would be easy to find, and a .rar archive is harmless on its own, it loads nothing into memory and starts no process.
Alternate Data Streams (ADS) are a feature of the NTFS file system: extra, named streams of data attached to a file or folder. They do not change the size that Windows shows for the host, and nothing in the normal view of Windows reveals them.
Opening the host file by itself does nothing unusual. The hidden stream is opened or run only when something addresses it explicitly by its full name, in the form file:stream.
In this article we see how to create an ADS on your own PC and hide any file inside another, so that calling the stream by name opens the hidden file in place of the host.
1) Open Windows Explorer, go to drive C: and create a new folder, which we will call "Ads".
2) Inside it, to run the experiment, create a new text file called "test.txt" and copy in any photo or image from the computer, renaming it immagine_test.jpg.
3) Open the command prompt from Start -> Programs -> Accessories, or go to Start -> Run and type "cmd".
4) Type cd \ads to enter, from the prompt, the folder created earlier.
5) To create an elementary ADS and begin to understand what they are, type "echo Ciao bello > test.txt:testonascosto.txt"; you will notice that no new file appears in the Ads folder, and the size shown for test.txt does not change either.
6) Type "notepad test.txt:testonascosto.txt" and, as if by magic, Notepad opens with the text written before. The text has been stored somewhere that stays invisible on the computer unless you address the stream by name (on Windows Vista and later, "dir /r" lists the streams of each file as well).
If curiosity starts to tickle the hacker spirit in each of us, let's go ahead and see what else can be done.
7) Hiding a piece of text may only be useful to CIA spies, but a hacker can use the same technique to hide a bad file inside a good one.
For a practical experiment, copy calc.exe, the normal Windows calculator, from the Windows system folder into the Ads folder.
To copy it, type "copy C:\windows\system32\calc.exe c:\ads" at the command prompt.
8) Now insert the immagine_test.jpg file copied earlier, which should still be in the Ads folder, inside calc.exe.
To do this, type in the black DOS window, which we have not closed until now: "type immagine_test.jpg > calc.exe:immagine_test.jpg".
9) Result: if you start calc.exe, nothing strange happens and the calculator opens. If instead you start the stream by name, typing "start .\calc.exe:immagine_test.jpg" or "start C:\ads\calc.exe:immagine_test.jpg" (the stream name always follows the full path of its host), the image chosen earlier opens instead of the calculator. Delete immagine_test.jpg from the Ads folder and the result does not change.
This means the JPEG is now stored inside calc.exe: it is no longer visible as a file, the size reported for calc.exe is unchanged (Explorer and dir count only the main stream) and nothing signals the presence of the extra stream.
Unlike the WinRAR method, there is no archive to extract: the hidden content is opened directly by addressing the stream. Note, though, that the stream does not run on its own. Double-clicking calc.exe in the open folder starts the calculator and the image does not appear; something (a shortcut, a script or a startup entry) must call file:stream explicitly.
You can also hide files inside a folder, which will then look deceptively empty.
10) Create a new folder inside Ads called Ads2, then from the prompt type cd Ads2 and "type c:\ads\calc.exe > :pippo.exe". A copy of calc.exe is now attached to the Ads2 folder itself, but you cannot see it, neither with the "dir" command that lists the files in a directory nor in Explorer's normal graphical view (on Vista and later, "dir /r" does list it).
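The walkthrough above (steps 1 to 10), redone in PowerShell as an added example; this is not code from the original article. It assumes PowerShell 5.1 or later on an NTFS volume, uses the article's own folder, file and stream names, and assumes immagine_test.jpg has already been copied into C:\ads as in step 2.

```powershell
# Added example (not from the original article): the ADS walkthrough in PowerShell.
# Assumptions: PowerShell 5.1+, NTFS volume, immagine_test.jpg already in C:\ads.
$root = 'C:\ads'
New-Item -ItemType Directory -Path $root -Force | Out-Null
Set-Location -LiteralPath $root

# Steps 2, 5 and 6: a text file that carries a hidden text stream.
Set-Content -LiteralPath "$root\test.txt" -Value 'visible text'
Set-Content -LiteralPath "$root\test.txt" -Stream 'testonascosto.txt' -Value 'Ciao bello'

# The listing still shows only test.txt, and its Length counts the main stream
# alone; the hidden stream appears only when streams are requested explicitly.
Get-ChildItem -LiteralPath "$root\test.txt" | Select-Object Name, Length
Get-Item -LiteralPath "$root\test.txt" -Stream * | Select-Object Stream, Length
Get-Content -LiteralPath "$root\test.txt" -Stream 'testonascosto.txt'
cmd /c "dir /r $root\test.txt"     # the cmd.exe view: /r lists streams (Vista and later)

# Steps 7 and 8: copy calc.exe here and store the image as a stream inside it.
Copy-Item -LiteralPath "$env:windir\System32\calc.exe" -Destination $root
# cmd's 'type' with redirection copies the raw bytes, exactly as the article does.
cmd /c "type $root\immagine_test.jpg > $root\calc.exe:immagine_test.jpg"

# Step 9: the host keeps its original size ...
(Get-Item -LiteralPath "$root\calc.exe").Length
# ... while the stream holds the whole image; the two lengths below should match.
(Get-Item -LiteralPath "$root\immagine_test.jpg").Length
Get-Item -LiteralPath "$root\calc.exe" -Stream 'immagine_test.jpg' | Select-Object Stream, Length
# Addressing the stream opens the image, not the calculator. Whether a viewer
# accepts a file:stream path varies by Windows version, so this line may fail on
# newer systems even though the stream itself is intact.
cmd /c "start $root\calc.exe:immagine_test.jpg"

# Step 10: streams attach to directories too; Ads2 looks empty in dir and Explorer.
New-Item -ItemType Directory -Path "$root\Ads2" -Force | Out-Null
cmd /c "type $root\calc.exe > $root\Ads2:pippo.exe"
Get-ChildItem -LiteralPath "$root\Ads2" -Force                       # prints nothing
Get-Item -LiteralPath "$root\Ads2" -Stream * | Select-Object Stream, Length
```

Absolute paths are passed to cmd /c on purpose: the redirection target must name the host file explicitly, and keeping every path rooted in $root avoids any doubt about which working directory cmd.exe inherits.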
These are fairly old tricks, unknown to many because, frankly, they have little practical use for normal users; it is malicious hackers who have exploited them, and in the past they have done a lot of damage with Data Streams.
Imagine that in step 8, instead of a normal, harmless image, a real virus had been hidden inside the calculator: that would be painful.
If the virus then called itself, say, svchost.exe, a name that appears several times in Task Manager, it would be really hard to find.
It does not end there: an expert hacker knows that programs like the calculator and Notepad always live in C:\Windows\System32, so the stream could be attached to the real file there, without creating anything new.
Even without involving viruses, a 10 GB file could be hidden inside a 10 KB one: the host would still show 10 KB, but the hidden stream occupies real disk space, and you could find the PC locked up with no free space without understanding why.
Fortunately, these problems are largely under control today: antivirus products scan alternate streams as well, and it is fairly unlikely to suffer such an attack if you are protected.
The only recommendation I have is that, given how easy it is to build a malicious file this way, you should not accept files from strangers, for example via MSN or email, even if they are photos, images, music, text files or anything else.
For the record, ADS only work on NTFS partitions and not on FAT32, so to get rid of an ADS you can delete the host file, or copy or move it to a FAT32 partition: the streams are dropped in the copy, since that file system cannot store them.
There are tools that identify Data Streams, the best known being HijackThis, which we have already met several times on this blog.
In HijackThis, under "Misc Tools", there is a utility called "ADS Spy" that scans for streams and can remove them; honestly, though, deleting every stream would be excessive zeal, because Windows itself uses many ADS (the Zone.Identifier stream that marks downloaded files, for one) and you would risk doing damage. Windows Vista and later also list streams natively with "dir /r", and the Sysinternals Streams tool does the same from the command line.
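An added PowerShell sweep that does what the last two paragraphs describe (finding streams, and removing a single stream without deleting or moving its host); it is not part of the original article and is not HijackThis or Sysinternals code. It assumes PowerShell 5.1 or later on an NTFS volume; the function names, the ignore list and the C:\ads path are this example's own choices.

```powershell
# Added example (not from the original article): find and remove alternate data
# streams under a folder. Assumptions: PowerShell 5.1+, NTFS; names are illustrative.
function Find-AlternateStreams {
    param(
        [Parameter(Mandatory)] [string] $Path,
        # ':$DATA' is every file's main stream; Zone.Identifier is the mark Windows
        # puts on downloaded files. Neither is suspicious on its own.
        [string[]] $IgnoreStreams = @(':$DATA', 'Zone.Identifier')
    )
    # Directories carry streams too (step 10 above), so do not restrict to -File.
    $items = @(Get-Item -LiteralPath $Path) +
             @(Get-ChildItem -LiteralPath $Path -Recurse -Force -ErrorAction SilentlyContinue)
    foreach ($item in $items) {
        Get-Item -LiteralPath $item.FullName -Stream * -ErrorAction SilentlyContinue |
            Where-Object { $IgnoreStreams -notcontains $_.Stream } |
            ForEach-Object {
                [pscustomobject]@{
                    Host            = $item.FullName
                    Stream          = $_.Stream
                    Length          = $_.Length
                    # A stream named like a program is the pattern the article warns about.
                    LooksExecutable = [bool]($_.Stream -match '\.(exe|dll|scr|com|bat|cmd|ps1|vbs|js)$')
                }
            }
    }
}

function Remove-AlternateStream {
    param(
        [Parameter(Mandatory)] [string] $HostPath,
        [Parameter(Mandatory)] [string] $Stream
    )
    # Deletes only the named stream; the host file or folder and its main data stay intact.
    Remove-Item -LiteralPath $HostPath -Stream $Stream
}

# Usage: list what is hidden under C:\ads, executable-looking streams first.
$found = Find-AlternateStreams -Path 'C:\ads'
$found | Sort-Object LooksExecutable -Descending | Format-Table -AutoSize

# Remove only the streams that look like programs. Review the list before running this:
# legitimate software stores metadata in streams, which is why the sweep does not delete blindly.
$found | Where-Object LooksExecutable |
    ForEach-Object { Remove-AlternateStream -HostPath $_.Host -Stream $_.Stream }
```

Run the listing step first and look at the Host, Stream and Length columns: a large stream with an executable extension attached to a system binary or to a folder is the case the article describes, while small Zone.Identifier entries are normal and are filtered out by default.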
