Global Knowledge Expert Reference Series of White Papers
1-800-COURSES

Alternate Data Streams: What's Hiding in Your Windows NTFS?
Keith Palmgren, Global Knowledge Instructor, CISSP, Security+, TICSA

Introduction

Hackers and malware authors have a strong motivation to keep you from finding their malicious software on your system. If you find it, you can delete it. If you delete it, the malware author doesn't make money; yes, this is a for-profit business. Panda Software, a respected anti-virus and anti-malware vendor, reports that from January to March of 2006, 70% of the malware released on the Internet was trying to make money for the authors in one way or another. For additional information on that report, visit http about_panda press_room Quarterly PandaLabs.

The old ploy of "hide in plain sight" isn't as reliable as it needs to be for the profit-minded malware author. For example, placing a malicious executable in a file called under the directory c:\winnt\system32\os2\dll might work fine in Windows 2000, since few people would be inclined to mess with that file. But that filename does not work in Windows XP, because the system32\os2 directory does not exist in XP. Malware authors want a more reliable means of hiding malicious files.

Enter Alternate Data Streams, or ADSs (you will also find information referring to them as NTFS Streams). Every NTFS file system is capable of creating and maintaining ADSs. This is a feature added to the NTFS file system for compatibility with Macintosh computers. The Mac maintains certain information about a file that Windows does not. When you share files between a Mac and Windows, that additional information is kept in an ADS on the NTFS-based Windows system. Of course, anything that exists for a valid reason can be misused in an invalid, malicious way. ADSs seem to be the best-kept secret of the Microsoft world. Very few people
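The paper's point is that NTFS will happily hold named streams that ordinary directory listings never show. The following PowerShell is an added example written for this edit, not code from the white paper or from Global Knowledge: it walks a directory tree, lists every alternate stream attached to each file, and then demonstrates on a constructed test file that a stream can be read and removed without touching the file's own content. It assumes PowerShell 3.0 or later on an NTFS volume; the function name, the -Path and -IgnoreStream parameters, the demo directory under $env:TEMP and the stream name "hidden" are all choices made here, and Zone.Identifier is listed as an expected stream because browsers write it (the Mark-of-the-Web) on downloaded files.

```powershell
# Added example (not from the white paper): enumerate alternate data streams
# under a directory so that hidden content can be found and reviewed.
# Assumes PowerShell 3.0+ on an NTFS volume; Find-AlternateDataStream, -Path
# and -IgnoreStream are names chosen for this example.
function Find-AlternateDataStream {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Path,
        # Stream names treated as expected noise. Zone.Identifier is the
        # Mark-of-the-Web stream browsers add to downloaded files.
        [string[]] $IgnoreStream = @('Zone.Identifier')
    )

    Get-ChildItem -LiteralPath $Path -Recurse -File -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            # -Stream * returns one object per stream; ':$DATA' is the file's
            # normal, visible content, every other name is an alternate stream.
            Get-Item -LiteralPath $_.FullName -Stream * -ErrorAction SilentlyContinue
        } |
        Where-Object { $_.Stream -ne ':$DATA' -and $IgnoreStream -notcontains $_.Stream } |
        Select-Object FileName, Stream, Length
}

# Self-check on a constructed file: attach a named stream, confirm the scan
# reports it, then remove only that stream and confirm the host file is intact.
$dir  = Join-Path $env:TEMP 'ads-demo'
New-Item -ItemType Directory -Path $dir -Force | Out-Null
$file = Join-Path $dir 'report.txt'
Set-Content -LiteralPath $file -Value 'visible content'
Set-Content -LiteralPath $file -Stream 'hidden' -Value 'constructed stream text'

# Explorer and a plain "dir" show report.txt at the size of 'visible content'
# only; the scan lists the extra stream with its own length.
Find-AlternateDataStream -Path $dir | Format-Table -AutoSize

# Inspect the stream before deciding whether it is legitimate.
Get-Content -LiteralPath $file -Stream 'hidden'

# Remove just the alternate stream; the default stream is untouched.
Remove-Item -LiteralPath $file -Stream 'hidden'
Get-Content -LiteralPath $file        # still 'visible content'

Remove-Item -LiteralPath $dir -Recurse -Force
```

Run it on a real directory with `Find-AlternateDataStream -Path 'C:\Users\Public'` and review anything that is not Zone.Identifier; `dir /R` in cmd.exe (Windows Vista and later) gives the same per-file listing without the filtering. Note that alternate streams are lost when a file is copied to a non-NTFS volume, so a scan of the NTFS source is the only place they will show up.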