Alternate Data Streams (ADS) are a feature of the NTFS file system that allows additional data to be stored with a file without changing the content of its main (default) data stream. The extra data lives in named alternate streams, such as a resource stream holding metadata; a common example is the thumbnail preview displayed for certain file types.

Attackers use ADS to hide malware by embedding a malicious payload in a file's alternate stream. Because standard file viewers and directory listings show only the main stream, the payload evades traditional antivirus software and static scanning tools that do not inspect alternate streams. The hidden payload can be an executable concealed within a seemingly benign file such as a text document: even if the document's main stream is empty, the executable still exists in its ADS. Accessing and executing this hidden malware often requires elevated privileges, which an attacker may obtain through techniques such as exploiting UAC vulnerabilities, and could then leverage to execute malicious code during a Windows update check. This highlights the security risks associated with ADS and the need for advanced security measures; understanding ADS is crucial for identifying and mitigating this type of threat.
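The defensive check that follows from this is to enumerate the named streams that ordinary directory listings hide. The script below is an added example, not code from the original post: it walks a directory tree, lists every non-default stream on each file, and flags streams that begin with an `MZ` header (the signature of a Windows executable). It assumes Windows PowerShell 5.1 or newer on an NTFS volume; the scan path and the ignore list are assumptions you should adapt.

```powershell
# Added example (not from the original post): enumerate non-default NTFS streams
# under a directory and flag any whose content starts with an MZ (PE) header.
# Assumes Windows PowerShell 5.1+ on an NTFS volume; the scan path is a placeholder.
function Find-SuspiciousAds {
    param(
        [Parameter(Mandatory)] [string] $Path,
        # ':$DATA' is the main stream; 'Zone.Identifier' is the normal mark-of-the-web stream
        [string[]] $IgnoreStreams = @(':$DATA', 'Zone.Identifier')
    )
    Get-ChildItem -Path $Path -File -Recurse -ErrorAction SilentlyContinue |
      ForEach-Object {
        $file = $_
        # Get-Item -Stream * lists every stream on the file, including the default :$DATA
        Get-Item -LiteralPath $file.FullName -Stream * -ErrorAction SilentlyContinue |
          Where-Object { $IgnoreStreams -notcontains $_.Stream } |
          ForEach-Object {
            $isPe = $false
            try {
                # A stream is opened with the "file:stream" path syntax; read only 2 bytes
                $fs  = [System.IO.File]::OpenRead("$($file.FullName):$($_.Stream)")
                $hdr = New-Object byte[] 2
                $read = $fs.Read($hdr, 0, 2)
                $fs.Dispose()
                $isPe = ($read -eq 2 -and $hdr[0] -eq 0x4D -and $hdr[1] -eq 0x5A)  # 'M','Z'
            } catch { }
            [pscustomobject]@{
                File     = $file.FullName
                Stream   = $_.Stream
                Length   = $_.Length
                PEHeader = $isPe
            }
          }
      }
}

# Usage: list every hidden stream, then show only those carrying a PE image.
Find-SuspiciousAds -Path 'C:\Users' | Format-Table -AutoSize
Find-SuspiciousAds -Path 'C:\Users' | Where-Object PEHeader | Format-Table -AutoSize
```

A quick manual equivalent is `dir /R` in cmd.exe, which prints each file's named streams with their sizes; the script above adds the recursive walk and the executable-header check.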
dev.to
