The more I read about Alternate Data Streams (ADS), the more I don’t trust them.
I found that there are 10 Things to know about ADS.
1. There is no limit on the size of a stream, and more than one stream can be linked to a normal file.
ADS are not visible in Explorer or from the command prompt. In fact, their size is not reported by Windows either!
2. Streams can be attached not only to files but also to folders and drives!
3. The content of an ADS should not be considered limited to simple text data.
Any stream of binary information can be stored, which includes executables, MPEG files, JPEG files, etc.
4. ADS have no attributes of their own.
The access rights assigned to the default unnamed stream are the rights that control any operation on ADSs such as creation, deletion or modification.
This means if a user cannot write to a file, that user cannot add an ADS to that file.
A user with guest privileges can also create such streams in every file to which they have write access.
5. Some Browser Helper Objects (BHOs) have started storing their malicious files inside ADS, and very few anti-spyware/anti-malware products actually detect it.
6. Windows File Protection prevents the replacement of protected system files, but it does not prevent a user with the appropriate permissions from adding ADS to those system files.
The System File Checker (sfc.exe) will verify that protected system files have not been overwritten, but will not detect ADS.
7. Microsoft Windows provides no tools or utilities, either within the operating system distribution or in the Resource Kits, for detecting the presence of ADS.
8. A stream can only be executed if it is called directly by a program, with the full path to the file given.
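Points 1, 2, 6 and 7 above are about visibility: named streams have a size Windows does not show, they can hang off folders as well as files, and nothing in the stock tooling of the era lists them. The script below is an added example, not code from the original post. It assumes a Windows host with PowerShell 3.0 or later, where the `-Stream` parameter of `Get-Item` exposes each stream of an NTFS object, and it walks a directory tree reporting every named stream with its length. The parameter names `-Path` and `-IncludeZoneIdentifier` and the function name `Get-NamedStream` are the example's own.

```powershell
# Added example (not from the original post): enumerate named alternate data
# streams under a directory and report their sizes, which Explorer and a
# plain "dir" do not show. Requires PowerShell 3.0 or later on an NTFS volume.
# Usage: .\Find-Ads.ps1 -Path C:\Users\Public [-IncludeZoneIdentifier] [-Verbose]
[CmdletBinding()]
param(
    [Parameter(Mandatory = $true)]
    [string]$Path,

    # Zone.Identifier is written by browsers on every download and is almost
    # always benign; skip it unless the caller asks for it.
    [switch]$IncludeZoneIdentifier
)

function Get-NamedStream {
    param([System.IO.FileSystemInfo]$Item)

    # Get-Item -Stream * returns one object per stream, including the
    # unnamed default stream, which PowerShell reports as ':$DATA'.
    try {
        $streams = Get-Item -LiteralPath $Item.FullName -Stream * -ErrorAction Stop
    } catch {
        # Access denied or a non-NTFS location; record it under -Verbose and move on.
        Write-Verbose "Cannot read streams on $($Item.FullName): $_"
        return
    }

    foreach ($s in $streams) {
        if ($s.Stream -eq ':$DATA') { continue }   # default data stream, not an ADS
        if (-not $IncludeZoneIdentifier -and $s.Stream -eq 'Zone.Identifier') { continue }

        [pscustomobject]@{
            Path     = $Item.FullName
            Stream   = $s.Stream
            Length   = $s.Length          # the size Windows does not otherwise report
            IsFolder = $Item.PSIsContainer
        }
    }
}

# Streams can be attached to directories as well as files, so examine both,
# starting with the root the caller gave us.
$items = @(Get-Item -LiteralPath $Path) +
         @(Get-ChildItem -LiteralPath $Path -Recurse -Force -ErrorAction SilentlyContinue)

$found = foreach ($i in $items) { Get-NamedStream -Item $i }

if (-not $found) {
    Write-Output "No named alternate data streams found under $Path"
    return
}

# Largest streams first: a multi-megabyte stream on a small file is the case worth a look.
$found | Sort-Object Length -Descending | Format-Table -AutoSize
```

Pointing it at a system directory covers point 6, since a stream added to a protected file shows up here even though sfc.exe reports the file as intact. A stream that turns out to be unwanted can be removed with the same parameter on the matching cmdlet, `Remove-Item -LiteralPath <file> -Stream <name>`, which leaves the file's default data untouched.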