Alternate data stream tool launched

Alternate data streams are a feature of the NTFS file system that allows data to be attached to existing files and folders without affecting their functionality or changing their reported size. Neither Windows Explorer nor the DIR command reveals these streams, which are generally used to store metadata about a file.

"Due to the hidden nature of ADS, hackers have been exploiting this method to secretly store their Rootkit components on the compromised system without being detected," said the RootkitAnalytics portal. Malware used to create the Rustock botnet used this technique.

StreamArmor features an alternate data stream scanner, which the organization says can recursively scan across an entire system. "All such discovered streams are represented using specific color patterns based on threat level, which makes it easy for the human eye to distinguish between suspicious and normal streams," RootkitAnalytics said.

The program can scan a variety of file types including executables, archive files, audio and video formats, and document files in formats such as PDF, Microsoft Office and XML. It uses heuristics to identify suspicious streams, and also references sites such as VirusTotal, ThreatExpert, and MalwareHash. It can be used to save selected stream content to a disk or USB drive, and can also be set to delete alternate data streams when discovered.
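To make the two points above concrete, the hidden nature of named streams and what a recursive scanner with per-stream threat levels looks like, here is an added example written for this article; it is not StreamArmor's code and the heuristics (the BENIGN_STREAMS set, the size threshold, the "MZ" header check and the three threat levels) are constructed assumptions. Enumeration uses the kernel32 FindFirstStreamW/FindNextStreamW API through ctypes and therefore only runs on Windows; the name parser and the classifier are pure Python and work anywhere.

```python
"""Recursive NTFS alternate data stream (ADS) scanner.
Added example, not StreamArmor's own code; heuristics are assumptions."""
import ctypes
import ctypes.wintypes as wt
import os
import sys
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Stream names Windows itself writes routinely (assumption: treat as benign).
BENIGN_STREAMS = {"Zone.Identifier", "encryptable", "favicon", "SmartScreen"}
LARGE = 64 * 1024  # assumption: named streams above this size get a closer look


@dataclass
class Stream:
    path: str   # host file or folder
    name: str   # stream name without the ':' and ':$DATA' decoration
    size: int


def parse_stream_name(raw: str) -> Optional[str]:
    """Turn ':Zone.Identifier:$DATA' into 'Zone.Identifier'.
    The unnamed default stream '::$DATA' (the file's ordinary content) and
    non-data attributes such as ':$I30:$INDEX_ALLOCATION' yield None."""
    parts = raw.split(":")          # ':name:$DATA' -> ['', 'name', '$DATA']
    if len(parts) != 3 or parts[2] != "$DATA":
        return None
    return parts[1] or None


def classify(name: str, size: int, head: bytes = b"") -> str:
    """Heuristic threat level: 'normal', 'suspicious' or 'high' (constructed rules).
    head is the first bytes of the stream content, if the caller could read it."""
    if head.startswith(b"MZ"):      # a PE executable stored inside a stream
        return "high"
    if name in BENIGN_STREAMS:
        return "normal"
    if size >= LARGE or name.lower().endswith((".exe", ".dll")):
        return "high"
    return "suspicious"             # any other named stream deserves review


class WIN32_FIND_STREAM_DATA(ctypes.Structure):
    _fields_ = [("StreamSize", ctypes.c_longlong),
                ("cStreamName", ctypes.c_wchar * (wt.MAX_PATH + 36))]


def list_streams(path: str) -> List[Stream]:
    """Enumerate every stream of one file or folder (Windows only)."""
    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    k32.FindFirstStreamW.argtypes = [wt.LPCWSTR, ctypes.c_int, ctypes.c_void_p, wt.DWORD]
    k32.FindFirstStreamW.restype = wt.HANDLE
    k32.FindNextStreamW.argtypes = [wt.HANDLE, ctypes.c_void_p]
    k32.FindNextStreamW.restype = wt.BOOL
    k32.FindClose.argtypes = [wt.HANDLE]
    invalid = ctypes.c_void_p(-1).value
    data = WIN32_FIND_STREAM_DATA()
    found: List[Stream] = []
    h = k32.FindFirstStreamW(path, 0, ctypes.byref(data), 0)  # 0 = FindStreamInfoStandard
    if h is None or h == invalid:
        return found                 # no streams readable (permissions, non-NTFS volume)
    try:
        while True:
            name = parse_stream_name(data.cStreamName)
            if name is not None:     # skip the default stream and index attributes
                found.append(Stream(path, name, data.StreamSize))
            if not k32.FindNextStreamW(h, ctypes.byref(data)):
                break
    finally:
        k32.FindClose(h)
    return found


def scan_tree(root: str) -> List[Tuple[Stream, str]]:
    """Walk root recursively and classify every named stream found."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for entry in dirnames + filenames:   # folders can carry streams too
            full = os.path.join(dirpath, entry)
            for s in list_streams(full):
                try:                         # 'file:stream' opens the stream itself
                    with open(f"{s.path}:{s.name}", "rb") as f:
                        head = f.read(2)
                except OSError:
                    head = b""
                findings.append((s, classify(s.name, s.size, head)))
    return findings


if __name__ == "__main__" and sys.platform == "win32":
    for s, level in scan_tree(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{level:10} {s.size:>10}  {s.path}:{s.name}")
```

Run it as `python ads_scan.py C:\path\to\check` on an NTFS volume; every named stream is printed with its size and heuristic level, and a file with a Zone.Identifier stream (the usual mark-of-the-web) shows up as normal while an unrecognised stream starting with an MZ header is reported as high. The classifier is deliberately separate from the enumeration so the rules can be unit-tested, extended with hash lookups against services such as VirusTotal, or swapped for a stricter policy without touching the Win32 plumbing.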

StreamArmor is a free product running on Windows (although on 64-bit Windows, only the 32-bit version of the tool is supported).

What’s hot on Infosecurity Magazine?