As anti-virus products have become more capable, a Trojan can no longer hide itself simply by setting the hidden or system attributes on its files. A more covert and more dangerous hiding technique is gradually coming into use: by storing itself in an NTFS data stream, a Trojan can become "invisible" in the system and evade detection and removal by the overwhelming majority of anti-virus software. NTFS data streams are a normal feature of the NTFS file system, but they can be abused by Trojans, and anti-virus software has been weak at scanning files stored in such streams; many Trojans take advantage of this and use NTFS data streams to hide themselves completely in the system. Let's have a "close encounter" with the NTFS data stream Trojan.
Figure 1: NTFS format
What is an NTFS data stream?
Before we introduce NTFS data streams, let's take a quick look at the NTFS file system. NTFS is the file system of the Microsoft Windows NT family of operating systems; it was designed with management and security features, such as disk quotas and file encryption, that the FAT file system lacks, and it is more stable, more secure, and more powerful than FAT. If you want to convert a FAT partition to NTFS, enter "convert <drive>: /fs:ntfs" at the command prompt (for example "convert D: /fs:ntfs" for drive D:).
NTFS alternate data streams (ADS) are a feature of the NTFS file system: a single file can hold multiple data streams, meaning that besides the primary (unnamed) data stream, any number of additional named streams can be attached to the same host file. The feature was originally added so that NTFS could store Macintosh resource forks, and it keeps extra file-related information alongside the main content; although we cannot see an alternate data stream with ordinary tools, it really does exist on the disk. Creating one is simple: the stream is addressed as "host file:stream name", and whatever is written to that name (for example by redirecting command output to it) becomes a data stream attached to the host file.
Figure 2: Data stream
So why can't we see data stream files in the system? Did Windows deliberately hide them to keep us from accidentally deleting them? No. We cannot see NTFS data streams because many Windows tools support them poorly; Explorer, for example, shows only the primary stream, so neither the stream itself nor any change it makes to the file is visible there. This shortcoming gives a Trojan the opportunity to hide itself in an NTFS data stream and vanish from Explorer. The file-hiding feature of some rootkit-type Trojans, for example, is implemented with NTFS data streams.
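The following PowerShell session, added here as an illustration and not taken from the article, walks through the whole cycle on an NTFS volume: it attaches a named stream to an ordinary text file, shows that the file's reported size does not change, enumerates and reads the stream, then hunts a directory tree for files carrying non-default streams, which is the check a responder would run. It assumes PowerShell 3.0 or later (when the -Stream parameter was introduced); the scratch folder under %TEMP% and the stream name "payload" are chosen for the demonstration.

```powershell
# Added example (not from the original article): create, inspect, hunt for and
# remove an NTFS alternate data stream. Requires PowerShell 3.0+ on an NTFS volume.
$demoDir = Join-Path $env:TEMP 'ads-demo'     # assumption: scratch folder on NTFS
New-Item -ItemType Directory -Path $demoDir -Force | Out-Null
$hostFile = Join-Path $demoDir 'readme.txt'
Set-Content -Path $hostFile -Value 'Nothing to see here.'

# 1. Attach a second stream. The on-disk name is <file>:<stream>, here readme.txt:payload
Set-Content -Path $hostFile -Stream 'payload' -Value 'hidden content Explorer never shows'

# 2. Explorer and Get-ChildItem report only the unnamed stream, so Length is unchanged
(Get-Item -Path $hostFile).Length

# 3. Enumerate every stream on the file. ':$DATA' is the primary stream; anything else is an ADS
Get-Item -Path $hostFile -Stream * | Select-Object Stream, Length

# 4. Read the hidden stream back by name
Get-Content -Path $hostFile -Stream 'payload'

# 5. Hunt for alternate data streams across a tree (the responder's check).
#    Zone.Identifier is excluded because Windows writes it legitimately to downloaded files.
function Find-AlternateDataStream {
    param([Parameter(Mandatory)][string]$Path)
    Get-ChildItem -Path $Path -File -Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            Get-Item -LiteralPath $_.FullName -Stream * -ErrorAction SilentlyContinue |
                Where-Object { $_.Stream -ne ':$DATA' -and $_.Stream -ne 'Zone.Identifier' } |
                Select-Object @{ Name = 'File'; Expression = { $_.FileName } }, Stream, Length
        }
}
Find-AlternateDataStream -Path $demoDir

# 6. Remove only the hidden stream; the host file and its primary content stay intact
Remove-Item -Path $hostFile -Stream 'payload'
Get-Item -Path $hostFile -Stream * | Select-Object Stream, Length
```

From a plain command prompt the equivalent listing is "dir /r" (available since Windows Vista), and the classic creation syntax is "echo text > readme.txt:payload". Alternate streams exist only on NTFS, so copying the host file to a FAT or exFAT volume drops them, which is also why a backup or a file sent by e-mail will not carry the hidden content along.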