# Obfuscating malware in NTFS Additional Data Streams

While analyzing some malware I found something stickyicky. The malware used NTFS Additional Data Streams (ADS) to obfuscate its autostart entry in the registry. NTFS has supported additional data streams (ADS) since Windows NT 3.51. It seemed to me that the authors used the following technique to hide and obfuscate their malware:

```bat
rem write evil.dll into an alternate data stream attached to kernel32.dll
type evil.dll > c:\windows\system32\kernel32.dll:CreateNlsSecurityDescriptor
```

In the autostart key

```reg
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
```

I found this value:

`rundll32.exe c:\windows\system32\kernel32.dll:CreateNlsSecurityDescriptor,WindowsSecureStartup`

Well, this is cool, although it will not trick a malware analyst.
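As an added example of the detection side of this trick (not code from the original post), the script below parses autostart command lines and flags any that point into an NTFS alternate data stream. The registry values are constructed sample data in the shape of the Run entry shown above; the drive-letter colon is deliberately consumed as part of the path so that `c:\` is not mistaken for a stream separator.

```python
"""Flag autostart (Run key) commands that point into an NTFS alternate data stream.

Example detection logic written for this post, not the malware author's code:
the Run values below are constructed sample data, and the parser only looks at
the command strings, so it runs offline on any platform.
"""
import re
from typing import NamedTuple, Optional


class AdsReference(NamedTuple):
    host_file: str   # file whose alternate stream carries the payload
    stream: str      # name of the alternate stream


# "<path>:<stream>" where the path starts with a drive letter or a backslash.
# The drive-letter colon ("c:") belongs to the path group, so only a later colon
# counts as the stream separator. Stream names may not contain ':' or '\'.
_ADS_PATH = re.compile(r'((?:[A-Za-z]:)?\\[^:"\s,]*):([^:"\\\s,]+)')


def find_ads_reference(command: str) -> Optional[AdsReference]:
    """Return the first ADS reference found in a command line, or None.

    Handles the rundll32 form "path:stream,Export" as well as the explicit
    "path:stream:$DATA" form. An unquoted path containing spaces is only
    recovered from its last space onwards (a known limitation of this regex).
    """
    match = _ADS_PATH.search(command)
    if match is None:
        return None
    return AdsReference(host_file=match.group(1), stream=match.group(2))


def scan_run_entries(entries: dict[str, str]) -> list[tuple[str, AdsReference]]:
    """Return (value_name, reference) for every Run entry that uses an ADS."""
    hits = []
    for name, command in entries.items():
        ref = find_ads_reference(command)
        if ref is not None:
            hits.append((name, ref))
    return hits


# Constructed sample of HKLM\...\CurrentVersion\Run values. The first entry
# mirrors the shape of the autostart described in the post; the others are
# ordinary entries that must not be flagged (drive-letter colons, quoted paths).
SAMPLE_RUN_VALUES = {
    "WindowsSecureStartup": r"rundll32.exe c:\windows\system32\kernel32.dll:CreateNlsSecurityDescriptor,WindowsSecureStartup",
    "VendorTray": r'"C:\Program Files\Vendor\tray.exe" /background',
    "OneDrive": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background",
    "Notes": r"cmd /c type C:\Users\Public\notes.txt:payload:$DATA",
}

if __name__ == "__main__":
    for value_name, ref in scan_run_entries(SAMPLE_RUN_VALUES):
        print(f"{value_name}: {ref.host_file} carries stream '{ref.stream}'")
```

On a live system the same function can be fed the strings read from the Run keys (for example via Python's `winreg` module); to confirm a hit, `dir /r` in cmd or `Get-Item -Path <file> -Stream *` in PowerShell lists the streams attached to the host file, and the `:$DATA` default stream is the only one a clean `kernel32.dll` should have.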