The first  is just how ADS aware IIS is. IIS will serve up an ADS as a file. So for example, if you have a file called boring.html, which has an ADS called interesting.jpg, you can access the ADS by entering http://somedomain.com/boring.html:interesting.jpg as your URL. (I’m sorry I can’t provide an example here as I’m not using Windows to host this domain). If instead of a jpeg the ADS is server side code (like php), IIS will even execute the php code as you would expect. I suspect this is a great way for hackers to silently leak data from inside a network to the outside. All of that aside though, if you download a file from a web server which has ADS, IIS will not send the ADS along with the file – it will only send the main part of the file.

The second thing I’ve come to realize is that a lot of applications use ADS for “legitimate” reasons. The most common one is Internet explorer. Every file you download using IE has an ADS called “Zone.Identifier” attached to it. This ADS contains a ZoneID, which is a number from 0-4. The number indicates which zone the file was downloaded from. If the file was downloaded from the internet (zone 3) Windows XP SP2 and newer bring up the dialog box you see on the right, prompting the user to ensure they really want to run the app. If you want to disable this behavior, you can follow instructions found on the Microsoft website.

On a related note, I just want to quickly put in a plug for LADS – List Alternate Data Streams – it is a very good, simple, easy to use, quality program. Also, it’s free.