Elastic Security Labs has lifted the lid on a slew of methods available to attackers who want to run malicious apps without triggering Windows' security warnings, including one in use for six years.
The research focused on ways to bypass Windows SmartScreen and Smart App Control (SAC), the go-to built-in protections against running potentially nasty software downloaded from the web in Windows 8 and 11 respectively.
Among the techniques uncovered by Joe Desimone, tech lead at Elastic, was one he dubbed "LNK Stomping," a bug in the way Windows shortcut files (.LNK) are handled that nullifies Windows' Mark of the Web (MotW) – a digital tag placed on downloaded files that could be malicious if executed.
SmartScreen only scans files that are tagged with MotW and SAC is set up to block certain file types if they're marked, so any method that can circumvent MotW will naturally be a boon to malware miscreants.
This is far from the first MotW bypass technique that's been introduced over the years, but the fact it has been in use for so long and, as Desimone said, is "trivial" to exploit, makes it worth defenders taking some time to understand how it works.
But that's all that is on offer so far: understanding. The researcher said Elastic engaged Microsoft about mitigation and the tech giant said the it might be fixed at a later date – no patching promises here.
This "trivial" technique involves crafting LNK files with non-standard target paths or internal structures. This forces Windows Explorer to correct these small errors before launching the malicious app, but in the process of correcting these errors, MotW is removed, which means SmartScreen and SAC don't flag it as malicious.
Desimone said the easiest way to trigger this bug is to simply append a period or a space somewhere in the target executable path. Something like target.exe. would work, as would .\target.exe, for example.
Windows Explorer then recognizes the error in the target path and searches for the real executable, corrects the target path, and updates the file which in turn removes MotW.
"We identified multiple samples in VirusTotal that exhibit the bug, demonstrating existing in the wild usage," said Desimone. "The oldest sample identified was submitted over six years ago.
"We also disclosed details of the bug to the MSRC. It may be fixed in a future Windows update. We are releasing this information, along with detection logic and countermeasures, to help defenders identify this activity until a patch is available."
In the meantime, security pros are advised to adjust their detection engineering in line with the coverage gaps that are on display by SmartScreen and SAC.
Other bypasses
SmartScreen and SAC are both reputation-based protections, and the historically tried and tested, yet difficult to execute, method of bypassing these was to sign a malicious app with a code-signing certificate.
In theory, these should be difficult to acquire given that certificate authorities should only be issuing these to legitimate businesses, although it's still very much a viable practice.
Desimone also highlighted a number of other methods for bypassing reputation-based protections, including one technique he called Reputation Hijacking, which involves identifying an existing program with a good reputation and meddling with it for malicious means.
The researcher said script hosts are ideal for this kind of attack, although any app that's controlled without any common line parameters would work. If it includes a foreign function interface (FFI) capability, even better, because this can be used to load bad code into memory. Lua, Node.js, and AutoHotkey interpreters are ideal targets for repurposing here, he said.
- Microsoft squashes SmartScreen security bypass bug exploited in the wild
- Calls for Visual Studio security tweak fall on deaf ears despite one-click RCE exploit
- Malware loader lowdown: The big 3 responsible for 80% of attacks so far this year
- Microsoft: Patch this severe Outlook bug that Russian miscreants exploited
Reputation Seeding appears to work best with SAC. SmartScreen sets a higher threshold before trusting an application, Desimone said. This attack involves an attacker dropping a binary that appears trustworthy but can be exploited at a later time, such as when certain conditions are met. It could also contain a vulnerability an attacker can exploit later on, for example.
Lastly, Desimone said Reputation Tampering is also an option. This method involves carefully changing specific code sections of apps that are deemed benign by SAC in a way that lends support for an attack, all while maintaining their benign reputation.
"Through trial and error, we could identify segments that could be safely tampered with and keep the same reputation. We crafted one tampered binary with a unique hash that had never been seen by Microsoft or SAC. This embedded an 'execute calc' shellcode and could be executed with SAC in enforcement mode," the Elastic tech lead said. ®