Elastic Security Labs Uncovers Techniques to Bypass Windows SmartScreen

06 Aug 2024

Elastic Security Labs has unveiled a range of techniques that malicious actors might employ to execute harmful applications while evading Windows’ security alerts. Among these methods is one that has been in circulation for six years, drawing attention to the vulnerabilities within the operating system’s protective measures.

Bypassing Windows Protections

The research, led by Joe Desimone, the tech lead at Elastic, delves into strategies to circumvent Windows SmartScreen and Smart App Control (SAC). These built-in defenses are designed to protect users from potentially harmful software downloaded from the internet, particularly in Windows 8 and 11. One notable technique identified by Desimone is termed “LNK Stomping.” This exploits a flaw in how Windows handles shortcut files (.LNK), effectively nullifying the Mark of the Web (MotW)—a digital label indicating that a file may be dangerous if executed.

SmartScreen only scans files that carry the MotW tag, while SAC blocks certain file types marked in this way. Thus, any method that can bypass MotW becomes a significant advantage for those looking to deploy malware.

While this is not the first method to bypass MotW, its longevity and ease of exploitation warrant attention from cybersecurity defenders. Desimone emphasized that understanding this technique is crucial, even though Elastic has yet to receive concrete mitigation promises from Microsoft, which indicated that a fix might be forthcoming in future updates.

The technique, which Desimone described as “trivial,” involves crafting LNK files with unconventional target paths or internal structures. Before launching the target application, Windows Explorer rectifies these minor discrepancies in the shortcut, and in doing so strips away the MotW, leaving SmartScreen and SAC with nothing to flag.

Desimone noted that the simplest way to trigger this behavior is to append a period or a space to the target executable path (for example “target.exe.”), or to use a relative path such as “.\target.exe”. Windows Explorer recognizes the discrepancy, searches for the actual executable, corrects the path, and in the process removes the MotW tag.
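To show what a defender can look for in the shortcut itself, the following added example (not Elastic’s published detection logic or code) parses the ShellLinkHeader, the LinkInfo local base path and the StringData relative path of a .LNK and flags the two non-canonical forms described above: a target ending in a dot or space, and a relative path with nothing else to resolve it. The `build_lnk` helper is assumed here only to construct test input, and the LinkTargetIDList is skipped rather than decoded, which a production detector should also inspect.

```python
import struct

LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # CLSID_ShellLink
HAS_IDLIST, HAS_LINKINFO, HAS_RELPATH, IS_UNICODE = 0x01, 0x02, 0x08, 0x80
STRING_FIELDS = ((0x04, "name"), (0x08, "relative_path"), (0x10, "working_dir"),
                 (0x20, "arguments"), (0x40, "icon_location"))  # on-disk StringData order

def parse_lnk(data: bytes) -> dict:
    """Decode ShellLinkHeader, LinkInfo.LocalBasePath and StringData (IDList is skipped, not decoded)."""
    header_size, clsid, flags = struct.unpack_from("<I16sI", data, 0)
    if header_size != 0x4C or clsid != LNK_CLSID: raise ValueError("not a Shell Link file")
    pos, info = 0x4C, {"has_idlist": bool(flags & HAS_IDLIST), "local_base_path": None}
    if flags & HAS_IDLIST:  # IDListSize (u16) followed by the item list
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINKINFO:
        li_size, _, li_flags, _, lbp_off, _, _ = struct.unpack_from("<7I", data, pos)
        if li_flags & 0x01:  # VolumeIDAndLocalBasePath: NUL-terminated ANSI path
            start = pos + lbp_off
            info["local_base_path"] = data[start:data.index(b"\0", start)].decode("cp1252")
        pos += li_size
    width = 2 if flags & IS_UNICODE else 1  # each StringData block: u16 char count, then chars
    for bit, name in STRING_FIELDS:
        if flags & bit:
            n = struct.unpack_from("<H", data, pos)[0] * width
            info[name] = data[pos + 2:pos + 2 + n].decode("utf-16-le" if width == 2 else "cp1252")
            pos += 2 + n
    return info

def lnk_stomping_indicators(data: bytes) -> list:
    """Reasons a LNK carries a non-canonical target that Explorer would rewrite (stripping MotW)."""
    info, reasons = parse_lnk(data), []
    for field in ("local_base_path", "relative_path"):
        target = info.get(field)
        if target and target != target.rstrip(". "):
            reasons.append(f"{field} ends with dot/space: {target!r}")
    if not info["has_idlist"] and not info["local_base_path"] and info.get("relative_path"):
        reasons.append("relative_path only: no IDList and no LocalBasePath to resolve")
    return reasons

def build_lnk(local_base_path: str = "", relative_path: str = "") -> bytes:
    # Assembles a minimal LNK as constructed test input; not a real-world sample.
    flags = IS_UNICODE | (HAS_LINKINFO if local_base_path else 0) | (HAS_RELPATH if relative_path else 0)
    out = struct.pack("<I16sIIQQQIiIHHII", 0x4C, LNK_CLSID, flags, 0x20, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)
    if local_base_path:
        vol = struct.pack("<4I", 0x11, 3, 0, 0x10) + b"\0"  # VolumeID with an empty label
        lbp = local_base_path.encode("cp1252") + b"\0"
        size = 28 + len(vol) + len(lbp) + 1  # LinkInfo header + VolumeID + path + empty CommonPathSuffix
        out += struct.pack("<7I", size, 0x1C, 1, 0x1C, 0x1C + len(vol), 0, size - 1) + vol + lbp + b"\0"
    if relative_path:
        out += struct.pack("<H", len(relative_path)) + relative_path.encode("utf-16-le")
    return out
```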

“We identified multiple samples in VirusTotal that exhibit the bug, demonstrating existing in-the-wild usage,” Desimone remarked. “The oldest sample identified was submitted over six years ago. We have also disclosed the bug’s details to the Microsoft Security Response Center (MSRC) and are releasing this information, along with detection logic and countermeasures, to aid defenders until a patch is available.”

In the interim, security professionals are encouraged to refine their detection strategies to compensate for the weaknesses in SmartScreen and SAC that this research highlights.

Other Bypass Techniques

SmartScreen and SAC rely on reputation-based protections, and historically, one of the more challenging methods to bypass these systems has involved signing a malicious application with a code-signing certificate. Although acquiring such certificates should be difficult, given that certificate authorities are expected to issue them only to legitimate businesses, this remains a feasible tactic.

Desimone also pointed out several additional methods for circumventing reputation-based protections. One such technique, dubbed Reputation Hijacking, entails identifying a legitimate program with a strong reputation and manipulating it for malicious purposes. Script hosts are particularly vulnerable to this type of attack, but any application that can be controlled without command-line parameters is also at risk. The presence of a foreign function interface (FFI) capability makes it easier to load harmful code into memory, which makes interpreters like Lua, Node.js, and AutoHotkey prime targets for exploitation.

Another method, Reputation Seeding, appears to be particularly effective. This involves creating a benign application and distributing it widely to build a positive reputation before injecting malicious code into it at a later stage. The initial benign behavior helps it evade detection by reputation-based systems until it’s too late.

As these techniques continue to evolve, cybersecurity professionals must stay vigilant and proactive in adapting their defenses. The research from Elastic Security Labs serves as a crucial reminder of the ever-changing landscape of cyber threats and the importance of continuous innovation in security measures.
