Security News > 2024 > August > Bad apps bypass Windows security alerts for six years using newly unveiled trick

Elastic Security Labs has lifted the lid on a slew of methods available to attackers who want to run malicious apps without triggering Windows' security warnings, including one in use for six years.

The research focused on ways to bypass Windows SmartScreen and Smart App Control, the go-to built-in protections against running potentially nasty software downloaded from the web in Windows 8 and 11 respectively.

Among the techniques uncovered by Joe Desimone, tech lead at Elastic, was one he dubbed "LNK Stomping," a bug in the way Windows shortcut files are handled that nullifies Windows' Mark of the Web - a digital tag placed on downloaded files that could be malicious if executed.

SmartScreen only scans files that are tagged with MotW and SAC is set up to block certain file types if they're marked, so any method that can circumvent MotW will naturally be a boon to malware miscreants.

This forces Windows Explorer to correct these small errors before launching the malicious app, but in the process of correcting these errors, MotW is removed, which means SmartScreen and SAC don't flag it as malicious.

Windows Explorer then recognizes the error in the target path and searches for the real executable, corrects the target path, and updates the file which in turn removes MotW. "We identified multiple samples in VirusTotal that exhibit the bug, demonstrating existing in the wild usage," said Desimone.

News URL

https://go.theregister.com/feed/www.theregister.com/2024/08/06/bad_apps_bypass_windows_security/