A couple of months ago, we wrote about so-called Microsoft Shortcut Hacking, demonstrating two different techniques for abusing the shortcut command line to execute malware.
Regular users often consider shortcuts relatively harmless, because a shortcut simply points to an existing file at another location. As a result, people are rarely careful about security when opening a shortcut that arrived from elsewhere (a USB key, a mail attachment, an archive, etc.).
The problem with a shortcut file is that it was designed not only to point to another location (a file or folder) but also to run commands, much like a file-based equivalent of the alias command on Linux systems.
Only yesterday we reported a way of infecting Microsoft Windows users with a simple shortcut trick that uses the BITSAdmin tool to download and execute a remote application.
If you haven’t already read the article, please click here.
The main limitation of that first example is that a firewall could block the download attempt, since the shortcut needs an outbound HTTP/HTTPS connection to fetch the file before executing it.
Our security researcher has found another sneaky way of exploiting Windows shortcuts, a new 0-day that embeds arbitrary files (such as application files) directly inside the shortcut itself.
This makes the malicious application fully undetectable by any antivirus software until it is dropped and executed.
Note: As an example, the PoC mentioned below uses this vulnerability as a file dropper, but we could also create a version that injects the binary directly into memory, without ever writing it to disk, to make it even harder for antivirus software to detect at execution time. We will probably write another article about that method later.
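As an added example (not part of the original post or its PoC), the following Python triage script parses the MS-SHLLINK structures of a .lnk file and reports the two traits discussed above: a command line that invokes BITSAdmin, and file contents carried inside the shortcut beyond the link structures. The sample shortcuts it builds are constructed for the test, and treating bytes after the ExtraData terminal block as an embedded payload is a heuristic assumed here, not a description of the PoC.

```python
import struct

# LinkFlags bits of the MS-SHLLINK header (the flags field sits at offset 20 of the 76-byte header)
HAS_ID_LIST, HAS_LINK_INFO, HAS_NAME, HAS_REL_PATH = 0x01, 0x02, 0x04, 0x08
HAS_WORKING_DIR, HAS_ARGS, HAS_ICON, IS_UNICODE = 0x10, 0x20, 0x40, 0x80
STRING_FIELDS = ((HAS_NAME, "name"), (HAS_REL_PATH, "relative_path"),
                 (HAS_WORKING_DIR, "working_dir"), (HAS_ARGS, "arguments"), (HAS_ICON, "icon"))

def parse_lnk(data: bytes) -> dict:
    """Return the StringData fields plus the number of bytes beyond the last parsed structure."""
    if len(data) < 76 or struct.unpack_from("<I", data, 0)[0] != 0x4C:
        raise ValueError("not a shell link file")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos = 76
    if flags & HAS_ID_LIST:                      # IDListSize (2 bytes) followed by the IDList
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:                    # LinkInfoSize counts itself
        pos += struct.unpack_from("<I", data, pos)[0]
    width, codec = (2, "utf-16-le") if flags & IS_UNICODE else (1, "cp1252")
    fields = {}
    for bit, name in STRING_FIELDS:              # CountCharacters (2 bytes) + chars, no terminator
        if flags & bit:
            count = struct.unpack_from("<H", data, pos)[0]
            fields[name] = data[pos + 2:pos + 2 + count * width].decode(codec)
            pos += 2 + count * width
    size = 4
    while size >= 4 and pos + 4 <= len(data):   # ExtraData blocks; a BlockSize < 4 is the TerminalBlock
        size = struct.unpack_from("<I", data, pos)[0]
        pos += max(size, 4)
    return {**fields, "trailing_bytes": max(0, len(data) - pos)}

def triage(data: bytes) -> list:
    """Flag a command line that calls BITSAdmin and any file body carried after the link structures."""
    info = parse_lnk(data)
    findings = []
    if "bitsadmin" in info.get("arguments", "").lower():
        findings.append("command line invokes bitsadmin")
    if info["trailing_bytes"]:
        findings.append(f"{info['trailing_bytes']} bytes appended after the link structures")
    return findings

def build_lnk(target: str, arguments: str, appended: bytes = b"") -> bytes:
    """Constructed minimal .lnk used as sample input here (not a captured shortcut)."""
    clsid = bytes.fromhex("0114020000000000c000000000000046")   # ShellLink CLSID, little-endian
    header = struct.pack("<I16sI", 0x4C, clsid, HAS_REL_PATH | HAS_ARGS | IS_UNICODE)
    header += b"\0" * (76 - len(header))                          # remaining header fields zeroed
    field = lambda s: struct.pack("<H", len(s)) + s.encode("utf-16-le")
    return header + field(target) + field(arguments) + struct.pack("<I", 0) + appended
```

To scan a real file, call `triage(open(path, "rb").read())`; an empty list means neither trait was found, which does not prove the shortcut is benign.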
We came across a way of installing malware on Microsoft Windows using the well-known shortcut mechanism that nearly everybody uses and blindly trusts.
By its very nature, it is quite hard to detect, and removal may be even more difficult.
To describe this threat, we shall first describe a native Windows program called the BITSAdmin tool, which has shipped with Windows since Windows XP SP2. Follow this MSDN link for more information about what it is for and how to use it.