A Malicious LNK Stealer Part 1
<blockquote data-quote="ForgottenSeer 98186" data-source="post: 1031219">
<p>AV generally does not even attempt to detect malicious LNK files. Some will detect malicious LNK command lines while most others will deal only with the downloaded or executed malware. Sometimes the behavioral analysis will block any used sponsors from connecting out to the network to download malware. How AVs handle malicious LNK and command lines is all over the place.</p>
<p>Once the malware is downloaded to the system the AVs deal with it as they would any other file downloaded from the internet. If malware is "missed" then that has nothing to do with the LNK file download method. MOTW or not, a default allow has to detect a malicious file to protect the system.</p>
<p>This is a problem as malicious LNK files are increasingly being delivered to corporate email addresses.</p>
<p>Every single LOLBin can be blocked without any issues. Some enterprises do it. Their LOLBin blocklist can include 250+ processes shipped with Windows on workstation and server. That does not include all of the firewall block rules or firewall automation to deny access to any approved process from a particular source IP address. Any problems arise when talking about unmanaged home users who want to use stuff.</p>
<p>I have yet to hear of a single infection caused by the LNK method on a properly configured system. Their configurations are layered so that if one layer fails, there is a cascade failover that blocks the attack at the next layer.</p>
<p>New LOLBin discoveries are not frequent. The lists have remained essentially static over the years, with a couple of new processes added to the list every couple of years.</p>
<p>I do not take the perspective that this forum is intended only for home users. What is done at the enterprise level is pertinent to home users because when it comes to Microsoft native security, Microsoft uses the "Hand-Me-Down" security model from enterprise to unmanaged home users. It surprises me that more people are not outraged by this behavior. Microsoft gives unmanaged home users - the most vulnerable and insecure group - the least amount of security by default. This is primarily due to the obsolete dinosaur thinking that "users that want to use stuff" should be allowed to do what they want. That is ridiculous.</p>
<p>At least with SRP one can whitelist known, good LNK files and block others by default.</p>
</blockquote>
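The post above says some AVs look at LNK command lines while most only judge the payload that the shortcut later downloads. The script below is an added example, not code from the quoted post or from the thread's author: a read-only PowerShell audit that walks a user's Downloads, Desktop, Temp and Startup folders, resolves each .lnk through the WScript.Shell COM object, and reports shortcuts whose target is a script host or other LOLBin, or whose arguments contain download-and-execute patterns. The target list, the argument patterns and the folder list are the editor's assumptions and can be extended; nothing here deletes or blocks anything.

```powershell
# Added example: audit .lnk files and flag ones that point at interpreters/LOLBins
# or carry download-style arguments. Report only; no remediation is performed.

# Assumed list of binaries that a benign desktop shortcut rarely targets directly.
$SuspectTargets = @('cmd.exe','powershell.exe','pwsh.exe','mshta.exe','rundll32.exe',
                    'regsvr32.exe','wscript.exe','cscript.exe','certutil.exe','bitsadmin.exe',
                    'conhost.exe','forfiles.exe','msiexec.exe')

# Assumed substrings typical of fetch-and-run command lines (compared case-insensitively).
$SuspectArgs = @('http://','https://','-enc','-e ','-w hidden','-windowstyle hidden',
                 'iex','invoke-expression','downloadstring','downloadfile','-urlcache','frombase64string')

function Get-LnkInfo {
    # Resolve target, arguments and icon of one shortcut without launching it.
    param([Parameter(Mandatory)][string]$Path)
    $shell = New-Object -ComObject WScript.Shell
    try {
        $lnk = $shell.CreateShortcut($Path)
        [pscustomobject]@{
            Path      = $Path
            Target    = $lnk.TargetPath
            Arguments = $lnk.Arguments
            Icon      = $lnk.IconLocation
        }
    } finally {
        [void][Runtime.InteropServices.Marshal]::ReleaseComObject($shell)
    }
}

function Test-SuspiciousLnk {
    # Return the list of reasons a shortcut looks suspicious (empty list = nothing found).
    param([Parameter(Mandatory)]$Info)
    $reasons = @()
    $targetName = if ($Info.Target) { [IO.Path]::GetFileName($Info.Target).ToLowerInvariant() } else { '' }
    if ($SuspectTargets -contains $targetName) { $reasons += "target is $targetName" }

    $argsLower = ([string]$Info.Arguments).ToLowerInvariant()
    foreach ($p in $SuspectArgs) {
        if ($argsLower.Contains($p)) { $reasons += "arguments contain '$p'" }
    }
    # Ordinary application shortcuts seldom carry long argument strings.
    if ($argsLower.Length -gt 200) { $reasons += "arguments are $($argsLower.Length) chars long" }
    # Interpreter target dressed up with a document-style icon.
    if ($reasons.Count -gt 0 -and $Info.Icon -match 'shell32|imageres|\.(pdf|docx?|xlsx?)') {
        $reasons += 'document-style icon on an interpreter target'
    }
    return $reasons
}

# Assumed folders where user-delivered shortcuts typically land.
$roots = @("$env:USERPROFILE\Downloads", "$env:USERPROFILE\Desktop", "$env:TEMP",
           "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup")

foreach ($root in $roots) {
    if (-not (Test-Path $root)) { continue }
    Get-ChildItem -Path $root -Filter *.lnk -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
        $info = Get-LnkInfo -Path $_.FullName
        $why  = Test-SuspiciousLnk -Info $info
        if ($why.Count -gt 0) {
            Write-Output ("SUSPECT: {0}`n  target: {1}`n  args:   {2}`n  why:    {3}" -f
                $info.Path, $info.Target, $info.Arguments, ($why -join '; '))
        }
    }
}
```

Run it from a normal user session; it needs no elevation because it only reads files the user already owns. Two caveats a practitioner should keep in mind: the WScript.Shell object returns the target and arguments as the shell resolves them, so for forensic work on a shortcut you already distrust, parse the binary Shell Link structure directly rather than trusting the COM view, and a clean report here says nothing about the downloaded payload, which is exactly the layer the post says AVs end up judging on their own.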