Unofficial Solution to Windows Bug Used to Infect Home Computers with Ransomware

Patrick Schlapfer, an HP malware analyst, noted that the malicious JavaScript found in the Magniber ZIP archives did carry the MotW flag, which is what you would expect for an archive downloaded from the internet, yet it still executed without a SmartScreen alert to halt the requested actions or warn users against proceeding. Acros CEO Mitja Kolsek confirmed that SmartScreen was being bypassed.

Microsoft’s SmartScreen is supposed, among other things, to block malicious files and warn users when a suspicious file is opened. The Magniber ZIP archive, however, bypassed that process completely. An earlier Windows bug prevented the MotW flag from being applied to internet-sourced files at all; what is being exploited now is a similar vulnerability in which the MotW flag is present but has no effect.

Kolsek stated that when a user opens a potentially harmful file on Windows 10 or Windows 11, SmartScreen inspects the file and determines whether it may be launched.

It turns out that the Magniber ZIP script file bypasses SmartScreen because of a malformed Authenticode digital signature.

Windows is confused by this signature, and the script can run regardless of whether its MotW flag has been set.

Analygence’s Dormann replied to Schlapfer on Twitter on October 18, stating that “if the File has this Malformed Authenticode Signature, the SmartScreen/or File-Open Warning Dialog will be skipped regardless Script contents as if there are no MotW on it.”

Microsoft’s Authenticode digital code-signing technology identifies the publisher of a piece of software and verifies that it was not altered after being signed and released. Dormann discovered that the script file signatures were so badly formatted that Windows could not properly interpret them. Kolsek explained that Windows nonetheless trusted them and allowed the malicious executables to run without warning.

Acros Security examined the matter further and found that SmartScreen returned an error when it attempted to decode the malformed signature. As a result, the operating system failed to stop the program from running and infecting the machine.
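A defender-side triage check that follows from the above, added here as an example (it is not code from the article, from Acros or from HP): for each file extracted from a downloaded archive it reports whether the Zone.Identifier stream that carries the MotW flag is present and what Windows’ own Authenticode verification returns, so that internet-sourced files whose embedded signature fails to verify can be reviewed before anyone double-clicks them. The folder path is an assumed parameter.

```powershell
# Added example: list MotW zone and Authenticode status for files in a folder.
# Assumes $Path points at the extracted contents of a downloaded ZIP.
param(
    [Parameter(Mandatory = $true)]
    [string]$Path
)

Get-ChildItem -Path $Path -File -Recurse | ForEach-Object {
    $file = $_

    # MotW is stored in the Zone.Identifier alternate data stream.
    # ZoneId=3 means the file came from the Internet zone.
    $zone = $null
    try {
        $ads = Get-Content -Path $file.FullName -Stream Zone.Identifier -ErrorAction Stop
        foreach ($line in $ads) {
            if ($line -match '^ZoneId=(\d+)') { $zone = $Matches[1]; break }
        }
    } catch {
        $zone = $null   # no stream: file was not marked as downloaded
    }

    # Get-AuthenticodeSignature reports Valid, NotSigned, HashMismatch,
    # NotTrusted, UnknownError, ... for the file's embedded signature.
    $sig = Get-AuthenticodeSignature -FilePath $file.FullName

    [PSCustomObject]@{
        File       = $file.FullName
        MotWZoneId = $zone
        SigStatus  = $sig.Status
        Signer     = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
        # Worth a closer look: marked as from the Internet, and carrying a
        # signature that is neither valid nor simply absent.
        Review     = ($zone -eq '3') -and ($sig.Status -notin 'Valid', 'NotSigned')
    }
} | Format-Table -AutoSize
```

Files flagged with Review = True are the ones whose signature Windows could not verify cleanly despite the MotW flag; they should be inspected rather than opened.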

Acros’s most recent micropatch, released on October 28, works with Windows 11 version 21H2, eight Windows 10 versions including 21H1 and 21H2, and Windows Server versions 2019 through 2022, according to our sources.

A Microsoft spokesperson told us that the company is aware of the vulnerability and is investigating the matter to find the best way to fix it.
