Slashdot Mirror


Malware Authors Seem Intent on Weaponizing Windows SettingContent-ms Files (bleepingcomputer.com)

An anonymous reader shares a report: Malware authors are frantically trying to weaponize a new infection vector that was revealed at the start of June. The trick relies on using Windows Settings (.SettingContent-ms) shortcut files in order to achieve code execution on Windows 10 PCs. Ever since SpecterOps security researcher Matt Nelson published his research on the matter three weeks ago, malware authors have been playing around with proof-of-concept code in attempts at crafting an exploit that can deploy weaponized malware on a victim's system. With each passing day, more and more exploits are being uploaded to VirusTotal.

50 comments

  1. Doesn't Microsoft hire black hats? by mykepredko · · Score: 3, Insightful

    Good description of the .SettingContent-ms exploit - I would have thought that this would jump out to a Malware author as soon as the feature was announced (regardless of the fact that there is ASR used by large network sysadmins).

    Doesn't Microsoft have a bunch of people on staff that think like black hats (probably because they used to be them) with the task of looking for problems like this? At the very least, shouldn't somebody have twigged onto the idea that providing a new way to allow new programs to run (as well as spawn new processes) should be something that Microsoft security reviews?

    1. Re:Doesn't Microsoft hire black hats? by Anonymous Coward · · Score: 0, Funny

      This is Windows 10... You just said Microsoft, Security and Review in the same sentence? Christ everybody drink.

    2. Re:Doesn't Microsoft hire black hats? by JaredOfEuropa · · Score: 4, Insightful

      One really doesn’t have to be a blackhat to spot at least some of the various issues of this feature. This isn’t security expert stuff, but “what the hell were they smoking” territory.

      We wouldn’t need these shortcuts in the first place if MS kept the control panel at least somewhat consistent between versions, instead of rearranging the control panel and every damn thing in it on every release. Including Windows Server releases. IIRC some stuff (might have been Exchange related) went from a control panel item to something under the start menu to a double secret (separately downloadable) MMC snap-in (and who came up with that brilliant idea) to a web interface.

      --
      If construction was anything like programming, an incorrectly fitted lock would bring down the entire building...
    3. Re:Doesn't Microsoft hire black hats? by Anonymous Coward · · Score: 2, Interesting

      Doesn't Microsoft have a bunch of people on staff that think like black hats (probably because they used to be them) with the task of looking for problems like this?

      From the article:

      "Nelson contacted Microsoft, but they do not consider this a vulnerability in the OS."

    4. Re:Doesn't Microsoft hire black hats? by gweihir · · Score: 0

      Microsoft does not even have real testers anymore....

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    5. Re:Doesn't Microsoft hire black hats? by Anonymous Coward · · Score: 0

      Doesn't Microsoft have a bunch of people on staff that think like black hats (probably because they used to be them) with the task of looking for problems like this?

      Yes, unfortunately they work for covert intelligence agencies and hope the problem slips into the wild long enough to ex-filtrate the data they need abroad.

      You don't get successful as a big tech biz unless you're in with the alphabet soup. Sorry to pop your cherry, kiddo, but this is the real world.

    6. Re:Doesn't Microsoft hire black hats? by LVSlushdat · · Score: 1, Interesting

      Shit like this makes me sooooooo VERY happy I no longer allow ANYthing MS on any network I control...

      --
      THANK YOU, Edward Snowden!! Americans owe you a debt of gratitude (whether they know it or not..)
    7. Re:Doesn't Microsoft hire black hats? by mykepredko · · Score: 2

      That's exactly what I thought when I RTFA, but I wasn't sure if I was missing something.

    8. Re:Doesn't Microsoft hire black hats? by AHuxley · · Score: 2

      It's like a new deep Microsoft Chrome https://en.wikipedia.org/wiki/... but deep in the OS and browser. To make the ads and support work.

      --
      Domestic spying is now "Benign Information Gathering"
    9. Re:Doesn't Microsoft hire black hats? by Blue+Stone · · Score: 1

      >Doesn't Microsoft have a bunch of people on staff that think like black hats (probably because they used to be them) with the task of looking for problems like this?

      From the looks of Windows 10, they don't even have Quality Assurance reviewers anymore.

      --
      Corporation, n. An ingenious device for obtaining individual profit without individual responsibility. - Ambrose Bierce
    10. Re:Doesn't Microsoft hire black hats? by DeVilla · · Score: 1

      Doesn't Microsoft have a bunch of people on staff that think like black hats (probably because they used to be them) with the task of looking for problems like this?

      I assumed that was who they had developing the system. I figured it was obvious when the original versions of Win10 would send your wireless credentials to everyone on any contact list it could find.

  2. Re:Why Did BSD Die? by Anonymous Coward · · Score: 0

    Berkeley once had a Free Speech Movement. Now the kids want to kill off free speech in favor of something much more awful.

    You might have meant something different from me. But both had Berkeley in there.

    Happy 4th of July y'all! You can still rock in America (subject to the whims of the politburo)

  3. Re:Why Did BSD Die? by Anonymous Coward · · Score: 1

    Berkeley is now at the heart of destroying the free speech and freedom of assembly and association. It is a truly stunning turnabout from freedom to totalitarianism.

    FreeBSD and its relatives have institutionalized a thought police. If you don't agree with their manifesto of leftist SJW talking points you will be kicked out. You won't even get email support. Some of the infractions are disagreeing with open borders, voting for Donald Trump, questioning global warming, believing that marriage is a tradition defining the relationship between a man and a woman. The FreeBSD manifesto is chilling, shocking, and unimaginable. It is no fucking wonder that FreeBSD is deep in the shitter. If they spent half as much time addressing bugs and features as they do SJW stuff, then they might not be scraping rock bottom.

  4. Vulnerability description by Anonymous Coward · · Score: 5, Informative

    In case this is news to you and you're wondering about this vulnerability, here's a description.
    Microsoft has introduced a new file format (extension: .SettingContent-ms) to link to settings pages. In this format a <DeepLink> tag contains the application to run in order to display the settings page. So like program information files (.pif), shortcuts (.lnk), batch files (.bat) and so on these should be treated as executable programs, because these files can do anything the author wishes. Just specify "%WINDIR%\System32\cmd.exe /c ..." as the command line.
    But apparently Microsoft itself didn't appropriately mark the new shortcut file type as executable and because it's a new file type, third-party vendors of things like anti-virus software, web browsers and e-mail clients haven't caught up yet either.
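A defender-side check for the file type described in this post, added here as an example; it is not code from the original post, from Microsoft, or from the researcher mentioned in the story. It parses a .SettingContent-ms file, pulls out the `<DeepLink>` value and flags anything that is not a bare path to the expected Settings launcher, and it matches the extension case-insensitively so that a hyphenated, mixed-case name like `Invoice.SettingContent-MS` is still treated as executable content. The wrapper elements (`PCSettings`, `SearchableContent`), `control.exe` as the benign launcher, and both sample files are assumptions constructed for the example, not taken from the page.

```python
"""Triage .SettingContent-ms attachments: treat them as executables and
inspect the <DeepLink> command they would launch (defender-side example)."""
import xml.etree.ElementTree as ET
from pathlib import PureWindowsPath

# Assumption: a benign shortcut points straight at the Settings launcher with
# no arguments. Extend this allowlist to match your own environment.
EXPECTED_LAUNCHERS = {"control.exe"}
# cmd.exe is the interpreter the post itself cites; any shell launched from a
# shortcut is a red flag regardless of the arguments that follow it.
SHELL_INTERPRETERS = {"cmd.exe"}

# Constructed sample of a benign file (wrapper elements are an assumption).
BENIGN_SAMPLE = """<PCSettings>
  <SearchableContent xmlns="http://schemas.microsoft.com/Search/2013/SettingContent">
    <ApplicationInformation>
      <DeepLink>%windir%\\system32\\control.exe</DeepLink>
    </ApplicationInformation>
  </SearchableContent>
</PCSettings>"""

# Constructed sample mirroring the "cmd.exe /c ..." pattern from the post.
SUSPICIOUS_SAMPLE = """<PCSettings>
  <SearchableContent xmlns="http://schemas.microsoft.com/Search/2013/SettingContent">
    <ApplicationInformation>
      <DeepLink>%WINDIR%\\System32\\cmd.exe /c echo constructed-sample</DeepLink>
    </ApplicationInformation>
  </SearchableContent>
</PCSettings>"""


def is_settingcontent_name(filename):
    """Case-insensitive extension match, so SettingContent-MS is not missed."""
    return filename.lower().endswith(".settingcontent-ms")


def extract_deeplinks(xml_text):
    """Return every <DeepLink> text value, ignoring XML namespaces."""
    root = ET.fromstring(xml_text)
    return [(el.text or "").strip()
            for el in root.iter() if el.tag.rsplit("}", 1)[-1] == "DeepLink"]


def split_command(value):
    """Split a DeepLink into (executable, arguments); handles a quoted path."""
    value = value.strip()
    if value.startswith('"'):
        end = value.find('"', 1)
        if end == -1:
            return value[1:], ""
        return value[1:end], value[end + 1:].strip()
    parts = value.split(None, 1)
    return parts[0], (parts[1] if len(parts) > 1 else "")


def assess_deeplink(value):
    """Return a list of reasons the DeepLink looks unsafe (empty == benign)."""
    exe, args = split_command(value)
    name = PureWindowsPath(exe).name.lower()
    reasons = []
    if args:
        reasons.append("command-line arguments present")
    if name in SHELL_INTERPRETERS:
        reasons.append(f"launches shell interpreter {name}")
    if name not in EXPECTED_LAUNCHERS:
        reasons.append(f"unexpected launcher {name}")
    return reasons


def assess_file(filename, xml_text):
    """Verdict for one attachment: 'clean', 'block' or 'not-applicable'."""
    if not is_settingcontent_name(filename):
        return {"verdict": "not-applicable", "findings": []}
    try:
        links = extract_deeplinks(xml_text)
    except ET.ParseError as exc:
        # A shortcut that does not parse gets no benefit of the doubt.
        return {"verdict": "block", "findings": [f"malformed XML: {exc}"]}
    if not links:
        return {"verdict": "block", "findings": ["no <DeepLink> element"]}
    findings = []
    for link in links:
        findings.extend(f"DeepLink {link!r}: {r}" for r in assess_deeplink(link))
    return {"verdict": "block" if findings else "clean", "findings": findings}


if __name__ == "__main__":
    for name, body in (("settings.SettingContent-ms", BENIGN_SAMPLE),
                       ("Invoice.SettingContent-MS", SUSPICIOUS_SAMPLE)):
        result = assess_file(name, body)
        print(name, "->", result["verdict"])
        for finding in result["findings"]:
            print("   ", finding)
```

The point of the allowlist is that the DeepLink is a command line, not a data field, so the check is written like an application-control rule: a known launcher with no arguments passes, and everything else is blocked rather than scored.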

    1. Re:Vulnerability description by RandomFactor · · Score: 5, Interesting

      It gets better.

      The actual extension name confuses at least one major email protection service and it won't catch an email containing it even if you do add it to your extension/type blocks. Test after blocking.

      Also worthy of note - Chrome warns settingcontent-ms is a potentially dangerous file type if you download one (haven't tried other browsers yet.)

      --
      --- Mercutio was right.
  5. Stupid Win10 by Anonymous Coward · · Score: 1

    All those wankers claiming Win10 is inherently safer than Win7 because it is "new" and "supported".

    Fucking idiots the lot of them.

    Just try to imagine all of the new code in Win10 and the as-yet undiscovered exploits, just like this one.

    Code gets stronger/better/safer over time, which is almost the exact opposite of physical goods.

    1. Re:Stupid Win10 by Anonymous Coward · · Score: 0

      Like that 10 year old code in your router that is running a Russian botnet?

    2. Re:Stupid Win10 by AHuxley · · Score: 1

      But it's free from MS for the user.

      --
      Domestic spying is now "Benign Information Gathering"
    3. Re: Stupid Win10 by Anonymous Coward · · Score: 0

      But Windows 7 has newer updates than that.

      And my router does too.

    4. Re:Stupid Win10 by Anonymous Coward · · Score: 0

      But it's free from MS for the user.

      No it's not.

    5. Re:Stupid Win10 by LordWabbit2 · · Score: 1

      Code gets stronger/better/safer over time

      No it doesn't, it ends up full of kludges and hacks and at some point needs to be rewritten to make it stable again. Sure the new code will contain new bugs, but anything more complex than "Hello World" probably has a bug somewhere. If you want to stick with Windows 7 then go for it; when the newer version of xyz software no longer runs on it you will be forced to upgrade - whether you like it or not.

      I am sure there are PCs sitting in some back room somewhere that still run DOS, still do what they are needed to do and are therefore not replaced. I've come across OS/2 Warp PCs and that OS died before I even started working as a programmer. There is a Windows NT4 box sitting at the reserve bank (in my country, not the US) that is quietly doing its job; it's not exposed to the internet and they leave it alone. There was an attempt to upgrade it, but the software that runs on it only runs on NT4 (for some reason, I was not part of the upgrade so I have no idea what the problem was) and the company that wrote it no longer exists, so they put NT4 back on and left it.

      --
      There are three kinds of falsehood: the first is a 'fib,' the second is a downright lie, and the third is statistics.
    6. Re:Stupid Win10 by LordWabbit2 · · Score: 1

      Other than my original payment to MS for a license (and then upgrading to Enterprise because I wanted to play with VM's) I have not paid a cent more. So why do you say it's not free?

      --
      There are three kinds of falsehood: the first is a 'fib,' the second is a downright lie, and the third is statistics.
    7. Re:Stupid Win10 by Anonymous Coward · · Score: 0

      "If you want to stick with windows 7 then go for it, when the newer version of xyz software no longer runs on it you will be forced to upgrade - whether you like it or not."

      Like what, the Windows Solitaire program?

      That's a cunt of an attitude to take mate.

      Anyway, once Win7 is dead in the water all my stuff (and my client's) will be on Linux. Everyone knows Win10 is a pile of shit.

    8. Re:Stupid Win10 by Anonymous Coward · · Score: 0

      I've already moved many of my computers to Linux. I have one Windows 7 for games and one Windows only application, and one Windows 10 for games on my Ryzen computer. Both of those dual boot to Linux, and I game on Linux when a version is available. The rest only run Linux. I can honestly say that moving away from Windows, MS Office, and some other commercial applications to open source alternatives has been very pleasant. I enjoy using my computer more, and I find that Linux and LibreOffice just run better for my needs.

      I can't move all my clients to Linux due to their reliance on Windows-only applications, and the companies' investment in Windows. However, it does cause me to appreciate open source even more whenever I deal with a Windows 10 update problem, or activation for a paid operating system or application breaks. I find it ridiculous how paying customers have to jump through hoops just to get their software to work, and how often that system seems to break.

  6. WTF? Lie some more why don't you! by Anonymous Coward · · Score: 0

    You admit that your solution is ineffective on its own - by UNIDENTIFIABLE Anonymous STALKER of APK

    Where'd I say what YOU falsely accuse me of as you STALK ME by your "courageous" (not) full of "integrity" (not) UNIDENTIFIABLE anonymous posts?

    Heuristics generate false positives - & I've proven ArcaVir, Baidu, CA, ClamAV, Comodo, Crowdstrike, Emsisoft, McAfee, NOD32/ESET, Norton/Symantec, Qihoo, SentinelOne, Sophos & Trend WRONG on it (& Tavis Ormandy found SECURITY ISSUES in 'em).

    * People from AV companies say hosts = good security.

    Also - I never say I DON'T USE DNS. I do (sub 2% of the time & rest avoids DNS issues on 100 of my fav sites I spend most time @ hardcoded in hosts resolving FASTER vs. dns).

    APK

    P.S.=> I save more vs. 5 min it takes to haul in 1st data set + 2 min merge (small partial data) in blocking ads + speedup from local resolution (vs. DNS security issues, tracking, & slower resolution) vs. running my work... apk

    1. Re:WTF? Lie some more why don't you! by Anonymous Coward · · Score: 0

      Yesterday you claimed you'd never said that a host file was a "cure all". Today you object when I say that you admit that it's not effective on its own..

      Which is it?

      mvps and hpHosts both say that using host file alone is not enough. They are the suppliers of your 'security'.

      Heuristics generate false positives

      Can you read? Yes, I said so. So do your lists. Both are rare.

      I never say I DON'T USE DNS.

      How do hosts make you anonymous if you use DNS?

      Which is it?

      5 min

      You take 5 minutes to save milliseconds? Let's say your lookup is 10 ms faster (averaged over cached/not cached). I'd have to be making 30k lookups to break even. Even if there's no caching, and we call it a 50 ms delta, that's still 6k. Are you insane? Seriously? WTF?

      This is laughable. I can't believe you're serious. No wonder you dodge questions and challenges so much.

      APK. Spend 5 minutes to save milliseconds. Blacklist > whitelist. Uses DNS, but still claims to be anonymous.

  7. Re:Nothing "cures all"=what I say... apk by Anonymous Coward · · Score: 0

    mvps provides one of your lists. Here's what they say about using a host file for security - "Simply using a HOSTS file is not a cure-all against all the dangers on the Internet". hpHosts say something similar.

    If nothing 'cures all', then nothing is effective on its own. You admit, just as your sources do, that you need something more.
    And I contend that if you're already using other things, then there's very little utility in adding the overhead of your solution.

    I'm not 'twisting' anything. All you do is hurl the things you've been accused of back in a childish tantrum.

    ---

    *laugh* you spend 99% of your time via a hostfile, which makes lookups 1%? Last post it was 2%

    If you still use DNS then you aren't avoiding their logs. You may be reducing, but that's meaningless. 'Anonymous' is ungradeable. You can't be 'mostly anonymous', just like you can't be 'slightly pregnant'.

    If you've added 100 sites to your list, how is that more of a 'nightmare' than whitelisting via a browser extension? It's the same thing. Only the add-on does more and is easier to use. Double standard. Hypocrisy.

    *laugh* maintenance is 2 minutes now? It was 5 minutes just a post ago?

    Faster resolution? Sure, you can save milliseconds if you're prepared to spend minutes. Hooray!

    You're a crank.

    APK. Save milliseconds by spending 2-5 minutes each day! Almost, but not quite, anonymous! Ineffective on its own!

  8. They say same as I do by Anonymous Coward · · Score: 0

    I too say hosts don't cure all & so do they (NOTHING does - hosts just do more vs. any other method for far less & natively + faster).

    * When I call out to DNS, then dns requestlogs = aware of me - HOWEVER:

    Using hosts, I bypass DNS for 99% of my queries (as will most people - it's like T.V. - we all have favorite channels we like where you spend most time @ online (& I get you there FASTER bypassing DNS too + making you safer vs. its security flaws OR being down)).

    (I'll take ms (I didn't have in my favor before hosts' use) that add up in a dragrace too that also secures you vs. tracking + does it faster than remote dns does, safer vs. its security flaws)

    APK

    P.S.=> You think & act like you snort crank & smoke it for breakfast lunch + dinner (lol) 24x7... apk

  9. Re:Block script & malicious site sources by Anonymous Coward · · Score: 0

    (remove spaces between characters & download)

    The hallmark of spammers the world over.

  10. Re:Registered /.ers review of the Win64 model by Anonymous Coward · · Score: 0

    Oh yeah, it's so bloody good and enjoys such a fine reputation that you have to triple-post double spams with "remove spaces to download" lamer spammer tricks trying to get past filters... and they all get modded down to -1 almost instantly anyhow.

    ROFLMAO. What a loser.

  11. Block script & malicious site sources by Anonymous Coward · · Score: 0

    See subject & APK Hosts File Engine 2.0++ 64-bit for Linux h t t p : / / a p k . i t - m a t e . c o . u k / A P K H o s t s F i l e E n g i n e F o r L i n u x . z i p (remove spaces between characters & download).

    Yields more security/speed/reliability/anonymity vs. any SINGLE solution (99% of threats = hostnames vs. IP address that most firewalls use) more efficiently/FASTER + NATIVELY 4 less!

    (Vs. "Bolt on 'MoAr' illogic-logic" competitors slowing you, hosts speed you up 2 ways (adblocks + hardcodes u spend most time @) vs. competition loaded w/ security bugs (DNS/AntiVir) + overheads (messagepass ('souled-out' to advertiser addons) + filtering drivers) & their complexity leads to exploitation).

    * ONLY 1 of its kind in GUI on Linux!

    Better vs. Windows model in speed/efficiency/merge.

    APK

    P.S.=> See subject: Block malscript & malicious site sources used to infest you via the best ad/threat blocker there is bar-none above... apk

  12. Registered /.ers review of the Win64 model by Anonymous Coward · · Score: 0

    Your software is just fine - well written, functional... I'm going to continue using the Host File Engine by mmell February 17, 2017

    Your premise that hostfiles are a good way to deal with advertising and malvertising is quite valid - by JazzLad April 20, 2016

    his hosts program is actually pretty good by xenotransplant August 10 2015

    his hosts tool is actually useful for those cases in which one does indeed want to locally block stuff outright while consuming minimum system resources by alexgieg September 25 2015

    I like your host file system by Karmashock September 09 2015

    that APK guy, I use his host file by rogoshen1 Tuesday March 03, 2015

    I personally use a HOSTS file blocker produced from a genius called APK by 110010001000 October 27 2017

    * Best part's Linux 64-bit model's faster/more efficient (2x the work in 1/2 the time)

    APK

    P.S.=> For a faster/safer/more reliable internet... apk

  13. See post parent to yours you replied to troll by Anonymous Coward · · Score: 0

    See subject Mr. ADVERTISER/MalwareMaker/Inferior competitor: Registered /.ers disagree w/ you unidentifiable anonymous stalker of me!

    * Funny how those "downmods" only come the NEXT DAY when you via your MULTIPLE SOCKPUPPET alternate accounts you use to farm "downmodpoints" get more of them the next day (to NO avail - I simply repost eventually/inevitably RUNNING YOU DRY of them, lol - outthinking/outsmarting AND JUST PLAIN "OUTING" you as I have now).

    APK

    P.S.=> You're powerless vs. me - accept it & give up already, lol - but I certainly have POWER over YOU: FEAR! You fear to face me directly via your main sockpuppet account (as I've probably DUSTED you in tech debate beneath it & your other sockpuppets 1 by 1 over time)... apk

  14. Nothing "cures all"=what I say... apk by Anonymous Coward · · Score: 0

    Learn 2 read https://tech.slashdot.org/comm... twisted 2 "not effective on its own" by U unidentifiable anonymous lunatic liar (see subject & LMAO).

    100's of botnets & other threats I've shown hosts NULLIFY prove it!

    * I avoid DNS request logs is HOW dumbo hosts help anonymity (99% of the time approximately on 100 favorite sites I spend most time @ avoiding redirect poisoning & down DNS too + RESOLVE FASTER LOCALLY!) - a reverse DNS proxy might nullify that but rare.

    HOW DO I KNOW I WON (don't have to try, you defeat yourself for me, lol)?

    YOU TRIED "DOWNMOD HIDING" THIS VERY SAME POST https://tech.slashdot.org/comm...

    APK

    P.S.=> 2 minutes per day updates = SMALL PRICE TO PAY vs. INFECTION REMOVAL TIME (which I can't touch sources of so I don't go thru that) + gaining faster local resolution speed (vs. remote DNS slow roundtrip) & more speed ad & script blocking... apk

  15. No surprise, it's from MS by Anonymous Coward · · Score: 0

    Nelson contacted Microsoft, but the OS maker did not consider this a vulnerability in the OS.

    Thanks a lot, Microsoft.

  16. Re:Why Did BSD Die? by Anonymous Coward · · Score: 0

    Take a pill. Sheesh. You seem drunk or stoned or something. Definitely incoherent.

  17. Re:Why Did BSD Die? by Anonymous Coward · · Score: 0

    I went out to *BSD's grave on Decoration Day. The old forgotten cemetery is by the dark woods beyond the edge of town. There within olfactory distance of the municipal treatment plant you will find *BSD's final resting place.

    *BSD's tombstone was shrouded by thick mosses and knots of noxious ivy. I gently pulled aside the tangled twists of thorns, and cleaned the decaying marker the best I could. My melancholy thoughts pondered that this indeed was *BSD's figurative charnel house of which so many have plaintively spoken.

    Nothing is so pitiful as an untended grave, a loved one now forgotten. The short sad life of this doomed and fated OS makes us realize that there but for the grace of God go all of us.

    I planted some wilting marigolds which I had found discarded behind Bud's Garden Center. By some miracle perhaps they will take root and bring a modicum of cheer to BSD's God forsaken plot. My fervent hope is that the torpid colored boy who carelessly mows the cemetery doesn't slice them down, inadvertently mirroring *BSD's own doomed encounter with death's irresistible scythe.

    Funny how things work out. Linux, that brilliant novam stellam, now runs the Internet and the world's fastest computers, while *BSD lies moldering within its forgotten crypt. Let the barren silence of *BSD's tomb be a mute reminder that hubris and braggadocio were no defense on that woeful day when the Angel of Death's bleak umbra was cast upon *BSD.

  18. LOL! MOMMY HELP ME (golden wine)... apk by Anonymous Coward · · Score: 0

    Hohohohoho see the CLASSIC proof of that here soyboys as you DRINK the golden wine https://tech.slashdot.org/comm... straight from MY tap (of GOLDEN piss), all natural ingredients, naturally filtered (of ME pissing right into your shitbag mouths & funniest part is, you help me DO it - you LIKE it, lol!).

    Do you LIKE the taste? Obviously yes - just like folks like my hosts engine, anything I put out, even piss, is GOOD (unlike "your kind").

    Above all else though? Hey - MOMMY LOVES YOU!

    APK

    P.S.=> Hahahahaha (I think this is the BEST overall letting you SHEMALE soyboys destroy yourselves for GOLD (ask SuckerBERG about that - he's the expert as is all his kind are - heading into ZylonB & Furnace time again judging by what's happening - the PRICE of it is that, always, they don't learn)... apk

  19. u FEAR ME hiding behind ac posts by Anonymous Coward · · Score: 0

    Obviously U FEAR me hiding by UNIDENTIFIABLE anonymous you HARASS me w/ FAILING hosts vs. whitelist https://news.slashdot.org/comm...

    You STALK ME by UNIDENTIFIABLE anonymous & LOSE vs. me EVERYTIME (see link above).

    What GIVES AWAY you know you lost? 2 things:

    HIDING my parent post (came RIGHT after link above & you "downmod hid it" - but unlike MOST ac's I have NO POST LIMIT & RUN YOU DRY of your limited # of "downmodpoints" you ABUSE & I repost).

    You give it away MORE you got NUKED by me as you do FLURRIES of posts to try "forums slide" BURY you got your ass kicked - you must be sadomasochists! APK

    P.S.=> & MULTIPLE personalities? YOU losers do SOCKPUPPETS galore OR FAKE NAMES for your FAKE LIES of WASTED lives - proof?? Look @ Zontar's "TrollingForHostsFiles" https://slashdot.org/comments.... to HARASS & STALK me (I dusted him in BOTH guises FAKE NAME & sockpuppet)... apk

  20. Dear "help me mommy" SoyBoy, lol... apk by Anonymous Coward · · Score: 0

    See subject & my ps (classic, lol): There's REALITY https://yro.slashdot.org/comme... that works vs. SOYboy addled by estrogen mimickers in SOYMilk (lol, that you're addicted to) "Phantasy" - lol!

    I see your estrogen is LOW - lol, don't worry: Make SURE you put your soymilk in bisphenol A plastic containers (You'll get a "good dose" then - you need it (Cravings to be a woman, you sure act like one you do-nothing "ne'er-do-well", lol)).

    Eventually, you'll get SO bad you'll inject it like Bruce Willis in LOOPER (you are 'loopy' lol) from Year 6 -> Year 23 (LMAO).

    * RoTfLmAo... you want to get rid of me/kill me? For once you're doing a GOOD job making me laugh myself to death!

    Ah, it's good to see I've BLOWN you away w/ truth & fact & YOU ARE OUT OF DOWNMODPOINTS evidently (your kind? Can't EVER win vs. guys like me - accept it - your destiny in this LIFE was to be the LOSER almost WOMAN you are, lol).

    APK

    P.S.=> Hahahahaha "HELP ME MOMMY" lmao (apk's outsmarted us AGAIN & ran us DRY of our ABUSED "downmodpoints" lol) https://tech.slashdot.org/comm... ... apk