Windows Ransomware Protection Can Be Hacked Easily

Microsoft has recenty added a feature, known as Controlled Folder Access. The feature has been used in order to stop modifications of files that are residing in protected folders that cannot be accessed by unknown programs. Unfortunately that feature has been bypassed by a simple registry value created y the researchers Soya Aoyama a security specialist at Fujitsu System Integration Laboratories Ltd.

Related: Windows 10 Anniversary Update With Ransomware Protection

How the Bypass of Controlled Folder Access Happens

The researcher has demonstrated an attack via a malicious DLL injections into Windows Explorer. Since Explorer is in the trusted services of Windows, when the DLL is injected in it, it will run a a script that bypasses the feature for ransomware protection of Windows.

This can be achieved by attacking Windows “where it hurts most” – the Windows Registry Editor. When started, th DLLs are loaded under a random sub-key, located in the following sub-key:

→ HKEY_CLASSES_ROOT*shellexContextMenuHandlers

This leads to several different outcomes, he main of which are the registry key that is created replicates itself to HKEY_LOCAL_MACHINE and HKEY_CLASSES_ROOT trees. When Windows Explorer is executed, it begins to load Shell.dll from the following registry sub-key:

→ HKEY_LOCAL_MACHINESOFTWAREClassesCLSID{90AA3A4E-1CBA-4233-B8BB-535773D48449}InProcServer32

Shortly after this happens, the malicious DLL is loaded into explorer.exe and the researcher simply set the default value of the DLL to 0.

What follows is that Windows Explorer (explorer.exe) is shut down and restarted with the malicious DLL being executed in it. This results in the complete bypassing of the Controlled Folder Access feature.

Not only the DLL did bypass Windows Defender, but it also bypassed big antivirus products, like:

  • Avast.
  • ESET.
  • Malwarebytes Premium.
  • McAfee.

So the bottom line is that the researcher took advantage of the applications that have permissions over the Controlled Folder Access feature and (Read more...)

*** This is a Security Bloggers Network syndicated blog from How to, Technology and PC Security Forum | authored by Vencislav Krustev. Read the original post at: