Tricky Symlink Race Malware Hits Dozens Of Antivirus Programs, Only Some Are Patched

Security researchers have discovered a way to thwart almost every antivirus program using a "unique but simple method" involving directory junctions and symlinks. Antivirus software that falls prey to this kind of attack essentially attacks itself by deleting files critical to its own operation, leaving users vulnerable.

According to the researchers, this method works because of a fundamental flaw in how antivirus software performs real-time scans of unknown files: almost all of it runs in a privileged state, the highest level of authority on an operating system, so every file operation it performs carries that authority.

"What most antivirus software fails to take into consideration is the small window of time between the initial file scan that detects the malicious file and the cleanup operation that takes place immediately after," RACK911 explains in a blog post.

"A malicious local user or malware author is often able to perform a race condition via a directory junction (Windows) or a symlink (Linux & macOS) that leverages the privileged file operations to disable the antivirus software or interfere with the operating system to render it useless, etc," RACK911 continues.

A directory junction exists only on Windows and can only link two directories together; it cannot link individual files, and both directories must be on the local file system. Any user can create a directory junction without admin privileges. Likewise, a symlink (or symbolic link) is just a pointer to another file or directory, and an unprivileged user can create one on Linux and macOS.

What the researchers essentially discovered is that they can redirect the path of a malicious file to a clean file. When an antivirus program scans a file and determines it's malicious, there is a short window before the cleanup step in which the malicious file's location can be swapped (via a junction or symlink) for the clean one. The antivirus program then deletes the clean file instead of the malicious one.

It's sort of like a bait-and-switch, or a sleight of hand, if you will. Dr. Vesselin Bontchev, a member of the National Laboratory of Computer Virology at the Bulgarian Academy of Sciences, told ZDNet that the vulnerability outlined is called a "symlink race" and that it has been around for a long time.
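The race is a classic time-of-check/time-of-use gap, and the defensive fix is to make the privileged cleanup step refuse to follow links and confirm it is still acting on the exact object it scanned. The Python below is an added illustration, not RACK911's proof of concept or any vendor's code; it is POSIX-only, and the directory names, file names and helper functions are constructed for the example. It shows a directory swapped for a symlink being caught by the identity check, while a naive os.remove follows the link and destroys the clean file.

```python
import os
import stat
import tempfile

NOFOLLOW = os.O_RDONLY | os.O_NOFOLLOW

def record_identity(path):
    """Scan time: open the file itself (O_NOFOLLOW rejects a symlink) and keep (dev, inode)."""
    fd = os.open(path, NOFOLLOW)
    st = os.fstat(fd)
    os.close(fd)
    return (st.st_dev, st.st_ino)

def safe_remove(path, identity):
    """Cleanup time: pin the parent directory by descriptor, re-check the entry relative
    to it, then unlink. Returns True only if the scanned file itself was removed.
    O_NOFOLLOW covers the final path component only; a hardened version would also
    walk every intermediate component with dir_fd (assumed out of scope here)."""
    parent, name = os.path.split(os.path.abspath(path))
    try:
        dirfd = os.open(parent, NOFOLLOW | os.O_DIRECTORY)  # ELOOP if swapped for a link
    except OSError:
        return False
    try:
        st = os.stat(name, dir_fd=dirfd, follow_symlinks=False)
        if stat.S_ISLNK(st.st_mode) or (st.st_dev, st.st_ino) != identity:
            return False  # entry replaced or redirected since the scan
        os.unlink(name, dir_fd=dirfd)
        return True
    except OSError:
        return False
    finally:
        os.close(dirfd)

def demo():
    """Constructed scenario: 'quarantine' holds the detected file, 'clean' a file to protect."""
    root = tempfile.mkdtemp()
    qdir, cdir = os.path.join(root, "quarantine"), os.path.join(root, "clean")
    for d in (qdir, cdir): os.mkdir(d)
    bad, good = os.path.join(qdir, "payload.bin"), os.path.join(cdir, "payload.bin")
    for p in (bad, good): open(p, "w").close()
    ident = record_identity(bad)
    os.rename(qdir, qdir + ".moved")  # the race: the directory becomes a link
    os.symlink(cdir, qdir)
    checked = safe_remove(bad, ident)            # False: parent is now a link
    clean_after_checked = os.path.exists(good)   # True: clean file untouched
    os.remove(bad)                               # naive cleanup follows the link...
    clean_after_naive = os.path.exists(good)     # False: ...and deletes the clean file
    os.remove(qdir)
    os.rename(qdir + ".moved", qdir)
    honest = safe_remove(bad, ident)             # True: no race, scanned file removed
    return checked, clean_after_checked, clean_after_naive, honest
```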

Security researchers at RACK911 developed proofs of concept to show the trickery in action on both Windows and macOS. Here it is on Windows...

And here it is on macOS...

"Make no mistake about it, exploiting these flaws was pretty trivial and seasoned malware authors will have no problem weaponizing the tactics outlined in this blog post. The hardest part will be figuring out when to perform the directory junction or symlink as timing is everything; one second too early or one second too late and the exploit will not work," RACK911 says.

So, is your antivirus program affected? Probably not, but maybe. How's that for a vague answer? Here's the problem: the security researchers listed dozens of antivirus products that this trick worked on, including Avast, Avira, BitDefender, Comodo, ESET, F-Secure, Kaspersky, Malwarebytes, McAfee, Norton, Panda, Sophos, Webroot, and others.

Since going public with its findings, the company says "almost every antivirus vendor" listed in its blog post has patched against this type of attack, "with the exception of a few."

RACK911 reckons the unpatched ones will be fixed soon as well, but did not say which specific programs are still affected. Some antivirus vendors have announced related patches, though, including AVG, F-Secure, McAfee, and Symantec.

Bottom line is this—make sure to keep your antivirus software fully updated.