Thursday , 21 June 2018
Home >> O >> Operating Systems >> Cybercrime group abuses Windows app compatibility feature

Cybercrime group abuses Windows app compatibility feature

When Microsoft made it possible for enterprises to quickly resolve incompatibilities between their applications and new Windows versions, it didn’t intend to help malware authors as well. Yet, this feature is now abused by cybercriminals for stealthy and persistent malware infections.

The Windows Application Compatibility Infrastructure allows companies and application developers to create patches, known as shims. These consist of libraries that sit between applications and the OS and rewrite API calls and other attributes so that those programs can run well on newer versions of Windows.

Shims are temporary fixes that can make older programs work even if Microsoft changes how Windows does certain things under the hood. They can be deployed to computers through Group Policy and are loaded when the target applications start.

Shims are described in special database files called SDBs that get registered on the OS and tell Windows when they should be executed. Security researchers have warned that this functionality can be abused to inject malicious code into other processes and achieve persistence, and it seems the attackers were listening.

close
==[ Click Here 1X ] [ Close ]==