New attacks use Mark of the Web (MoTW) Windows security feature bypass zero-day to drop malware

Discussion in 'other security issues & news' started by guest, Nov 19, 2022.

  1. guest

    guest Guest

    By Lawrence Abrams @LawrenceAbrams - November 19, 2022
     
  2. xxJackxx

    xxJackxx Registered Member

    Joined:
    Oct 23, 2008
    Posts:
    8,645
    Location:
    USA
I find it entertaining that people will say UAC isn't a security feature but a MoTW tag is supposed to be? They are a complete joke. They are just an ADS tag that only exists on an NTFS partition. If a bad guy could find any other file system on your device and download to that then there would never be a tag to begin with. If they could script a removal of all of the tags (not too hard) that also makes them not matter. I think Microsoft weighs these too heavily.
     
  3. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    What I don't understand is why nobody is mentioning if these malware samples get blocked by Win Defender or not. This is all that matters, I don't really care about MS Smartscreen.
     
  4. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    WD cloud scanning is also dependent upon MotW. When a file is downloaded and if MotW is missing, no cloud scanning is performed. This leaves WD sig. protection as the only malware detection method. Therefore, the answer to your question is maybe. WD could detect the malware, but only if it has a sig. for it.
     
  5. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
OK, now this would make it a problem and another M$ blunder. Also, it's another reason to never rely solely on Win Defender.
     
  6. xxJackxx

    xxJackxx Registered Member

    Joined:
    Oct 23, 2008
    Posts:
    8,645
    Location:
    USA
    I am of the understanding that it does not block them, and a lot of my complaint is that they are more likely to block something based entirely on the MoTW tag than actually evaluating the file.
     
  7. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
If this was true, it would be dumb as hell. But that's why I also don't care about MS SmartScreen, it's simply a dumb whitelist that also flags less known but clean files.
     
  8. xxJackxx

    xxJackxx Registered Member

    Joined:
    Oct 23, 2008
    Posts:
    8,645
    Location:
    USA
    In many cases you can remove the mark and a file that was previously blocked will run.
     
  9. guest

    guest Guest

    BlueNoroff APT Hackers Using New Ways to Bypass Windows MotW Protection
    By Ravie Lakshmanan - December 27, 2022
    Kaspersky: BlueNoroff introduces new methods bypassing MoTW
     
  10. xxJackxx

    xxJackxx Registered Member

    Joined:
    Oct 23, 2008
    Posts:
    8,645
    Location:
    USA
    I hate to sound like a broken record but if there is ANY security software that gives a free pass to a file just because there is no MoTW then you need to replace that with any security product that doesn't care if the file is tagged or not. I am dumbfounded that this is even a thing. Any new unknown file written to the file system needs to be examined. Just hoping that SmartScreen will catch it if it is tagged is asking for it.
     
  11. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,066
    Location:
    Canada
    I think the MOTW bypass in the Kaspersky link refers to use of .iso and .vhd container file formats to elude MOTW. This is probably where users should not execute these container files, or they should block them outright. IOW, using additional security utilities beyond that of only AV and smartscreen is prudent.

    I'm guessing a tool such as OSArmor could help in blocking the techniques used in the Kaspersky writeup.
     
  12. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
Yes exactly, if a MoTW bypass will result in WD not scanning a file, then this should be reason enough to stop using WD. Besides WD's ridiculous "exclusion bypass" trick. BTW, this bug is similar to the latest Gatekeeper bypass on macOS, but I haven't got a clue if this will also bypass XProtect, which is the macOS built-in AV.

    https://www.wilderssecurity.com/thr...behind-gatekeeper-bypass.442956/#post-3122571
     
  13. guest

    guest Guest

    Windows and the "Mark of the Web" (MotW) security problem
    by guenni - January 9, 2023
     
  14. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    Perhaps I have overlooked it, but I do think it's weird that in these articles it's not clearly mentioned if this MotW bug will also cause WD to be bypassed automatically?
     
  15. xxJackxx

    xxJackxx Registered Member

    Joined:
    Oct 23, 2008
    Posts:
    8,645
    Location:
    USA
  16. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    Well, it is a pretty big bug if Win Defender relies on MotW in order to assess whether some file is malware or not, know what I mean? I personally don't care about MS Smartscreen though.
     
  17. xxJackxx

    xxJackxx Registered Member

    Joined:
    Oct 23, 2008
    Posts:
    8,645
    Location:
    USA
    If we are to consider it a bug, I would call it a bug with Defender (or any 3rd party software that does the same) rather than a MotW bug. Mostly it's just a bad design decision.
     
  18. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    That's exactly what I'm so confused about. Does this thing cause WD to be bypassed or not? According to Itman, WD will most likely not scan these files with the cloud. Which would be pretty ridiculous if it's true. But this stuff isn't clearly mentioned in any of these articles.
     
  19. xxJackxx

    xxJackxx Registered Member

    Joined:
    Oct 23, 2008
    Posts:
    8,645
    Location:
    USA
    WD would be making its own choice here. What they should be doing is working on a system where known good files are tagged to be excluded from future scans and everything else should be checked regardless of a MotW tag.
     
  20. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    I still use https://www.thewindowsclub.com/phrozen-ads-revealer-windows Ads Revealer/Remover.
    There is also a Context Menu version that makes detecting & removal of the streams a breeze.

     
  21. xxJackxx

    xxJackxx Registered Member

    Joined:
    Oct 23, 2008
    Posts:
    8,645
    Location:
    USA
    Looks like a handy tool. :thumb:

    Reading that page again reminds us the MotW tags only exist on local NTFS drives. FAT/FAT32/exFAT/network drives will never have them in the first place. Security vendors need to stop using them as an excuse.
     
  22. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
Couldn't agree on that more @xxJackxx - Appropriate assessment/conclusion.
     
  23. Azure Phoenix

    Azure Phoenix Registered Member

    Joined:
    Nov 22, 2014
    Posts:
    1,560
I don't mind that much if a security software uses MotW as a way to enhance their detection capabilities a little.

However, the key point is to enhance, and not simply rely exclusively on it for their much more in-depth detections.
     
  24. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
Yes exactly. But to be honest, in none of the articles was it mentioned that Win Defender will automatically be bypassed just because MoTW wasn't applied to the downloaded files. So I wonder just how serious this bug truly is.

    I mean, most people will ignore MS Smartscreen anyway if they really want to install some app. And I sure as hell never cared about the annoying MoTW security warning, that you get to see with some .exe files and most .js files, in fact I always turn this off.

    I believe ADS is not related to MoTW?
     
  25. xxJackxx

    xxJackxx Registered Member

    Joined:
    Oct 23, 2008
    Posts:
    8,645
    Location:
    USA
    MotW is ADS. It is why they only exist on NTFS.
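Several posts in this thread (xxJackxx's first post, the post on FAT/exFAT/network drives, and this last one) make the same point: the mark is just a Zone.Identifier alternate data stream, so it can only exist on NTFS and a file without it tells you nothing about where the file came from. The following PowerShell audit script is an added example, not code from the thread, any of its posters, or any of the linked articles. It walks a folder (the Downloads folder by default, an assumed choice), reports for each file whether a Zone.Identifier stream is present, which ZoneId and HostUrl it carries, and what file system the containing volume uses, so a defender can see which files would never have had a mark and which ones have lost it. It uses only built-in cmdlets (`Get-Item`/`Get-Content` with `-Stream`, available since PowerShell 3 on Windows) and the .NET `System.IO.DriveInfo` class; the function name `Get-MotwInfo` is the example's own.

```powershell
# Added audit example (not from the thread): list files under a folder and report
# whether each carries a Zone.Identifier stream (the Mark of the Web), what it
# says, and whether the volume could hold one at all (ADS needs NTFS/ReFS).
param(
    # Assumed default: the current user's Downloads folder.
    [string]$Path = (Join-Path $env:USERPROFILE 'Downloads')
)

function Get-MotwInfo {
    param([Parameter(Mandatory)][System.IO.FileInfo]$File)

    # Determine the file system of the volume holding the file. UNC paths are not
    # accepted by DriveInfo, so they are reported as 'non-local' (no ADS anyway).
    $fileSystem = 'non-local'
    try {
        $drive = New-Object System.IO.DriveInfo($File.Directory.Root.FullName)
        $fileSystem = $drive.DriveFormat
    } catch { }

    $result = [ordered]@{
        Name       = $File.Name
        FileSystem = $fileSystem
        HasMotw    = $false
        ZoneId     = $null      # 3 = Internet, 4 = Restricted sites (Windows URL zones)
        HostUrl    = $null      # download source recorded by the browser, if any
    }

    # Zone.Identifier is an alternate data stream; files without one simply make
    # Get-Item fail, which SilentlyContinue turns into $null.
    $stream = Get-Item -LiteralPath $File.FullName -Stream Zone.Identifier -ErrorAction SilentlyContinue
    if ($stream) {
        $result.HasMotw = $true
        $content = Get-Content -LiteralPath $File.FullName -Stream Zone.Identifier -ErrorAction SilentlyContinue
        foreach ($line in $content) {
            if ($line -match '^ZoneId=(\d+)')  { $result.ZoneId  = [int]$matches[1] }
            if ($line -match '^HostUrl=(.+)$') { $result.HostUrl = $matches[1] }
        }
    }
    [pscustomobject]$result
}

# Unmarked files are listed first: on an NTFS volume those are the ones that
# either never came through a browser or lost the mark (e.g. extracted from a
# container), which is exactly the case the thread argues must still be scanned.
Get-ChildItem -LiteralPath $Path -File -Recurse -ErrorAction SilentlyContinue |
    ForEach-Object { Get-MotwInfo -File $_ } |
    Sort-Object HasMotw, Name |
    Format-Table Name, FileSystem, HasMotw, ZoneId, HostUrl -AutoSize
```

Run it as `.\Get-MotwInfo.ps1` or `.\Get-MotwInfo.ps1 -Path D:\Incoming`. Any row showing `FileSystem` of FAT32, exFAT or `non-local` will always have `HasMotw` set to `$false`, which is the concrete version of the point made above: a missing mark on those volumes is the normal state, not a signal that the file is trusted, and a scanner that treats it as one is making the design choice the thread criticises.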
     