Windows Bind Link Attacks Can Hide Malware From EDR Tools
Security researchers at Bitdefender have demonstrated three attack techniques in which Windows’ bind links can be used to evade endpoint detection and response (EDR) products.
Bind links are a legitimate Windows feature implemented by bindflt.sys and used by Store apps, Windows Sandbox, and Windows containers. They are a kernel-level redirection mechanism creating a virtual path that transparently maps onto the real backing path.
However, if the bind link is altered so the backing path points to a file controlled by an attacker, then that file is accessed effectively invisibly. Under certain circumstances, this could lead to loading hidden malware while all the system sees is a visible link pointing at a known innocuous file.
For example, report the researchers, if the backing path is, “Pointed at a DLL, it becomes file-binding: a process loads an attacker’s file from a path it trusts.”
The security problem arises because defenses are heavily...
Copyright of this story solely belongs to securityweek.com. To see the full text click HERE