We at Phrozen Software recently came across two different ways of exploiting Microsoft Windows Shortcuts.
One of them was already known and used by some hackers in their phishing campaigns. The second was recently discovered by our Security Researcher. We wrote two articles about the subject (see here and here) and these were received very positively in the IT-world and were circulated widely on social media networks, especially Twitter.
Immediately after the release of our articles, we saw a significant increase in the use and spread of malicious applications that were exploiting Microsoft Windows Shortcuts.
Since we suspect that Microsoft will not apply a fix to this weakness in design in the near future, we have decided to create an application ourselves to detect and remove these malicious shortcuts.
Basically, this application works as a regular Antivirus Scanner: it will scan available attached storage Medias (Fixed Hard Drives and Removable Hard Drives) and lists all existing shortcuts.
For each and every shortcut our application will determine whether or not the shortcut is:
A shortcut is considered 'Broken' if the target application or target folder points to a non-existing location. A broken shortcut is not something we could consider harmful but worth to be removed since the shortcut itself become useless.
A shortcut is considered 'Suspicious' when it contain arguments.
Most shortcut with arguments could be completely legit, but you should consider taking a look and validate whether or not the shortcut is not calling suspicious applications or parameters. Be careful then when removing them after the scan.
Finally a shortcut is considered 'Dangerous' when multiple flags are triggered.
You should seriously consider removing shortcut flagged as dangerous. The more flags are triggered during the scan, the more dangerous the shortcut could be.
This method detected 100% of Malicious Shortcuts we used to test the application. It also was totally effective against recent malware and phishing campaigns.
(!) In a possible future version of this application we might add a pro-active protection to detect shortcuts when they are created and extracted from an archive. If you wish to see this feature added let us know, it will depend our workload and how many users this program will attract.