this post was submitted on 25 Aug 2024
98 points (97.1% liked)

Piracy: ꜱᴀɪʟ ᴛʜᴇ ʜɪɢʜ ꜱᴇᴀꜱ

54476 readers
286 users here now

⚓ Dedicated to the discussion of digital piracy, including ethical problems and legal advancements.

Rules • Full Version

1. Posts must be related to the discussion of digital piracy

2. Don't request invites, trade, sell, or self-promote

3. Don't request or link to specific pirated titles, including DMs

4. Don't submit low-quality posts, be entitled, or harass others



Loot, Pillage, & Plunder

📜 c/Piracy Wiki (Community Edition):


💰 Please help cover server costs.

Ko-Fi Liberapay
Ko-fi Liberapay

founded 1 year ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
[–] [email protected] 0 points 2 months ago* (last edited 2 months ago)

It depends on the attack vector. Typically you're right, but malicious .lnk files are often paired with other malicious methods to infect machines. Sometimes they're configured as a worm that copies and spreads when a flash drive is connected, sometimes they're configured to download a remote payload when another script or program is started. The problem is that it's a type of file that's often overlooked because it seems innocent.

It isn't necessarily the case that the Trojan needs to be interacted with by the user in order to execute the malicious code. Just having the file on your machine opens the door for all kinds of attacks (especially if you're using a headless setup: you wouldn't necessarily know you have the .lnk file in the system unless you're manually unpacking your downloads yourself). All it needs is for another piece of infected code to run and look for that file, and it can open the door for more traditional malicious code.


Edit: just as a for-instance - If I was a black hat and wanted to spread some malicious code, I could include this .lnk file in a torrent (innocuous enough to slip by unnoticed by most people/unscrupulous pirates), and then maybe place a line of code in a jellyfin plugin or script that looks for that file and executes it if it's found. Because the attack isn't buried in the plugin or script itself (most people wouldn't think much of a line of code that's simply pointing to temp file already on your system), it could theoretically go unnoticed for long enough to catch a few hundred or thousand machines.