Malicious Symbolic Links: Part 1 The Concept
This is possible because a symbolic link (a Windows shortcut, i.e. a .lnk file) can launch the command line (cmd.exe) with no restriction on the parameters passed to it.
Figure 1 - The execution process of the symbolic link
The batch file executes without any problem and generates the VBS (Visual Basic Script) malware downloader, which finally delivers the malware to the compromised computer.
But let's take a closer look at the malicious symbolic link first.
Figure 2.1 - The properties of the symbolic link
Figure 2.2 - The properties of the symbolic link
%windir%\system32\cmd.exe /c copy note.txt.lnk %tmp%\poc.bat & start %tmp%\poc.bat & exit
The "Start in" field must be left empty so that the command line always starts in the directory from which the symbolic link is launched (figure 2.2); otherwise the file copy fails.
Figure 3 - Symbolic link opened with notepad++
In this simple proof of concept (figure 3) the malicious symbolic link only downloads a text file from vipersec. The one drawback is that malicious symbolic links generated on Windows 7 and later do not work on Windows XP, and vice versa.
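As an added example (not part of the original post and not the author's proof-of-concept code), the following Python script reads the StringData section of a .lnk file according to the MS-SHLLINK layout and flags the pattern described above from a detection standpoint: a target that is a command or script interpreter, arguments that copy the shortcut itself to a temp path and start it, an empty "Start in" field, and a disguising double extension such as note.txt.lnk. The sample bytes are constructed inside build_sample_lnk and carry only the header and string fields (no LinkTargetIDList or LinkInfo), so they are a parser fixture rather than a usable shortcut; the function names and the heuristics in assess_shortcut are my own assumptions, not anything from the post.

```python
"""Extract StringData fields from a Windows shortcut (.lnk) and flag shortcuts
that use an interpreter to stage and run a copy of themselves.
Offsets and flag bits follow the MS-SHLLINK specification."""
import re
import struct

# LinkFlags bits (MS-SHLLINK section 2.1.1), lowest byte only
HAS_LINK_TARGET_ID_LIST = 1 << 0
HAS_LINK_INFO = 1 << 1
HAS_NAME = 1 << 2
HAS_RELATIVE_PATH = 1 << 3
HAS_WORKING_DIR = 1 << 4
HAS_ARGUMENTS = 1 << 5
HAS_ICON_LOCATION = 1 << 6
IS_UNICODE = 1 << 7

HEADER_SIZE = 0x4C
# CLSID 00021401-0000-0000-C000-000000000046 as stored on disk (little-endian fields)
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")

STRING_FIELDS = (  # StringData structures appear in exactly this order
    (HAS_NAME, "name"),
    (HAS_RELATIVE_PATH, "relative_path"),
    (HAS_WORKING_DIR, "working_dir"),
    (HAS_ARGUMENTS, "arguments"),
    (HAS_ICON_LOCATION, "icon_location"),
)


def parse_lnk_strings(data: bytes) -> dict:
    """Return the StringData fields present in a .lnk file, keyed by name."""
    if (len(data) < HEADER_SIZE or struct.unpack_from("<I", data, 0)[0] != HEADER_SIZE
            or data[4:20] != LNK_CLSID):
        raise ValueError("not a Shell Link (.lnk) file")
    flags = struct.unpack_from("<I", data, 0x14)[0]
    pos = HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:       # skip IDListSize (2 bytes) + IDList
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:                 # LinkInfoSize includes itself
        pos += struct.unpack_from("<I", data, pos)[0]
    fields = {}
    for flag, name in STRING_FIELDS:
        if not flags & flag:
            continue
        count = struct.unpack_from("<H", data, pos)[0]   # CountCharacters
        pos += 2
        if flags & IS_UNICODE:
            fields[name] = data[pos:pos + 2 * count].decode("utf-16-le")
            pos += 2 * count
        else:
            fields[name] = data[pos:pos + count].decode("cp1252", errors="replace")
            pos += count
    return fields


# Hypothetical heuristic: interpreters that a disguised shortcut commonly points at
INTERPRETERS = re.compile(
    r"(?:^|\\)(cmd|powershell|wscript|cscript|mshta|rundll32)(?:\.exe)?\s*$", re.I)


def assess_shortcut(fields: dict, filename: str = "") -> list:
    """Return human-readable reasons a shortcut looks like a self-staging dropper."""
    reasons = []
    target = (fields.get("relative_path") or "").strip()
    args = fields.get("arguments") or ""
    if INTERPRETERS.search(target):
        reasons.append(f"target is a command/script interpreter: {target}")
    if re.search(r"\.lnk\b", args, re.I):
        reasons.append("arguments reference a .lnk file (shortcut copies itself)")
    if (re.search(r"\b(copy|start|del)\b", args, re.I)
            and re.search(r"%te?mp%|\\appdata\\", args, re.I)):
        reasons.append("arguments stage or launch a file under a temp/AppData path")
    if args and not fields.get("working_dir", "").strip():
        reasons.append("'Start in' is empty while arguments are present (weak signal)")
    if re.search(r"\.(txt|pdf|doc|jpg)\.lnk$", filename, re.I):
        reasons.append(f"double extension disguises the shortcut: {filename}")
    return reasons


def build_sample_lnk(relative_path: str, working_dir: str, arguments: str) -> bytes:
    """Constructed parser fixture: header plus StringData only. It carries no
    LinkTargetIDList or LinkInfo, so it is a test input, not a usable shortcut."""
    flags = HAS_RELATIVE_PATH | HAS_ARGUMENTS | IS_UNICODE
    if working_dir:
        flags |= HAS_WORKING_DIR
    header = struct.pack("<I16sI", HEADER_SIZE, LNK_CLSID, flags)
    header += bytes(HEADER_SIZE - len(header))   # remaining header fields zeroed

    def sd(s: str) -> bytes:  # CountCharacters followed by UTF-16LE text
        return struct.pack("<H", len(s)) + s.encode("utf-16-le")

    body = sd(relative_path) + (sd(working_dir) if working_dir else b"") + sd(arguments)
    return header + body


if __name__ == "__main__":
    # Constructed sample mirroring the shortcut properties shown in figure 2
    sample = build_sample_lnk(r"..\..\..\Windows\System32\cmd.exe", "",
                              r"/c copy note.txt.lnk %tmp%\poc.bat & start %tmp%\poc.bat & exit")
    for reason in assess_shortcut(parse_lnk_strings(sample), "note.txt.lnk"):
        print("-", reason)
```

Run it against a real .lnk with `parse_lnk_strings(open(path, "rb").read())`; the empty "Start in" check is deliberately reported as a weak signal, since many legitimate shortcuts also leave that field blank, whereas an interpreter target combined with arguments that reference a .lnk file is the combination worth alerting on.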
You can download the proof of concept to test it yourself if you wish. Make sure that you unzip the files first. There are two versions:
Windows 7, 8, 10: Windows7plus_poc.zip
MD5: e3576ba6f18eb51fa475d737f40a5a4c
Windows XP: WindowsXP_poc.zip
MD5: 9b9b52b1c67ea687978d8f15c3f21abb
Continue to the second part; feedback and comments are always welcome.