Beyond good ol’ Run key, Part 9

Using Jumplists as an autostart mechanism is possible, but requires users to actually use this feature for this persistence trick to be successful. There is obviously a better way of persuading users to execute stuff and that is by manipulating the pinned applications themselves.

Microsoft doesn’t document the interface used by the Pinned Apps, but others do. Microsoft does this on purpose – pretty much any exposed element of the GUI has been abused in the past in many ways, so protecting the taskbar and pinned apps is definitely in the user’s best interest. Still, there are already documented ways to modify the Pinned Apps list – one can use a script published by Microsoft itself on the MSDN blog back in 2009; there also seems to be a way of modifying the list of pinned apps during the DASH process by modifying the entries under the following key:

  • HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\TBDEn

To test the idea, I wrote a small test app that ‘talks’ to Pinned Apps directly and swaps the pinned app’s target executable path to one that is potentially malicious. The program enumerates the pinned apps, checks if the link points to Internet Explorer and then replaces the pinned app with one that points to c:\test\malware.exe. The ‘malware.exe’ is actually a copy of ‘iexplore.exe’ (I was too lazy to create my own test app with an icon identical to Internet Explorer’s).

The path change can be confirmed by checking the properties of the first pinned application on the Taskbar:

[Image: piniedown2 (properties dialog of the first pinned application)]

The lists of links for all pinned apps before and after the modification are shown below (pinenum.exe is a small tool that enumerates all pinned apps):

[Image: piniedown (pinenum.exe output before and after the modification)]

For obvious reasons, I won’t release the code publicly.

If you want the pinenum.exe tool go to this post.
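As an added example (this is not the author’s test app or pinenum.exe), the following PowerShell script does the defensive half of the job: it enumerates the per-user pinned Taskbar shortcuts through the WScript.Shell COM object and flags the kind of target swap described above. The pin folder is the standard User Pinned\TaskBar location under %APPDATA%; the list of “trusted roots” (Program Files and the Windows directory) and the flag names are this example’s own heuristic, not anything the post specifies.

```powershell
# Added example (not the author's test app or pinenum.exe): audit pinned Taskbar shortcuts.
# Assumptions: standard per-user pin folder; "trusted roots" is this example's own heuristic.
function Get-PinnedTaskbarAudit {
    $pinDir = Join-Path $env:APPDATA 'Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar'
    $trustedRoots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}, $env:SystemRoot) |
                    Where-Object { $_ }   # drop the empty x86 entry on 32-bit Windows
    $shell = New-Object -ComObject WScript.Shell

    foreach ($lnkFile in Get-ChildItem -LiteralPath $pinDir -Filter '*.lnk' -ErrorAction Stop) {
        $lnk    = $shell.CreateShortcut($lnkFile.FullName)
        $target = [Environment]::ExpandEnvironmentVariables($lnk.TargetPath)
        $flags  = @()

        if (-not $target) {
            $flags += 'NoTarget'            # e.g. Store/UWP pins expose no file path
        } elseif (-not (Test-Path -LiteralPath $target)) {
            $flags += 'TargetMissing'
        } else {
            $trusted = $trustedRoots |
                       Where-Object { $target.StartsWith($_, [StringComparison]::OrdinalIgnoreCase) }
            if (-not $trusted) { $flags += 'OutsideTrustedRoots' }

            # A swapped target that is a renamed copy of a signed binary still validates,
            # so the signature status is reported alongside the path check, not instead of it.
            $sig = Get-AuthenticodeSignature -FilePath $target
            if ($sig.Status -ne 'Valid') { $flags += "Signature:$($sig.Status)" }
        }

        [PSCustomObject]@{
            Shortcut  = $lnkFile.Name
            Target    = $target
            Arguments = $lnk.Arguments
            Modified  = $lnkFile.LastWriteTime   # a pin that changed long after install is worth a look
            Flags     = $flags -join ','
        }
    }
}

Get-PinnedTaskbarAudit | Format-Table -AutoSize
```

Against the author’s test scenario the Internet Explorer pin would come back with Target = c:\test\malware.exe and the OutsideTrustedRoots flag, while the Authenticode check alone would say nothing, because a byte-for-byte copy of iexplore.exe keeps its embedded signature. That is why the script reports the target path and the shortcut’s LastWriteTime next to the signature status rather than relying on any one of them.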

Beyond good ol’ Run key, Part 8

The last two posts in the series covered autorun mechanisms that could be called a ‘side-effect’. Today a slightly different topic – one that relies on social engineering of users, and a very old concept of a companion virus. The idea described below is not a typical autostart mechanism and is actually a description of existing, legitimate functionality, but as long as users use jumplists frequently it may actually act quite successfully as a persistence mechanism. It may also be a secondary option for malware that an antivirus product or the user has removed from the typical autorun entries. Nothing new here, and it’s a topic covered by a lot of other blogs, but since I am trying to document all possible persistence mechanisms, it’s worth mentioning for completeness.

Jumplists, introduced in Windows 7, are used to organize recently opened files, favorite files, folders, and websites. They offer more options than shortcut files and this flexibility can be easily abused. I will show you one simple example of such abuse, done manually; there are a lot of other options of course, and they can obviously be automated using the exposed Jumplist interface.

To test it, you may want to download JumpList Editor – it’s a handy tool that allows one to edit Jumplists present on the system.

Here, I am using it to add a fake entry under Internet Explorer:

  • First, we select the existing entry for Internet Explorer:

[Image: win8_jumplist_1]

  • Now we add a Link entry:

[Image: win8_jumplist_2]

  • We can call it e.g. “My Bank Web Site”; in a real-world scenario, malware could re-use an existing entry and replace it (hence the companion virus reference)

[Image: win8_jumplist_3]

  • Once we click Save, we can observe the entry added to the Internet Explorer Jumplist

[Image: win8_jumplist_4]

  • Clicking the icon launches the Calculator

[Image: win8_jumplist_5]

There are other interesting options out there. For example, one can add a Multiple Link – this will create a link that launches two applications at the same time. Therefore, one could swap an existing link to an application for a Multiple Link that launches both of them simultaneously.

[Image: win8_jumplist_6]

Despite looking like a link to Notepad, ‘Double Trouble’ launches both preprogrammed applications at the same time when clicked: Notepad and Calculator. Quite a nice way to hide in plain sight.

[Image: win8_jumplist_7]

It’s easy to notice that the links we have added are all located under the ‘Tasks’ entries; this may not be ideal and a savvy user may notice something ‘funny’, but how many people really pay attention to such small details? Besides, this is the only option the JumpList Editor offers for easy manipulation. In reality, pretty much any aspect of the Jumplists can be abused – either by using documented APIs, or by manually modifying the actual Jumplist or Shortcut LNK files. One could replace legitimate tasks like ‘Start InPrivate Browsing’, ‘Open new Tab’, etc.
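The custom ‘Tasks’ category that the JumpList Editor writes ends up in the per-user CustomDestinations folder, while the recent/frequent items live in AutomaticDestinations, both under %APPDATA%\Microsoft\Windows\Recent. As an added example, not from the post or from the editor, this PowerShell function lists every destination file with its modification time and the number of embedded shell-link (LNK) structures it contains, so a defender can spot a jumplist that changed recently or gained an extra entry. It counts the standard 20-byte ShellLinkHeader prefix (header size 0x4C followed by the CLSID 00021401-0000-0000-C000-000000000046); the folder locations are the standard ones and the Days threshold is this example’s own assumption.

```powershell
# Added example (not the post's tool): summarise per-user Jumplist destination files.
# Every embedded shell link begins with the ShellLinkHeader: HeaderSize 0x4C and the
# CLSID 00021401-0000-0000-C000-000000000046, serialised little-endian as below.
$LnkHeaderSig = [byte[]](0x4C,0x00,0x00,0x00,
                         0x01,0x14,0x02,0x00, 0x00,0x00, 0x00,0x00,
                         0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46)

function Measure-ByteSequence {
    param([byte[]]$Data, [byte[]]$Pattern)
    $hits = 0
    for ($i = 0; $i -le $Data.Length - $Pattern.Length; $i++) {
        $j = 0
        while ($j -lt $Pattern.Length -and $Data[$i + $j] -eq $Pattern[$j]) { $j++ }
        if ($j -eq $Pattern.Length) { $hits++ }
    }
    return $hits
}

function Get-JumplistSummary {
    param([int]$Days = 7)   # assumption: "recent" means modified within the last week
    $recent = Join-Path $env:APPDATA 'Microsoft\Windows\Recent'
    $since  = (Get-Date).AddDays(-$Days)

    foreach ($sub in 'AutomaticDestinations', 'CustomDestinations') {
        $dir = Join-Path $recent $sub
        if (-not (Test-Path -LiteralPath $dir)) { continue }

        foreach ($file in Get-ChildItem -LiteralPath $dir -File) {
            try {
                $bytes = [IO.File]::ReadAllBytes($file.FullName)
                $links = Measure-ByteSequence -Data $bytes -Pattern $LnkHeaderSig
            } catch {
                $links = -1          # file locked or unreadable; still worth listing
            }
            [PSCustomObject]@{
                Category = $sub
                File     = $file.Name          # named after the AppID of the owning application
                Modified = $file.LastWriteTime
                Links    = $links
                Recent   = $file.LastWriteTime -ge $since
            }
        }
    }
}

Get-JumplistSummary -Days 7 | Sort-Object Modified -Descending | Format-Table -AutoSize
```

Running the summary before and after a change like the ‘Double Trouble’ edit above shows the affected application’s customDestinations-ms file move to the top of the list with its link count increased by one; comparing the counts against a baseline taken from a clean profile is a cheap way to notice a ‘Tasks’ entry nobody added on purpose.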