Someone trying out Windows 8 release preview brought her machine to me to look at. She was having trouble with an email attachment. The email was in fact carrying a virus, one that purported to be from booking.com though it had nothing to do with that company. The supposed booking is in an attached zip file which the victim is invited to open. My contact had opened the zip and attempted to run the contents, a windows executable. She could not remember exactly what happened but said that a dialog had appeared and she clicked OK.
Clicking OK is normally the wrong thing to do with a virus but not in this case. I had a look at the virus and uploaded it to Comodo’s online virus analyser.
This detected API calls that copy a file to the All Users folder and sets it to autorun. Comodo pronounced the executable “Suspicious+”.
But did it run? I tried it on an isolated virtual instance of Windows 8 Release Preview. Running the executable throws up this dialog:
If you click OK nothing happens. If you click More Info, it says that SmartScreen does not recognise the file and offers a Run Anyway option. However the user in this case did not click More info, but instinctively clicked OK, therefore not running the virus.
As a final experiment, I tried running the virus on the isolated machine. It deleted itself but did not seem to succeed in infecting the machine. It is hard to be sure though, so the virtual machine has now been deleted.
Windows 8 did not detect the file as a virus. SmartScreen merely did not recognise the file. It would do the same for any unrecognised file, and I have seen this dialog appear for files that I do want to run.
Even when I ran the file, Windows Defender did not (as far as I can tell) detect the virus. The test machine was offline (for isolation) but fully up to date.
What interests me most is how SmartScreen interacts with the social engineering behind the malware. The user actually wanted to run the file, being convinced that it was genuine, but clicking OK simply did nothing. This behaviour is annoying if the application is not in fact malware, but clearly it can on occasion save the day.