Directory Junctions & Symlinks
RACK911 Labs’ method uses directory junctions (Windows) and symlinks (macOS and Linux) to turn almost every antivirus product into a self-destructive tool. A directory junction can only link two directories together; it cannot link files, and both directories must be on the local file system. Creating a directory junction does not require administrator privileges, which widens the attack surface, since any unprivileged user can create one. A symlink is basically a file that points to another file. It is more commonly used on Linux and macOS, where any unprivileged user can create one.
RACK911 Labs claims that, during testing across Windows, macOS, and Linux, they were able to delete important files belonging to the antivirus software, rendering it ineffective, and even delete key operating system files, causing corruption severe enough to require a full reinstall of the OS. The company also stated that it focused primarily on self-destructive behavior with these exploits. According to the statement, the hardest part is figuring out when to perform the directory junction or symlink swap, as timing is everything: one second too early or one second too late and the exploit will not work. RACK911 also posted a list of the affected software, which includes most antivirus products.
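The root cause described above is a time-of-check/time-of-use race: a privileged process decides on a path string, and by the time it deletes, the directory in that path has been swapped for a link pointing somewhere it should never write. The added example below (written for this page, not RACK911's code or any vendor's engine; POSIX only, Linux or macOS) contrasts a naive path-string deletion with a hardened version that anchors to a directory handle opened with O_NOFOLLOW and then unlinks relative to that handle, so a swap after the handle is taken has no effect. The temp-directory layout, the file name `engine.dat`, and the `race_hook` callback are constructed for the demonstration.

```python
import os
import shutil
import tempfile


def open_dir_nofollow(path):
    """Open every component of `path` with O_NOFOLLOW so that a symlink anywhere
    in the chain is refused (ELOOP) rather than silently followed. Returns a
    file descriptor anchored to the real directory inode."""
    parts = [p for p in os.path.normpath(path).split(os.sep) if p]
    fd = os.open(os.sep if os.path.isabs(path) else ".",
                 os.O_RDONLY | os.O_DIRECTORY)
    try:
        for part in parts:
            nfd = os.open(part, os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW,
                          dir_fd=fd)
            os.close(fd)
            fd = nfd
    except Exception:
        os.close(fd)
        raise
    return fd


def naive_remove(dir_path, name, race_hook=None):
    """Vulnerable pattern: the verdict is tied to a path string, and the delete
    re-resolves that string. Anything swapped into the path during the window
    (here simulated by race_hook) is followed by os.remove."""
    target = os.path.join(dir_path, name)
    if race_hook:
        race_hook()          # stands in for the gap between detection and deletion
    os.remove(target)        # intermediate symlink components are followed here


def safe_remove(dir_path, name, race_hook=None):
    """Hardened pattern: take a handle on the directory before the window, then
    unlink relative to the handle. A later rename/symlink swap of the path
    cannot redirect the operation, because the fd refers to the original inode."""
    dfd = open_dir_nofollow(dir_path)
    try:
        if race_hook:
            race_hook()
        os.unlink(name, dir_fd=dfd)   # only the entry inside the held directory
    finally:
        os.close(dfd)


def simulate(remover):
    """Run one remover inside a constructed layout and report
    (protected_file_survived, staged_file_removed)."""
    # realpath strips pre-existing symlinks such as macOS's /tmp -> /private/tmp,
    # which are outside the attacker's control and would otherwise trip O_NOFOLLOW.
    root = os.path.realpath(tempfile.mkdtemp())
    staged = os.path.join(root, "staged")        # directory an unprivileged user owns
    protected = os.path.join(root, "protected")  # stands in for a privileged directory
    os.mkdir(staged)
    os.mkdir(protected)
    name = "engine.dat"                          # constructed: same name in both dirs
    open(os.path.join(staged, name), "w").close()
    open(os.path.join(protected, name), "w").close()

    def swap():
        # The race window: the staged directory is renamed away and a symlink
        # with the original name now points at the protected directory.
        os.rename(staged, staged + ".moved")
        os.symlink(protected, staged)

    try:
        remover(staged, name, race_hook=swap)
    except OSError:
        pass  # a refused operation counts as safe behaviour; results are checked below

    survived = os.path.exists(os.path.join(protected, name))
    staged_removed = not os.path.exists(os.path.join(staged + ".moved", name))
    shutil.rmtree(root)
    return survived, staged_removed


if __name__ == "__main__":
    print("naive:", simulate(naive_remove))   # protected file deleted, staged file left
    print("safe: ", simulate(safe_remove))    # protected file intact, staged file removed
```

The naive run deletes the protected file and leaves the staged one behind, which is exactly the self-destructive outcome the article describes; the hardened run removes only the staged entry. The same principle applies on Windows, where the directory handle should be opened without traversing reparse points (the mechanism junctions are built on) rather than re-resolving a path string at deletion time.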