Slashdot Mirror


New 'Illusion Gap' Attack Bypasses Windows Defender Scans (bleepingcomputer.com)

An anonymous reader writes: Security researchers have discovered a new technique that allows malware to bypass Windows Defender, the standard security software that comes included with all Windows operating systems. The technique -- nicknamed Illusion Gap -- relies on a mixture of both social engineering and the use of a rogue SMB server.

The attack exploits a design choice in how Windows Defender scans files stored on an SMB share before execution. For Illusion Gap to work, the attacker must convince a user to execute a file hosted on a malicious SMB server under his control. This is not as complex as it sounds, as a simple shortcut file is all that's needed.

The problems occur after the user double-clicks this malicious file. By default, Windows will request from the SMB server a copy of the file for the task of creating the process that executes the file, while Windows Defender will request a copy of the file in order to scan it. SMB servers can distinguish between these two requests, and this is a problem because an attacker can configure their malicious SMB server to respond with two different files. The attacker can send a malicious file to the Windows PE Loader, and a benign file to Windows Defender. After Windows Defender scans the clean file and gives the go-ahead, Windows PE Loader will execute the malicious file without Windows Defender realizing they're two different things. Microsoft declined to patch the bug, considering it a "feature request."
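The gap described above is a double-fetch problem: the scanner and the loader each ask the share for the file, so a server that can tell the two requests apart can answer them differently. The following Python is an added illustration, not code from the article or from the researchers; it models the two reads with a constructed in-process source, shows the per-consumer fetch going wrong, and then shows two defensive patterns (fetch once and pass the same buffer on, or pin a digest of what the scanner approved). The class and function names, the sample payloads and the toy signature check are all assumptions made for the example.

```python
import hashlib

# Constructed sample payloads (not real files). The scanner is shown the
# first; the loader would receive the second if the reads are served separately.
BENIGN = b"MZ...hello world..."
MALICIOUS = b"MZ...EVIL..."


class TwoFacedSource:
    """Stand-in for a file source that can tell the scanner's read apart from
    the loader's read and answer each differently, the behaviour the summary
    attributes to the rogue SMB server. Constructed for illustration only."""

    def __init__(self, for_scanner, for_loader):
        self.for_scanner = for_scanner
        self.for_loader = for_loader
        self.reads = 0  # how many times the source was asked for the file

    def read(self, requester):
        self.reads += 1
        return self.for_scanner if requester == "scanner" else self.for_loader


def scanner_allows(data):
    """Toy signature check standing in for the AV engine (assumption)."""
    return b"EVIL" not in data


def _outcome(image):
    # Simulated 'execution': report which payload reached the loader.
    return "ran-malicious" if b"EVIL" in image else "ran-benign"


def double_fetch_open(source):
    """Vulnerable pattern: scanner and loader each fetch their own copy,
    so the scanner's verdict says nothing about what the loader gets."""
    if not scanner_allows(source.read("scanner")):
        return "blocked"
    return _outcome(source.read("loader"))


def single_fetch_open(source):
    """Hardened pattern: fetch once, scan that buffer, load the same buffer."""
    image = source.read("loader")
    if not scanner_allows(image):
        return "blocked"
    return _outcome(image)


def hash_pinned_open(source):
    """Alternative when scanner and loader must read separately: the scanner
    pins a SHA-256 of the bytes it approved and the loader refuses any image
    whose digest differs from the pinned one."""
    scanned = source.read("scanner")
    if not scanner_allows(scanned):
        return "blocked"
    approved = hashlib.sha256(scanned).hexdigest()
    image = source.read("loader")
    if hashlib.sha256(image).hexdigest() != approved:
        return "blocked-mismatch"
    return _outcome(image)


if __name__ == "__main__":
    for name, opener in [("double fetch", double_fetch_open),
                         ("single fetch", single_fetch_open),
                         ("hash pinned", hash_pinned_open)]:
        src = TwoFacedSource(BENIGN, MALICIOUS)
        print(f"{name:12s} -> {opener(src)} ({src.reads} read(s))")
```

The digest check only helps if the loader really consumes one complete image; a loader that maps pieces of the file on demand would have to compare at the mapped-image level instead, which is the part of the design the summary says is not hooked.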

5 of 74 comments

  1. Wastes bandwidth too... by green1 · Score: 4, Insightful

    Why send a file once when you can send it twice instead?

    1. Re:Wastes bandwidth too... by michelcolman · Score: 4, Insightful

      That doesn't make any sense. The system should just download the file, give it to Windows Defender, wait for its reply, and then execute the file if it's OK. Or, if you can't trust the non-defender part of the system, ask Defender to download the file, then let Defender hand it over to the system to execute. No matter how you do it, a single download is faster AND more secure.

      Why download a file twice? Bandwidth is too cheap nowadays, I suppose?

    2. Re:Wastes bandwidth too... by tlhIngan · Score: 4, Insightful

      > That doesn't make any sense. The system should just download the file, give it to Windows Defender, wait for its reply, and then execute the file if it's OK. Or, if you can't trust the non-defender part of the system, ask Defender to download the file, then let Defender hand it over to the system to execute. No matter how you do it, a single download is faster AND more secure.
      >
      > Why download a file twice? Bandwidth is too cheap nowadays, I suppose?

      Your way makes perfect sense... if you believe a security product is integrated into the OS itself.

      However, Microsoft is under different rules, and Windows Defender must be disable-able in case the user decides they want to use a different security software product. Otherwise imagine the hell Kaspersky, Symantec, etc. will raise. Heck, Windows 10 updates that disable those products until updated already spurred lawsuits.

      So Windows Defender must be able to act like any other program would, and in this case, when you want to open a file, the kernel hook fires and Windows Defender scans the file first before letting Windows open the file.

      About the only way around this would be to have the PE Loader be hookable so Windows Defender and other software can scan the file image after loading into memory but prior to execution. Assuming that's possible, given how the PE Loader might not actually read the entire file at once into memory, but instead just skip about when reading. In this case perhaps the hook might be near the very end before it jumps.

  2. Feature Request by Anonymous Coward · Score: 0, Insightful

    Good to see that MS is patriotically working with the US government to implement NSA requests

  3. Windows Defender has a bug because... by zifn4b · Score: 4, Insightful

    > For Illusion Gap to work, the attacker must convince a user to execute a file hosted on a malicious SMB server under his control.

    Ticket Description: Windows Defender is vulnerable to human stupidity
    Acceptance Criteria: Show that humans are no longer stupid
    Priority: High

    Chop chop developers!

    --
    We'll make great pets