Slashdot Mirror


New 'Illusion Gap' Attack Bypasses Windows Defender Scans (bleepingcomputer.com)

An anonymous reader writes: Security researchers have discovered a new technique that allows malware to bypass Windows Defender, the standard security software that comes included with all Windows operating systems. The technique -- nicknamed Illusion Gap -- relies on a mixture of both social engineering and the use of a rogue SMB server.

The attack exploits a design choice in how Windows Defender scans files stored on an SMB share before execution. For Illusion Gap to work, the attacker must convince a user to execute a file hosted on a malicious SMB server under his control. This is not as complex as it sounds, as a simple shortcut file is all that's needed.

The problems occur after the user double-clicks this malicious file. By default, Windows will request from the SMB server a copy of the file for the task of creating the process that executes the file, while Windows Defender will request a copy of the file in order to scan it. SMB servers can distinguish between these two requests, and this is a problem because an attacker can configure their malicious SMB server to respond with two different files. The attacker can send a malicious file to the Windows PE Loader, and a benign file to Windows Defender. After Windows Defender scans the clean file and gives the go-ahead, Windows PE Loader will execute the malicious file without Windows Defender realizing they're two different things. Microsoft declined to patch the bug, considering it a "feature request."
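
The security-relevant point in the summary is a double fetch: the scanner and the loader each ask the server for the file separately, so whatever is scanned need not be what is executed. The following is an added illustration, not code from the article or from the researchers: a toy "share" that can tell the scanner's read apart from the loader's read, the naive two-fetch pipeline the article describes, and a hardened pipeline that scans exactly the bytes it runs. The class and function names, the `who` tag (standing in for whatever the rogue server keys on, which the summary does not specify) and the sample payloads are all constructed for this example.

```python
"""Double-fetch (scan-then-load) demo: naive vs. fetch-once pipelines.

Added example, not the article's or Microsoft's code. The share is a
simulation; 'scanner'/'loader' tags stand in for however a rogue SMB
server distinguishes the two requests, which the summary does not say.
"""
import hashlib

# Constructed sample contents; the signature is a toy AV rule.
BENIGN = b"MZ benign-demo-payload"
MALICIOUS = b"MZ malicious-demo-payload"
SIGNATURE = b"malicious"


class RogueShare:
    """Serves `real` to the loader and, if set, a `decoy` to the scanner.

    With no decoy it behaves like an honest server: everyone gets `real`.
    """

    def __init__(self, real, decoy=None):
        self.real = real
        self.decoy = decoy
        self.reads = []  # who asked, in order (for inspection)

    def read(self, who):
        self.reads.append(who)
        if who == "scanner" and self.decoy is not None:
            return self.decoy
        return self.real


def scan(data):
    """Toy scanner: clean unless the signature appears in the bytes."""
    return SIGNATURE not in data


def execute(data):
    """Stand-in for the PE loader: records a fingerprint of what would run."""
    return "ran:" + hashlib.sha256(data).hexdigest()[:16]


def run_naive(share):
    """Scanner and loader each fetch their own copy (the pattern described above)."""
    if not scan(share.read("scanner")):
        return "blocked"
    # Second, independent fetch: the server may answer differently.
    return execute(share.read("loader"))


def run_hardened(share):
    """Fetch once into a buffer; scan and execute the very same bytes."""
    data = share.read("loader")
    if not scan(data):
        return "blocked"
    return execute(data)
```

With a decoy configured, `run_naive` lets the malicious payload through while `run_hardened` blocks it, and the honest share is blocked by both; the hardened path also touches the server exactly once. The design choice this models is the one the thread debates below: whether the scanner can be handed the loader's buffer instead of re-reading the file itself.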

8 of 74 comments

  1. Wastes bandwidth too... by green1 · Score: 4, Insightful

    Why send a file once when you can send it twice instead?

    1. Re:Wastes bandwidth too... by michelcolman · Score: 4, Insightful

      That doesn't make any sense. The system should just download the file, give it to Windows Defender, wait for its reply, and then execute the file if it's OK. Or, if you can't trust the non-defender part of the system, ask Defender to download the file, then let Defender hand it over to the system to execute. No matter how you do it, a single download is faster AND more secure.

      Why download a file twice? Bandwidth is too cheap nowadays, I suppose?

    2. Re:Wastes bandwidth too... by Njovich · Score: 2

      SMB is basically either block level or streaming. It doesn't just copy the entire file over the network the moment you access it, unless your system requests all of the file. Depending on the server, connection and file request configuration, the received data can usually be cached. You don't want it to always cache, because sometimes you may actually need updates in data. I would hazard a guess and say that the exploit relies on a situation where caching is off.
      Then you get the following issue: defender cannot use the calls the executable makes for reading the file, because it needs to scan the whole file at once, so it just requests the whole file. However, the executable will make its own read calls, so the only way to reuse the data is using the aforementioned caching. Which needs to be off in some situations.
      It doesn't typically get sent twice, and there is also not an easy fix without breaking lots of people.

    3. Re:Wastes bandwidth too... by tlhIngan · Score: 4, Insightful

      That doesn't make any sense. The system should just download the file, give it to Windows Defender, wait for its reply, and then execute the file if it's OK. Or, if you can't trust the non-defender part of the system, ask Defender to download the file, then let Defender hand it over to the system to execute. No matter how you do it, a single download is faster AND more secure.

      Why download a file twice? Bandwidth is too cheap nowadays, I suppose?

      Your way makes perfect sense... if you believe a security product is integrated into the OS itself.

      However, Microsoft is under different rules, and Windows Defender must be disable-able in case the user decides they want to use a different security software product. Otherwise imagine the hell Kaspersky, Symantec, etc. will raise. Heck, Windows 10 updates that disable those products until updated already spurred lawsuits.

      SO Windows Defender must be able to act like any other program would, and in this case, when you want to open a file, the kernel hook fires and Windows Defender scans the file first before letting Windows open the file.

      About the only way around this would be to have the PE Loader be hookable so Windows Defender and other software can scan the file image after loading into memory but prior to execution. Assuming that's possible, given how the PE Loader might not actually read the entire file at once into memory, but instead just skip about when reading. In this case perhaps the hook might be near the very end before it jumps.

    4. Re:Wastes bandwidth too... by KiloByte · Score: 4, Informative

      Windows does have an equivalent of ptrace, so how exactly is this a problem? You hook onto the process that's being created (on Windows there's no separation between fork and exec) having it start as traced. It gets mmapped, you check whatever got loaded into that process' address space, detach the trace.

      It'd also have double the performance when the file fits into memory: no need to request the file over network twice. And if it doesn't fit, well, page cache is perfectly equipped to deal with this.

      --
      The creatures outside looked from Alt-Right to Antifa; but already it was impossible to say which was which.
  2. Re:Not a big deal by StormReaver · Score: 2

    Windows will alert you if you try to open a dangerous file type off of a SMB share. So the user would have to bypass this dialog.

    That made me laugh. Most Windows users will answer yes to just about any question that stands between them and any malicious program they are trying to run.

    This flaw is critical, and Microsoft's response shows how little it still cares about security.

  3. Windows Defender has a bug because... by zifn4b · Score: 4, Insightful

    For Illusion Gap to work, the attacker must convince a user to execute a file hosted on a malicious SMB server under his control.

    Ticket Description: Windows Defender is vulnerable to human stupidity
    Acceptance Criteria: Show that humans are no longer stupid
    Priority: High

    Chop chop developers!

    --
    We'll make great pets
  4. Low threat profile. by CptLoRes · Score: 2

    The technique -- nicknamed Illusion Gap -- relies on a mixture of both social engineering and the use of a rogue SMB server.

    This sounds more like a problem with an inside job from a disgruntled worker than a realistic threat.