Security News New "Illusion Gap" Attack Bypasses Windows Defender Scans

Transhumana (thread author)
Jul 6, 2017
Security researchers from CyberArk have discovered a new technique that allows malware to bypass Windows Defender, the standard security software that comes included with all Windows operating systems.

The technique — nicknamed Illusion Gap — relies on a mixture of both social engineering and the use of a rogue SMB server.

The attack exploits a design choice in how Windows Defender scans files stored on an SMB share before execution.

For Illusion Gap to work, the attacker must convince a user to execute a file hosted on a malicious SMB server under his control. This is not as complex as it sounds, as a simple shortcut file is all that's needed.

How Illusion Gap works
The problems occur after the user double-clicks this malicious file. By default, Windows will request from the SMB server a copy of the file for the task of creating the process that executes the file, while Windows Defender will request a copy of the file in order to scan it.

SMB servers can distinguish between these two requests, and this is a problem because an attacker can configure their malicious SMB server to respond with two different files.

The attacker can send a malicious file to the Windows PE Loader, and a benign file to Windows Defender. After Windows Defender scans the clean file and gives the go-ahead, Windows PE Loader will execute the malicious file without Windows Defender realizing they're two different things.

[Image: IllusionGap-steps.png]

Microsoft does not view this as a security issue
CyberArk says it notified Microsoft but the company did not view it as a security issue. Researchers included the Microsoft reply in their Illusion Gap paper.

Thanks for your email. Based on your report, successful attack requires a user to run/trust content from an untrusted SMB share backed by a custom server that can change its behavior depending on the access pattern. This doesn't seem to be a security issue but a feature request which I have forwarded to the engineering group.

Thanks again for reporting security issues to Microsoft responsibly and we appreciate your effort in doing so.

Basic mitigation advice
"It’s Windows Defenders job to scan and find malicious files – this vulnerability allows malicious files to bypass it, so it’s not doing its job," Kobi Ben Naim, Senior Director of Cyber Research at CyberArk, told Bleeping Computer via email.

"Other than installing additional AV or endpoint scanning software along with Windows Defender, there isn’t much an organization can do to mitigate this specific vulnerability," Naim added.

"The best recommendation is for organizations to not rely solely on endpoint scanning and AV, and to implement proactive security measures that assumes malware will get past the perimeter," the expert also said.

"We strongly believe that organizations should implement a combination of least privilege and application control policies on endpoints and servers throughout the organization. This proactive approach is not dependent on the ability to detect advanced malware; instead, it treats all unknown applications as potentially suspicious and protects information accordingly.

"While Microsoft is a great software vendor, people need to understand that while free Microsoft products have a value of their own, it’s not a replacement to security. Microsoft makes great products, but they’re not a security vendor. Security-conscious organizations need to take this into account when using any product."

Other AVs might be affected
Naim also believes that the Windows Defender bypass which the CyberArk team discovered will see some usage in the future.

"Like every new attack vector, the first to exploit it will likely be high-end, sophisticated attackers (APTs)," Naim told Bleeping. "Once an attack method like this is used by these advanced groups, you typically see all other attackers follow shortly thereafter."

CyberArk researchers also warn that other antivirus solutions might be vulnerable to the Illusion Gap attack, but that the company has not carried out additional tests.

Because this research was provided under embargo to Bleeping Computer before publication, we also could not reach out to other vendors and inquire about the vulnerability. Any information about other AV vendors vulnerable to Illusion Gap attacks will be added to this post.

CyberArk researchers also provided YouTube videos demonstrating how the Illusion Gap attack works. Illusion Gap technical details are available here.
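Added example, not code from the Bleeping Computer article or from CyberArk's research: a Python simulation of the two-fetch race described under "How Illusion Gap works", placed beside a flow in which the bytes that are scanned are the only bytes that run. The share classes, the `purpose` label on each read, the marker-based toy scanner and the sample file contents are all constructed stand-ins; the real SMB request differences a rogue server could tell apart are not modelled. The `share_is_consistent` probe is a defender-side check, also an assumption of this example, that fetches the same path twice and compares hashes.

```python
import hashlib
import os
import tempfile
from dataclasses import dataclass, field
from typing import Optional

# Constructed stand-ins for file content. The toy scanner flags any file that
# contains MARKER; nothing here is a real executable or a real AV signature.
MARKER = b"DEMO-MALICIOUS-MARKER"
BENIGN_FILE = b"MZ demo: harmless payload"
MALICIOUS_FILE = b"MZ demo: " + MARKER


@dataclass
class HonestShare:
    """A share that returns the same bytes to every requester."""
    content: bytes

    def read(self, purpose: str) -> bytes:
        return self.content


@dataclass
class DualResponseShare:
    """A share that answers differently depending on who asks. The `purpose`
    label is a constructed simplification of the request differences the
    article says a rogue server can distinguish."""
    for_scanner: bytes
    for_loader: bytes
    requests: list = field(default_factory=list)

    def read(self, purpose: str) -> bytes:
        self.requests.append(purpose)
        return self.for_scanner if purpose == "scan" else self.for_loader


def toy_scan(data: bytes) -> bool:
    """Return True when the bytes are considered clean."""
    return MARKER not in data


def toy_execute(data: bytes) -> str:
    """Stand-in for the PE loader: report which content would have run."""
    return "ran:" + hashlib.sha256(data).hexdigest()[:16]


def two_fetch_flow(share) -> Optional[str]:
    """The flow the article describes: the scanner fetches its own copy, then
    the loader fetches another. A dual-response share wins this race."""
    if not toy_scan(share.read("scan")):
        return None                          # blocked by the scanner
    return toy_execute(share.read("load"))   # loader gets a separate copy


def fetch_once_flow(share) -> Optional[str]:
    """Hardened flow: fetch once into local storage, scan that local copy, and
    execute only if the local copy still hashes to what was scanned."""
    data = share.read("load")                # the only remote read
    with tempfile.TemporaryDirectory() as tmp:
        staged = os.path.join(tmp, "staged.bin")
        with open(staged, "wb") as fh:
            fh.write(data)
        with open(staged, "rb") as fh:
            scanned = fh.read()
        verdict_hash = hashlib.sha256(scanned).hexdigest()
        if not toy_scan(scanned):
            return None                      # blocked: scanned the real bytes
        with open(staged, "rb") as fh:
            to_run = fh.read()
        if hashlib.sha256(to_run).hexdigest() != verdict_hash:
            return None                      # content changed after the verdict
        return toy_execute(to_run)


def share_is_consistent(share) -> bool:
    """Defender-side probe: fetch the same path under two request labels and
    compare hashes. Differing hashes are a strong signal of a rogue share."""
    first = hashlib.sha256(share.read("scan")).hexdigest()
    second = hashlib.sha256(share.read("load")).hexdigest()
    return first == second


if __name__ == "__main__":
    rogue = DualResponseShare(for_scanner=BENIGN_FILE, for_loader=MALICIOUS_FILE)
    print("two-fetch  :", two_fetch_flow(rogue))       # malicious content runs
    print("fetch-once :", fetch_once_flow(rogue))      # None: blocked
    print("consistent :", share_is_consistent(rogue))  # False
```

The point the simulation makes is that the gap is a time-of-check/time-of-use problem: a verdict is only meaningful for the exact bytes it was computed over, so staging the file locally and hashing it before both the scan and the execution removes the server's ability to serve two stories. The two-fetch flow keeps the race, which is why the article's advice to layer application control and least privilege on top of scanning matters.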

tim one
Jul 31, 2014
APT:

Advanced: it means that the criminal can operate using common, publicly available, systems of exploitation of known vulnerabilities by raising the level of the “game” and by researching new vulnerabilities and developing exploits.

Persistent: this means that the attacker is formally tasked to accomplish a mission: this is not a random intrusion. Persistent does not mean that it is necessary to continue the execution of malicious code on the victim's computer, rather it has the meaning of maintaining an active presence for the time necessary to complete the task.

Threat: it means that the malware is not a simple fragment of “code”. This step is critical: you do not have to confuse, in this context, the term "threat" with “malware”. The malware, however sophisticated might make you think of something less disturbing, on the contrary, in this case the malware is a threat because it is organized, funded and motivated.

If we just think of the CCleaner incident, then we can achieve what APT could do and what we can do against it.
