New 'Illusion Gap' Attack Bypasses Windows Defender Scans (bleepingcomputer.com)

An anonymous reader writes: Security researchers have discovered a new technique that allows malware to bypass Windows Defender, the standard security software that comes included with all Windows operating systems. The technique -- nicknamed Illusion Gap -- relies on a mixture of both social engineering and the use of a rogue SMB server.

The attack exploits a design choice in how Windows Defender scans files stored on an SMB share before execution. For Illusion Gap to work, the attacker must convince a user to execute a file hosted on a malicious SMB server under his control. This is not as complex as it sounds, as a simple shortcut file is all that's needed.

The problems occur after the user double-clicks this malicious file. By default, Windows will request from the SMB server a copy of the file for the task of creating the process that executes the file, while Windows Defender will request a copy of the file in order to scan it. SMB servers can distinguish between these two requests, and this is a problem because an attacker can configure their malicious SMB server to respond with two different files. The attacker can send a malicious file to the Windows PE Loader, and a benign file to Windows Defender. After Windows Defender scans the clean file and gives the go-ahead, Windows PE Loader will execute the malicious file without Windows Defender realizing they're two different things. Microsoft declined to patch the bug, considering it a "feature request."
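As an added example that is not from the article or the researchers, here is a toy Python model of the double fetch described in the summary: a scanner and a loader each read their own copy from a requester-aware source, and a hardened variant only runs bytes whose digest matches the copy that was actually vetted. The source, the marker-based scanner and every name below are constructed for illustration and do not speak SMB.

```python
"""Toy model of scanning one copy of a file and executing another.

A scanner verdict is only meaningful for the exact bytes the loader
receives; reading the file twice from a source that can tell the two
readers apart turns the check into a time-of-check/time-of-use gap.
"""
import hashlib
from dataclasses import dataclass, field


@dataclass
class TwoFacedSource:
    """Constructed stand-in for a file source that answers per requester."""
    responses: dict            # requester name -> bytes handed back
    reads: list = field(default_factory=list)   # order of reads, for inspection

    def read(self, requester):
        self.reads.append(requester)
        return self.responses[requester]


def scan(data):
    """Stand-in scanner: anything carrying the constructed marker is 'malicious'."""
    return b"MARKER" not in data


def naive_run(source):
    """Scanner and loader fetch independently. Returns (executed?, loaded bytes).
    The verdict applies to the scanner's copy, not to what the loader runs."""
    if not scan(source.read("scanner")):
        return False, None
    return True, source.read("loader")


def hardened_run(source):
    """Tie the verdict to content: approve a SHA-256 digest of the scanned
    bytes and refuse to run any copy whose digest differs from it."""
    scanned = source.read("scanner")
    approved = hashlib.sha256(scanned).hexdigest() if scan(scanned) else None
    loaded = source.read("loader")
    if approved is None or hashlib.sha256(loaded).hexdigest() != approved:
        return False, None      # either flagged, or not the bytes that were vetted
    return True, loaded
```

Against a source that answers both readers identically the two pipelines agree; against a requester-aware source the naive pipeline executes bytes the scanner never saw while the hardened one refuses.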

  • by green1 ( 322787 ) on Sunday October 01, 2017 @12:00AM (#55286387)

    Why send a file once when you can send it twice instead?

    • by Anonymous Coward

      this is what pisses me off the most.

      try doing it with a 500mb installer .exe, even over gigabit it takes FOREVER.

    • by Njovich ( 553857 )

      SMB is basically either block level or streaming. It doesn't just copy the entire file over the network the moment you access it, unless your system requests all of the file. Depending on the server, connection and file request configuration, the received data can usually be cached. You don't want it to always cache, because sometimes you may actually need updates in data. I would hazard a guess and say that the exploit relies on a situation where caching is off.
      Then you get the following issue: defender ca

  • by Anonymous Coward

    Everyone on windows needs to take this opportunity to transition to a systemd free version of Linux.

    • by Anonymous Coward

      Decided to give good old Slackware a try. It worked perfectly. I wasn't left with a crippled system either. Some Debian dickheads have decided to not include vital tools like traceroute or nslookup. Kind of difficult to install that package when your route is fucked up. Which brings me to the next point, the route command. It's worked the same way just fine for decades now. In the past you could do "route add default x.x.x.x" not so anymore. The syntax changed for no reason at all.

      So in short if you want Li

      • Um, no. You're confusing the BSD and GNU versions of the command. I've found references of "route add default gw x.x.x.x " at least back to 2006. While the latest FreeBSD manual refers to your syntax.

  • Microsoft declined to patch the bug, considering it a "feature request."

    Someone should pair this with the article asking if Microsoft has changed their ways because they're embracing Linux.

  • I might side with MS on this one, though the response doesn't make them look good. The hardest part of this will be getting the user to try and launch the program in the first place. It may be a lot easier just to tailor the malware to evade detection when scanned.

    First of all, you can't just make a link the user can click. Chrome and Firefox both block links from the internet that point to the local PC or SMB shares (not sure what IE/Edge do). Even if you get the user to enter the url manually, Chrome and

    • by Anonymous Coward

      Windows will alert you if you try to open a dangerous file type off of a SMB share.

      This.

      IIRC Windows will scream holy hell if you try and execute any file or script (even thru command prompt) on a SMB share that is not identified as part of your domain network with the same FQDN, or on the local network.

      You can try this yourself - map a drive to share on an IP address e.g. if Z: = \\10.10.10.10\share_name and you try to execute anything, you should get one of those "bitch is you crazy?" dialog boxes with a

• Bathroom sinks used to have separate taps for hot and cold.

        Now we have single-lever controls that combine rate with temperature, by interpolating uniformly between hot and cold. Gasoline pumps do something similar to deliver various octane levels from a small number of distinct feed stocks.

        There's no reason, therefore, that a bathroom can't have three different feed stocks: hot (guaranteed no Ebola), cold (guaranteed no Ebola), and fountain of youth (no safety standard mandated).

        Of course, you wouldn't wan

      • I'd pay up to $10 for an app that replaced Windows error/question messages with ghetto slang. Instead of progress bars, "ain't nobody got time for that".
    • Yes, this is what I wanted to post too - this attack is much harder than just making the malware not trigger the defender.

      HOWEVER I wonder who came up with this "brilliant" idea, I was always in my head operating on the assumption that "live" scan operates by intercepting the call of the application and analyzing the data there. This idea of "let me go outside and see what this file is" for this purpose is not only crazy and a small security gap but also a performance killer.

    • by Anonymous Coward

      Well, yeah, if you got inside the network (e.g. Deloitte and Equifax) then there are probably easier ways to expand your control, but it just shows that the MS ecosystem is as waterproof as a rusted out colander. If they fix one set of common exploits, then there are always others to exploit.

    • Windows will alert you if you try to open a dangerous file type off of a SMB share. So the user would have to bypass this dialog.

      That made me laugh. Most Windows users will answer yes to just about any question that stands between them and any malicious program they are trying to run.

      This flaw is critical, and Microsoft's response shows how little it still cares about security.

      • Nonsense. The OS has done its job. If the end-user chooses to bypass a security warning, the onus is on the end-user, not the operating system.

  • by Anonymous Coward

    is most likely what it is.

  • It deleted a crack for a game that I had for more than twenty years on my network storage, from inside an archive file.
    • by Mal-2 ( 675116 )

      BitDefender used to do that shit to me ALL THE TIME, but when the final straw was when it decided my development environment was malicious because it contained the gcc++ compiler, and utterly broke it. At least Windows Defender doesn't pop up over something that common.

• I had Bitdefender start flagging the software I was compiling with the Intel compiler using aggressive optimizations. It took a bit to figure out what had gone on. I had compiled the software without errors, but the binary and shared lib were missing. I thought originally it was my dev environment screwing up. When I figured out it was Bitdefender and that others had reported the same problems, I dumped it. If you mark the software I just wrote and compiled as malicious, I don't need your faulty AV software.

  • by zifn4b ( 1040588 ) on Sunday October 01, 2017 @06:11AM (#55286893)

    For Illusion Gap to work, the attacker must convince a user to execute a file hosted on a malicious SMB server under his control.

    Ticket Description: Windows Defender is vulnerable to human stupidity
    Acceptance Criteria: Show that humans are no longer stupid
    Priority: High

    Chop chop developers!

    • Ticket Description: Windows Defender is vulnerable to human stupidity
      Acceptance Criteria: Show that humans are no longer stupid
      Priority: High

      Chop chop developers!

      Ticket Description: Windows Defender duplicates work in a way that increases the number of unnecessary potential vulnerabilities by one.
      Acceptance Criteria: Please, stop foisting levels of trust on third party sources for your users without consent.
      Priority: High enough that it makes the competition look good in comparison

      It's incredible how different a situation appears when the goal is an improvement for everyone, rather than just vaguely blaming everyone involved.

    • by Anonymous Coward

      Unfortunately, this bug doesn't require user stupidity.

Let's say that you have a network share with documents on it. Usually you fire up your network share, navigate to the folder, open a document, and start work - a normal process for a good percentage of office workers.

      Unfortunately I've compromised the remote machine. I've replaced the documents with executable code, knowing that you're already de-sensitised to any warnings as you see them every time you open a document that contains a macro, which is mos

      • by PPH ( 736903 )

        knowing that you're already de-sensitised to any warnings as you see them every time you open a document that contains a macro

        Assuming users even know or care about these warnings [imgur.com]

  • by CptLoRes ( 4510239 ) on Sunday October 01, 2017 @06:41AM (#55286939)

    The technique -- nicknamed Illusion Gap -- relies on a mixture of both social engineering and the use of a rogue SMB server.

This sounds more like a problem with an inside job from a disgruntled worker than a realistic threat.

  • Nothing but a venerable TOCTOU [wikipedia.org].

• How do other anti-virus programs handle this scenario? Some comments were saying this behavior was a result of Defender having to do nothing more than others could do, so this implies the hooks necessary to handle this correctly may not be there. Do others also download a separate copy? Is it that their copy can't be differentiated while the Defender copy can? What makes this Defender specific?

  • Those fanbois who push AI should be all over this.

    Talk about machine learning!

    Something like this should only happen once, then a fix should be propagated out.

    I'm being facetious, of course. AI can't handle a job like that.

  • Actually the Windows Firewall has a similar problem too.

    You launch an application, it starts executing and communicating over the network - while the firewall pop-up asking the user for permission to access network is up. However, the application is communicating already!

    This is easily visible with Wireshark, for example.

It boggles the mind why Microsoft thought that this is actually a useful feature ...

    • Firewalls should by default assume applications executed by the user are valid since UAC is specifically designed to handle this.

      Every PC should be behind a firewall already at the gateway/router level. So the only thing you're exposing yourself to is an internal network threat momentarily. The alternative is to by default block all user-executed applications on the PC and 99.9999999% of the time pissing off users. Pissed off users do one thing with near certainty: they disable the feature annoying them.

      • Firewalls should by default assume applications executed by the user are valid since UAC is specifically designed to handle this.

        Assuming the application has been compromised, the user will allow execution through UAC (if needed) because the user wants to run the program and thinks it's OK, and then the firewall assumes that, since the user launched a program without knowing it's been compromised, and lets all the packets through.

        How many PCs are behind an external firewall? It may be that they should,

  • One wonders how unaware the average W* user is. No Linux user would do that, I doubt if it's an OS X thing. But even assuming the worst for W* users this has to be a small attack vector.

    The piece reads well, but convincing someone to execute a remote file seems like a stretch. Of course, if MSFT would address the issue by comparing the two files it would nip this 'feature' in the bud.
