New 'Illusion Gap' Attack Bypasses Windows Defender Scans (bleepingcomputer.com)
An anonymous reader writes: Security researchers have discovered a new technique that allows malware to bypass Windows Defender, the standard security software that comes included with all Windows operating systems. The technique -- nicknamed Illusion Gap -- relies on a mixture of both social engineering and the use of a rogue SMB server.
The attack exploits a design choice in how Windows Defender scans files stored on an SMB share before execution. For Illusion Gap to work, the attacker must convince a user to execute a file hosted on a malicious SMB server under his control. This is not as complex as it sounds, as a simple shortcut file is all that's needed.
The problems occur after the user double-clicks this malicious file. By default, Windows will request from the SMB server a copy of the file for the task of creating the process that executes the file, while Windows Defender will request a copy of the file in order to scan it. SMB servers can distinguish between these two requests, and this is a problem because an attacker can configure their malicious SMB server to respond with two different files. The attacker can send a malicious file to the Windows PE Loader, and a benign file to Windows Defender. After Windows Defender scans the clean file and gives the go-ahead, Windows PE Loader will execute the malicious file without Windows Defender realizing they're two different things. Microsoft declined to patch the bug, considering it a "feature request."
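The summary describes a check-then-use gap: the scanner and the loader each fetch "the file" with a separate request, and a server that can tell the two requests apart may answer them differently. The simulation below is an added example, not code from the article, BleepingComputer, Microsoft or any commenter here; it uses a toy scanner, constructed file contents and a purpose-aware in-memory source (no SMB code) to show why two independent fetches are unsafe, and two defensive patterns: fetching once through the loader's own request and scanning that same buffer, or, where two fetches cannot be avoided, refusing to run when the two copies differ.

```python
import hashlib

# Constructed sample content. The marker stands in for a real AV signature.
BAD_MARKER = b"TOY-MALWARE-MARKER"
BENIGN_FILE = b"MZ...constructed benign program image..."
MALICIOUS_FILE = b"MZ...constructed program image..." + BAD_MARKER


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def toy_scan(data: bytes) -> bool:
    """Toy scanner: reports clean unless the constructed marker is present."""
    return BAD_MARKER not in data


class StableSource:
    """Honest source: every request gets the same bytes."""

    def __init__(self, data: bytes):
        self.data = data

    def read(self, purpose: str) -> bytes:
        return self.data


class PurposeAwareSource:
    """Source that answers the scanner's request and the loader's request
    differently. It models the summary's point that the server can tell the
    two requests apart; it is an in-memory simulation, not SMB code."""

    def __init__(self, for_scanner: bytes, for_loader: bytes):
        self.for_scanner = for_scanner
        self.for_loader = for_loader

    def read(self, purpose: str) -> bytes:
        return self.for_scanner if purpose == "scan" else self.for_loader


def check_then_use_two_fetches(source):
    """The gap: scanner and loader fetch independently, so the bytes that
    were checked need not be the bytes that are used."""
    if not toy_scan(source.read("scan")):
        return ("blocked", None)
    loaded = source.read("load")  # second, separate fetch
    return ("executed", sha256_hex(loaded))


def check_then_use_single_fetch(source):
    """Hardened: fetch once via the loader's own request, scan that buffer,
    and execute from that same buffer."""
    image = source.read("load")
    if not toy_scan(image):
        return ("blocked", None)
    return ("executed", sha256_hex(image))


def check_then_use_compare(source):
    """Alternative when two fetches cannot be avoided: refuse to run if the
    loader's copy differs from the copy that was scanned."""
    scanned = source.read("scan")
    if not toy_scan(scanned):
        return ("blocked", None)
    loaded = source.read("load")
    if sha256_hex(loaded) != sha256_hex(scanned):
        return ("blocked", "mismatch")
    return ("executed", sha256_hex(loaded))


def demo():
    """Run all three policies against an honest source and a purpose-aware one."""
    honest = StableSource(BENIGN_FILE)
    rogue = PurposeAwareSource(for_scanner=BENIGN_FILE, for_loader=MALICIOUS_FILE)
    return {
        "two_fetches/honest": check_then_use_two_fetches(honest),
        "two_fetches/rogue": check_then_use_two_fetches(rogue),
        "single_fetch/rogue": check_then_use_single_fetch(rogue),
        "compare/rogue": check_then_use_compare(rogue),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:20} -> {result}")
```

Against the honest source all three policies behave the same. Against the purpose-aware source, only the two-fetch policy ends up executing bytes it never scanned; the single-fetch policy scans exactly what the loader received and blocks it, and the compare policy blocks on the digest mismatch even though its scan of the first copy came back clean.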
Wastes bandwidth too... (Score:5, Insightful)
Why send a file once when you can send it twice instead?
Re: (Score:1)
this is what pisses me off the most.
try doing it with a 500mb installer .exe, even over gigabit it takes FOREVER.
Re:Wastes bandwidth too... (Score:4, Insightful)
That doesn't make any sense. The system should just download the file, give it to Windows Defender, wait for its reply, and then execute the file if it's OK. Or, if you can't trust the non-defender part of the system, ask Defender to download the file, then let Defender hand it over to the system to execute. No matter how you do it, a single download is faster AND more secure.
Why download a file twice? Bandwidth is too cheap nowadays, I suppose?
Re:Wastes bandwidth too... (Score:5, Insightful)
Your way makes perfect sense... if you believe a security product is integrated into the OS itself.
However, Microsoft is under different rules, and Windows Defender must be disable-able in case the user decides they want to use a different security software product. Otherwise imagine the hell Kaspersky, Symantec, etc. will raise. Heck, Windows 10 updates that disable those products until updated already spurred lawsuits.
SO Windows Defender must be able to act like any other program would, and in this case, when you want to open a file, the kernel hook fires and Windows Defender scans the file first before letting Windows open the file.
About the only way around this would be to have the PE Loader be hookable so Windows Defender and other software can scan the file image after loading into memory but prior to execution. Assuming that's possible, given how the PE Loader might not actually read the entire file at once into memory, but instead just skip about when reading. In this case perhaps the hook might be near the very end before it jumps.
Re:Wastes bandwidth too... (Score:5, Informative)
Windows does have an equivalent of ptrace, so how exactly is this a problem? You hook onto the process that's being created (on Windows there's no separation between fork and exec) having it start as traced. It gets mmapped, you check whatever got loaded into that process' address space, detach the trace.
It'd also have double the performance when the file fits into memory: no need to request the file over network twice. And if it doesn't fit, well, page cache is perfectly equipped to deal with this.
Re: (Score:1)
Uh.. it still makes sense even if you have a third party checking the files. You just set up a system for products to become registered as the file checking agent, and instead of sending the file to defender, you send it to the 3rd party agent before executing.
Re: (Score:3)
SMB is basically either block level or streaming. It doesn't just copy the entire file over the network the moment you access it, unless your system requests all of the file. Depending on the server, connection and file request configuration, the received data can usually be cached. You don't want it to always cache, because sometimes you may actually need updates in data. I would hazard a guess and say that the exploit relies on a situation where caching is off.
Then you get the following issue: defender ca
Re: (Score:2)
You seem to be confusing a couple of things, but your overall message, to just force the use of the defender scans, is true (I did mention it in the previous comment, but perhaps I dismissed it too easily). There are some things to keep in mind:
- Might break compatibility with some use cases Microsoft needs to support
- It might be difficult to do this only for some kind of files like executables
- There may be workarounds like exhausting the cache in either space or time which would make the fix useless
Or god
No systemd (Score:1)
Everyone on windows needs to take this opportunity to transition to a systemd free version of Linux.
Re: No systemd (Score:1)
It requires you to not treat a computer as a magic wish device.
That should mitigate some of the issue with social engineering.
Re: (Score:2)
AKA it's harder to use.
Re: (Score:2)
Doesn't necessarily need to be an executable. A malicious Word or Flash document would probably work just fine in most cases. A large company is probably going to firewall SMB to unknown remote sites, but smaller companies certainly wouldn't.
I did (Score:1)
Decided to give good old Slackware a try. It worked perfectly. I wasn't left with a crippled system either. Some Debian dickheads have decided to not include vital tools like traceroute or nslookup. Kind of difficult to install that package when your route is fucked up. Which brings me to the next point, the route command. It's worked the same way just fine for decades now. In the past you could do "route add default x.x.x.x" not so anymore. The syntax changed for no reason at all.
So in short if you want Li
Re: (Score:2)
Um, no. You're confusing the BSD and GNU versions of the command. I've found references of "route add default gw x.x.x.x " at least back to 2006. While the latest FreeBSD manual refers to your syntax.
Cue the "Has Microsoft Changed" Headlines (Score:2, Offtopic)
Someone should pair this with the article asking if Microsoft has changed their ways because they're embracing Linux.
Not a big deal (Score:2)
I might side with MS on this one, though the response doesn't make them look good. The hardest part of this will be getting the user to try and launch the program in the first place. It may be a lot easier just to tailor the malware to evade detection when scanned.
First of all, you can't just make a link the user can click. Chrome and Firefox both block links from the internet that point to the local PC or SMB shares (not sure what IE/Edge do). Even if you get the user to enter the url manually, Chrome and
Re: (Score:1)
This.
IIRC Windows will scream holy hell if you try and execute any file or script (even thru command prompt) on a SMB share that is not identified as part of your domain network with the same FQDN, or on the local network.
You can try this yourself - map a drive to share on an IP address e.g. if Z: = \\10.10.10.10\share_name and you try to execute anything, you should get one of those "bitch is you crazy?" dialog boxes with a
dialog box indoor plumbing (Score:2)
Bathroom sinks used to have separate taps for hot and cold.
Now we have single-lever controls that combine rate with temperature, by interpolating uniformly between hot and cold. Gasoline pumps do something similar to deliver various octane levels from a small number of distinct feed stocks.
There's no reason, therefore, that a bathroom can't have three different feed stocks: hot (guaranteed no Ebola), cold (guaranteed no Ebola), and fountain of youth (no safety standard mandated).
Of course, you wouldn't wan
Re: Not a big deal (Score:2)
Re: (Score:2)
Yes, this is what I wanted to post too - this attack is much harder than just making the malware not trigger the defender.
HOWEVER I wonder who came up with this "brilliant" idea, I was always in my head operating on the assumption that "live" scan operates by intercepting the call of the application and analyzing the data there. This idea of "let me go outside and see what this file is" for this purpose is not only crazy and a small security gap but also a performance killer.
Re: (Score:1)
Well, yeah, if you got inside the network (e.g. Deloitte and Equifax) then there are probably easier ways to expand your control, but it just shows that the MS ecosystem is as waterproof as a rusted out colander. If they fix one set of common exploits, then there are always others to exploit.
Re: (Score:3)
Windows will alert you if you try to open a dangerous file type off of a SMB share. So the user would have to bypass this dialog.
That made me laugh. Most Windows users will answer yes to just about any question that stands between them and any malicious program they are trying to run.
This flaw is critical, and Microsoft's response shows how little it still cares about security.
Re: (Score:2)
Windows gets blamed because it's always been marketed as being suitable for those exact kinds of users who are stupid enough to fall for this sort of thing.
The fact is, general purpose operating systems are simply not suitable for most users, they are tools for geeks and require specialised knowledge to operate correctly.
So yes, Microsoft get blamed because they have knowingly marketed an unsuitable tool to users who are unqualified to use it.
Re: (Score:2)
Thing is, users will predictably do some things. Calling it "user stupidity" is only a way to try to duck the blame. Microsoft makes software that is intended to be run by humans, not any other form of intelligent life. Most of these humans have used Windows, and have acquired habits that tend to work on Windows. So, Microsoft managed to train these humans to ignore warnings somehow, and they're completely blameless?
It isn't the fault of the human race that we're human. It isn't the fault of humanit
Re: (Score:2)
Nonsense. The OS has done its job. If the end-user chooses to bypass a security warning, the onus is on the end-user, not the operating system.
"feature demand" from NSA/CIA (Score:1)
is most likely what it is.
I am still mad (Score:2)
Re: I am still mad (Score:2)
Re: (Score:2)
BitDefender used to do that shit to me ALL THE TIME, but the final straw was when it decided my development environment was malicious because it contained the gcc++ compiler, and utterly broke it. At least Windows Defender doesn't pop up over something that common.
Re: (Score:2)
I had Bitdefender start flagging the software I was compiling with the Intel compiler using aggressive optimizations. It took a bit to figure out what had gone on. I had compiled the software without errors, but the binary and shared lib were missing. I thought originally it was my dev environment screwing up. When I figured out it was Bitdefender and that others had reported the same problems, I dumped it. If you mark the software I just wrote and compiled as malicious, I don't need your faulty AV software.
Windows Defender has a bug because... (Score:5, Insightful)
For Illusion Gap to work, the attacker must convince a user to execute a file hosted on a malicious SMB server under his control.
Ticket Description: Windows Defender is vulnerable to human stupidity
Acceptance Criteria: Show that humans are no longer stupid
Priority: High
Chop chop developers!
Re: (Score:2)
Ticket Description: Windows Defender is vulnerable to human stupidity
Acceptance Criteria: Show that humans are no longer stupid
Priority: High
Chop chop developers!
Ticket Description: Windows Defender duplicates work in a way that increases the number of unnecessary potential vulnerabilities by one.
Acceptance Criteria: Please, stop foisting levels of trust on third party sources for your users without consent.
Priority: High enough that it makes the competition look good in comparison
It's incredible how different a situation appears when the goal is an improvement for everyone, rather than just vaguely blaming everyone involved.
Re: (Score:1)
Unfortunately, this bug doesn't require user stupidity.
Let's say that you have a network share with documents on it. Usually you fire up your network share, navigate to the folder, open a document, and start work - a normal process for a good percentage of office workers.
Unfortunately I've compromised the remote machine. I've replaced the documents with executable code, knowing that you're already de-sensitised to any warnings as you see them every time you open a document that contains a macro, which is mos
Re: (Score:2)
knowing that you're already de-sensitised to any warnings as you see them every time you open a document that contains a macro
Assuming users even know or care about these warnings [imgur.com]
Comment removed (Score:3)
Same old (Score:2)
Nothing but a venerable TOCTOU [wikipedia.org].
Re: (Score:2)
You are splitting hairs. It's the same principle: what gets used isn't what was checked.
If Windows Defender is vulnerable, are others? (Score:2)
How do other anti-virus programs handle this scenario? Some comments were saying this behavior was a result of Defender having to do nothing more than others could do, so this implies the hooks necessary to handle this correctly may not be there. Do others also download a separate copy? Is it that their copy can't be differentiated while the Defender copy can? What makes this Defender specific?
Where's the "AI" peeps? (Score:2)
Those fanbois who push AI should be all over this.
Talk about machine learning!
Something like this should only happen once, then a fix should be propagated out.
I'm being facetious, of course. AI can't handle a job like that.
Not only Defender (Score:2)
Actually the Windows Firewall has a similar problem too.
You launch an application, it starts executing and communicating over the network - while the firewall pop-up asking the user for permission to access network is up. However, the application is communicating already!
This is easily visible with Wireshark, for example.
It boggles the mind why Microsoft thought that this is actually a useful feature ...
Re: (Score:2)
Firewalls should by default assume applications executed by the user are valid since UAC is specifically designed to handle this.
Every PC should be behind a firewall already at the gateway/router level. So the only thing you're exposing yourself to is an internal network threat momentarily. The alternative is to by default block all user-executed applications on the PC and 99.9999999% of the time pissing off users. Pissed off users do one thing with near certainty: they disable the feature annoying them.
Re: (Score:2)
Assuming the application has been compromised, the user will allow execution through UAC (if needed) because the user wants to run the program and thinks it's OK, and then the firewall assumes that, since the user launched a program without knowing it's been compromised, and lets all the packets through.
How many PCs are behind an external firewall? It may be that they should,
Interesting but low probability. (Score:1)
The piece reads well, but convincing someone to execute a remote file seems like a stretch. Of course, if MSFT would address the issue by comparing the two files it would nip this 'feature' in the bud.