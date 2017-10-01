New 'Illusion Gap' Attack Bypasses Windows Defender Scans (bleepingcomputer.com)
An anonymous reader writes: Security researchers have discovered a new technique that allows malware to bypass Windows Defender, the standard security software that comes included with all Windows operating systems. The technique -- nicknamed Illusion Gap -- relies on a mixture of both social engineering and the use of a rogue SMB server.
The attack exploits a design choice in how Windows Defender scans files stored on an SMB share before execution. For Illusion Gap to work, the attacker must convince a user to execute a file hosted on a malicious SMB server under his control. This is not as complex as it sounds, as a simple shortcut file is all that's needed.
The problems occur after the user double-clicks this malicious file. By default, Windows will request from the SMB server a copy of the file for the task of creating the process that executes the file, while Windows Defender will request a copy of the file in order to scan it. SMB servers can distinguish between these two requests, and this is a problem because an attacker can configure their malicious SMB server to respond with two different files. The attacker can send a malicious file to the Windows PE Loader, and a benign file to Windows Defender. After Windows Defender scans the clean file and gives the go-ahead, Windows PE Loader will execute the malicious file without Windows Defender realizing they're two different things. Microsoft declined to patch the bug, considering it a "feature request."
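The flaw described in the summary is a classic time-of-check/time-of-use gap: the scanner and the loader each fetch the file independently, so a server that can tell the two readers apart can hand each of them different bytes. The following Python mock is an added illustration, not the researchers' code and not a real SMB server. How the rogue server distinguishes the two reads in practice is not modelled; the mock simply takes an explicit `requester` tag, which is an assumption made here for illustration. It shows the flawed scan-then-execute sequence being fooled, and the hardened sequence (fetch once, scan the local copy, execute that same copy) blocking the same server.

```python
"""
Mock of the 'Illusion Gap' time-of-check/time-of-use pattern.

Added illustration only. The `requester` tag stands in for whatever lets a
rogue SMB server tell Windows Defender's read apart from the PE loader's
read; that mechanism is not modelled here.
"""
import hashlib

# Constructed sample payloads; the "malicious" one only carries a marker
# string that the mock scanner recognises.
BENIGN = b"MZ...benign program bytes (constructed sample)"
MALICIOUS = b"MZ...payload bytes (constructed sample)"

# The only "signature" the mock scanner knows.
SIGNATURE = b"payload"


class RogueShare:
    """A file server that answers each reader with a different file."""

    def __init__(self):
        self.log = []  # (path, requester) for every read, for inspection

    def read(self, path, requester):
        self.log.append((path, requester))
        # Give the scanner a clean file and everyone else the real payload.
        if requester == "scanner":
            return BENIGN
        return MALICIOUS


def scan(data):
    """Mock AV verdict: True means the bytes look clean."""
    return SIGNATURE not in data


def naive_run(share, path):
    """The flawed design: scanner and loader each fetch the file themselves.

    Returns the bytes the loader would execute, or None if the scan blocked.
    """
    scanned = share.read(path, requester="scanner")
    if not scan(scanned):
        return None
    # Second, independent fetch: the server may answer differently.
    return share.read(path, requester="loader")


def hardened_run(share, path):
    """Fetch once, scan that copy, and execute exactly the scanned bytes."""
    local_copy = share.read(path, requester="loader")
    if not scan(local_copy):
        return None
    return local_copy


def sha256(data):
    return hashlib.sha256(data).hexdigest()


if __name__ == "__main__":
    share = RogueShare()
    result = naive_run(share, r"\\rogue\share\app.exe")
    print("naive design executed:", sha256(result) if result else "blocked")
    print("reads seen by server:", share.log)

    share = RogueShare()
    result = hardened_run(share, r"\\rogue\share\app.exe")
    print("hardened design executed:", sha256(result) if result else "blocked")
```

The point of the hardened variant is not a better scanner but a single fetch: once the scanner and the loader operate on the same local bytes, the server has nobody left to lie to. The same principle applies to any scan-on-access design that re-reads a remote resource after the verdict.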
Wastes bandwidth too... (Score:4, Informative)
Why send a file once when you can send it twice instead?
Cue the "Has Microsoft Changed" Headlines (Score:2)
Someone should pair this with the article asking if Microsoft has changed their ways because they're embracing Linux.
Not a big deal (Score:2)
I might side with MS on this one, though the response doesn't make them look good. The hardest part of this will be getting the user to try and launch the program in the first place. It may be a lot easier just to tailor the malware to evade detection when scanned.
First of all, you can't just make a link the user can click. Chrome and Firefox both block links from the internet that point to the local PC or SMB shares (not sure what IE/Edge do). Even if you get the user to enter the url manually, Chrome and