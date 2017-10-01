


New 'Illusion Gap' Attack Bypasses Windows Defender Scans (bleepingcomputer.com)

Posted by EditorDavid from the evasive-exploits dept.
An anonymous reader writes: Security researchers have discovered a new technique that allows malware to bypass Windows Defender, the standard security software that comes included with all Windows operating systems. The technique -- nicknamed Illusion Gap -- relies on a mixture of both social engineering and the use of a rogue SMB server.

The attack exploits a design choice in how Windows Defender scans files stored on an SMB share before execution. For Illusion Gap to work, the attacker must convince a user to execute a file hosted on a malicious SMB server under his control. This is not as complex as it sounds, as a simple shortcut file is all that's needed.

The problems occur after the user double-clicks this malicious file. By default, Windows will request from the SMB server a copy of the file for the task of creating the process that executes the file, while Windows Defender will request a copy of the file in order to scan it. SMB servers can distinguish between these two requests, and this is a problem because an attacker can configure their malicious SMB server to respond with two different files. The attacker can send a malicious file to the Windows PE Loader, and a benign file to Windows Defender. After Windows Defender scans the clean file and gives the go-ahead, Windows PE Loader will execute the malicious file without Windows Defender realizing they're two different things. Microsoft declined to patch the bug, considering it a "feature request."
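The double fetch described above is a time-of-check/time-of-use problem: the scanner's verdict covers the bytes it fetched, not the bytes the loader fetched afterwards. The simulation below is an added example, not code from the article, the researchers or Microsoft; it replaces the SMB share with an in-memory stand-in (no network code), uses constructed payloads and a constructed hash denylist as the "scanner", and contrasts the vulnerable scan-then-fetch-again flow with a fetch-once, scan-then-load flow plus a simple mismatch check.

```python
import hashlib

# Constructed payloads: nothing is executed, the bytes are only labelled.
BENIGN = b"#!benign\n"
MALICIOUS = b"#!malicious\n"
# Constructed stand-in for the scanner's signature database (a hash denylist).
KNOWN_BAD = {hashlib.sha256(MALICIOUS).hexdigest()}

class RogueShare:
    """In-memory stand-in for the attacker-controlled SMB server: it answers
    differently depending on which client it thinks is reading the file."""
    def open(self, requester):
        return BENIGN if requester == "scanner" else MALICIOUS

class HonestShare:
    """A normal share that serves the same bytes to every reader."""
    def open(self, requester):
        return BENIGN

def scanner_says_clean(data):
    return hashlib.sha256(data).hexdigest() not in KNOWN_BAD

def label(data):
    return "malicious" if data == MALICIOUS else "benign"

def naive_run(share):
    """Vulnerable flow: the scanner fetches its own copy, then the loader
    fetches another. The verdict covers bytes the scanner saw, not the bytes
    that run (time-of-check / time-of-use)."""
    if not scanner_says_clean(share.open("scanner")):
        return "blocked"
    return "executed " + label(share.open("loader"))

def hardened_run(share):
    """Mitigation: read once, scan exactly those bytes, and hand the same
    buffer to the loader, so the server gets no second, different answer."""
    data = share.open("loader")
    if not scanner_says_clean(data):
        return "blocked"
    return "executed " + label(data)

def fetches_disagree(share):
    """Detection heuristic: a scan-time copy and a load-time copy of the same
    remote file that hash differently mean the share is lying to someone."""
    scanned = hashlib.sha256(share.open("scanner")).hexdigest()
    loaded = hashlib.sha256(share.open("loader")).hexdigest()
    return scanned != loaded
```

Against the rogue share the naive flow runs the malicious bytes while the hardened flow blocks them; against an honest share both flows behave identically, which is why the single-read design costs nothing in the normal case.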
