Illusion Gap

Security researchers from CyberArk have discovered a new technique that allows malware to bypass Windows Defender, the standard security software that comes included with all Windows operating systems.

The technique — nicknamed Illusion Gap — relies on a mixture of both social engineering and the use of a rogue SMB server.

The attack exploits a design choice in how Windows Defender scans files stored on an SMB share before execution.

For Illusion Gap to work, the attacker must convince a user to execute a file hosted on a malicious SMB server under their control. This is not as complex as it sounds, as a simple shortcut file is all that's needed.

How Illusion Gap works

The problems occur after the user double-clicks this malicious file. By default, Windows requests a copy of the file from the SMB server in order to create the process that executes it, while Windows Defender separately requests its own copy of the file in order to scan it.

SMB servers can distinguish between these two requests, and this is a problem because an attacker can configure their malicious SMB server to respond with two different files.

The attacker can send a malicious file to the Windows PE Loader, and a benign file to Windows Defender. After Windows Defender scans the clean file and gives the go-ahead, Windows PE Loader will execute the malicious file without Windows Defender realizing they're two different things.
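The sequence described above is a time-of-check-to-time-of-use problem: the bytes that are scanned and the bytes that are executed come from two separate reads of a source the client does not control. The following Python model is an added illustration, not CyberArk's tooling or Microsoft's code. The `DualResponseShare` class, the `scanner` function, the "scanner"/"loader" requester labels and the placeholder byte strings are all constructed assumptions; it contrasts the fragile two-read pattern with a pattern that fetches once, hashes the fetched bytes, scans exactly those bytes and only then uses them, and adds a consistency check a defender could use to flag a source that serves different content to different readers.

```python
import hashlib

# Constructed placeholder payloads; these are not real executables.
BENIGN_BYTES = b"MZ benign-placeholder"
MALICIOUS_BYTES = b"MZ malicious-placeholder"


class DualResponseShare:
    """Assumed model of a remote source that answers a scanner's read and a
    loader's read with different content. The requester label stands in for
    whatever access-pattern differences a rogue server might observe."""

    def read(self, requester):
        if requester == "scanner":
            return BENIGN_BYTES
        return MALICIOUS_BYTES


def scanner(data):
    """Toy scanner (assumption): clean unless the constructed marker is present."""
    return b"malicious" not in data


def naive_scan_then_execute(share):
    """Fragile pattern: the scanner and the loader each fetch their own copy,
    so the share can hand them different bytes."""
    if not scanner(share.read("scanner")):
        return ("blocked", None)
    executed = share.read("loader")          # second, independent read
    return ("executed", executed)


def scan_once_execute_same_bytes(share):
    """Hardened pattern: fetch once, pin the bytes by hash, scan that exact
    copy, and only ever use that same copy."""
    data = share.read("loader")              # single fetch for both purposes
    digest = hashlib.sha256(data).hexdigest()
    if not scanner(data):
        return ("blocked", digest)
    return ("executed", digest)


def source_is_consistent(share):
    """Defender-side check: a source that returns different content to
    different readers is itself a red flag worth alerting on."""
    h1 = hashlib.sha256(share.read("scanner")).hexdigest()
    h2 = hashlib.sha256(share.read("loader")).hexdigest()
    return h1 == h2


if __name__ == "__main__":
    share = DualResponseShare()
    print("naive    :", naive_scan_then_execute(share)[0])
    print("hardened :", scan_once_execute_same_bytes(share)[0])
    print("consistent source:", source_is_consistent(share))
```

Running the model shows the naive path reporting "executed" with the second copy while the hardened path reports "blocked", and the consistency check returns False for this source; the point is that any scan whose verdict applies to bytes other than the ones actually loaded can be defeated by a source that controls both reads.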

[Image: Illusion Gap attack steps]

Microsoft does not view this as a security issue

CyberArk says it notified Microsoft but the company did not view it as a security issue. Researchers included the Microsoft reply in their Illusion Gap paper.

Thanks for your email. Based on your report, a successful attack requires a user to run/trust content from an untrusted SMB share backed by a custom server that can change its behavior depending on the access pattern. This doesn't seem to be a security issue but a feature request which I have forwarded to the engineering group.

Thanks again for reporting security issues to Microsoft responsibly and we appreciate your effort in doing so.

Basic mitigation advice

"It’s Windows Defender's job to scan and find malicious files – this vulnerability allows malicious files to bypass it, so it’s not doing its job," Kobi Ben Naim, Senior Director of Cyber Research at CyberArk, told Bleeping Computer via email.

"Other than installing additional AV or endpoint scanning software along with Windows Defender, there isn’t much an organization can do to mitigate this specific vulnerability," Naim added.

"The best recommendation is for organizations to not rely solely on endpoint scanning and AV, and to implement proactive security measures that assume malware will get past the perimeter," the expert also said.

"We strongly believe that organizations should implement a combination of least privilege and application control policies on endpoints and servers throughout the organization. This proactive approach is not dependent on the ability to detect advanced malware; instead, it treats all unknown applications as potentially suspicious and protects information accordingly.

"While Microsoft is a great software vendor, people need to understand that while free Microsoft products have a value of their own, it’s not a replacement for security. Microsoft makes great products, but they’re not a security vendor. Security-conscious organizations need to take this into account when using any product."

Other AVs might be affected

Naim also believes that the Windows Defender bypass which the CyberArk team discovered will see some usage in the future.

"Like every new attack vector, the first to exploit it will likely be high-end, sophisticated attackers (APTs)," Naim told Bleeping. "Once an attack method like this is used by these advanced groups, you typically see all other attackers follow shortly thereafter."

CyberArk researchers also warn that other antivirus solutions might be vulnerable to the Illusion Gap attack, but the company has not carried out additional tests.

Because this research was provided under embargo to Bleeping Computer before publication, we also could not reach out to other vendors and inquire about the vulnerability. Any information about other AV vendors vulnerable to Illusion Gap attacks will be added to this post.

CyberArk researchers also provided YouTube videos demonstrating how the Illusion Gap attack works. Illusion Gap technical details are available here.

Image credits: TNS, Bleeping Computer, CyberArk