Friday, September 29, 2017

"Illusion Gap" Malware Attack Bypasses Windows Defender Scans on Shared Folders Server

A new malware dubbed "Illusion Gap" exploits a design choice in how Windows Defender scans files stored on an Shared Folders (SMB) Server before execution.

In many offices, this is your local area network (LAN) drive, a dated term. The modern term is called Network-attached storage (NAS).

For Illusion Gap to work, the attacker must convince a user to execute a file hosted on a malicious SMB server under his control. This is not as complex as it sounds, as a simple shortcut file is all that's needed.

How Illusion Gap works

The problems occur after the user double-clicks this malicious file. By default, Windows will request from the SMB server a copy of the file for the task of creating the process that executes the file, while Windows Defender will request a copy of the file in order to scan it.

SMB servers can distinguish between these two requests, and this is a problem because an attacker can configure their malicious SMB server to respond with two different files.

The attacker can send a malicious file to the Windows PE Loader, and a benign file to Windows Defender. After Windows Defender scans the clean file and gives the go-ahead, Windows PE Loader will execute the malicious file without Windows Defender realizing they're two different things.


No comments:

Post a Comment