New "Illusion Gap" Attack Bypasses Windows Defender Scans

An anonymous reader writes: Security researchers have discovered a new technique that allows malware to bypass Windows Defender, the standard security software that comes included with all Windows operating systems. The technique — nicknamed Illusion Gap — relies on a mixture of both social engineering and the use of a rogue SMB server.

The attack exploits a design choice in how Windows Defender scans files stored on an SMB share before execution. For Illusion Gap to work, the attacker must convince a user to execute a file hosted on a malicious SMB server under his control. This is not as complex as it sounds, as a simple shortcut file is all that's needed.

The problems occur after the user double-clicks this malicious file. By default, Windows will request from the SMB server a copy of the file for the task of creating the process that executes the file, while Windows Defender will request a copy of the file in order to scan it. SMB servers can distinguish between these two requests, and this is a problem because an attacker can configure their malicious SMB server to respond with two different files. The attacker can send a malicious file to the Windows PE Loader, and a benign file to Windows Defender. After Windows Defender scans the clean file and gives the go-ahead, Windows PE Loader will execute the malicious file without Windows Defender realizing they're two different things. Microsoft declined to patch the bug, considering it a "feature request."