Microsoft’s Windows Defender, the antivirus built into Windows, protects millions of users all over the world. Despite that, researchers say they have found a technique that bypasses it by tricking the scanner into examining a different file from the one that actually runs, or nothing at all.
The technique, called Illusion Gap, lets malware slip past the antivirus by exploiting the scanning process itself. It relies on a mix of social engineering and a rogue SMB server, and it abuses a design choice in how Windows Defender scans files stored on an SMB share before they are executed.
The CyberArk researchers explain that an antivirus product catches the execution of a file through a kernel callback on process creation and then has its user-mode agent scan the file. Executables already on the local disk were scanned when they were written, so the product assumes they have been checked and skips a rescan at that point.
“However, running an executable from a SMB share requires the Antivirus to scan the file even on process creation,” explained the experts.
To get past the scan, the attacker has to persuade the user to run a file hosted on a malicious SMB server, which is not hard: a simple shortcut file pointing at the share will do. When the user opens it, Windows asks the SMB server for the file so the PE loader can execute it, while Windows Defender separately asks the same server for a copy in order to scan it.
Because the two reads arrive at the server as separate SMB requests, a server that can tell them apart can answer each with a different file: the malicious one to the request that will be loaded, and a benign one to the request that Windows Defender will scan. Windows Defender approves the clean copy, and the Windows PE loader then runs the malicious one. This is a classic time-of-check to time-of-use problem: the bytes that were checked are not the bytes that are used.
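The exchange described above, as an added example that is neither CyberArk's code nor part of the original article: a small Python model of the double fetch. The rogue "pseudo-server" is hypothetical, and the discriminator it keys on (a single whole-file read versus the loader's ranged reads) is an assumption standing in for whatever access-pattern difference the real server observes; the sample images and the signature are constructed. The block also shows the check a defender wants: compare the bytes that were scanned with the bytes that get loaded, which is exactly what a rogue server cannot satisfy.

```python
"""
Model of the Illusion Gap double fetch (added example, not CyberArk's code).

A scanner and a PE loader each read an executable from a share. A rogue
server that can tell the two reads apart serves a clean file to the scanner
and a malicious one to the loader. The hardened flow refuses to run unless
the bytes it scanned are byte-for-byte the bytes it is about to load.
"""
import hashlib
from typing import Optional

# Constructed sample "PE images" (not real malware): they differ only in a
# marker string that the toy scanner has a signature for.
CLEAN_IMAGE = b"MZ" + b"\x00" * 62 + b"PE\x00\x00" + b"hello world" * 8
MALICIOUS_IMAGE = b"MZ" + b"\x00" * 62 + b"PE\x00\x00" + b"EVIL_MARKER" + b"payload" * 8
SIGNATURES = [b"EVIL_MARKER"]


def scan(data: bytes) -> bool:
    """Toy signature scanner: True if the image looks clean."""
    return not any(sig in data for sig in SIGNATURES)


class HonestServer:
    """A normal share: every client gets the same file content."""

    def __init__(self, image: bytes):
        self.image = image

    def read(self, offset: int, length: Optional[int]) -> bytes:
        end = len(self.image) if length is None else offset + length
        return self.image[offset:end]


class RoguePseudoServer:
    """Stand-in for the attacker's SMB 'pseudo-server'.

    ASSUMPTION: it distinguishes requests by access pattern alone. A single
    whole-file read is treated as the scanner and answered with CLEAN_IMAGE;
    any ranged read is treated as the loader and answered from MALICIOUS_IMAGE.
    The real attack uses whatever SMB-level difference the server can observe.
    """

    def __init__(self):
        self.log = []  # (who_we_think_it_is, offset, length)

    def read(self, offset: int, length: Optional[int]) -> bytes:
        whole_file = offset == 0 and length is None
        image = CLEAN_IMAGE if whole_file else MALICIOUS_IMAGE
        self.log.append(("scanner" if whole_file else "loader", offset, length))
        end = len(image) if length is None else offset + length
        return image[offset:end]


def scanner_fetch(server) -> bytes:
    """The AV user-mode agent pulls the whole file in one request."""
    return server.read(0, None)


def loader_fetch(server) -> bytes:
    """The PE loader reads the header first, then the rest in chunks.

    Chunk sizes are arbitrary; the point is that the pattern differs from
    the scanner's single read, which is what the rogue server keys on.
    """
    image = server.read(0, 64)
    offset = 64
    while True:
        chunk = server.read(offset, 32)
        if not chunk:
            return image
        image += chunk
        offset += len(chunk)


def outcome(image: bytes) -> str:
    return "ran_malicious" if b"EVIL_MARKER" in image else "ran_clean"


def vulnerable_execute(server) -> str:
    """Scanner and loader fetch independently: the double fetch."""
    if not scan(scanner_fetch(server)):
        return "blocked"
    return outcome(loader_fetch(server))


def hardened_execute(server) -> str:
    """Fetch for the scan, fetch for the load, then refuse unless they match."""
    scanned = scanner_fetch(server)
    if not scan(scanned):
        return "blocked"
    loaded = loader_fetch(server)
    if hashlib.sha256(scanned).digest() != hashlib.sha256(loaded).digest():
        return "blocked_mismatch"  # what was checked is not what would run
    return outcome(loaded)


if __name__ == "__main__":
    rogue = RoguePseudoServer()
    print("vulnerable vs rogue share:", vulnerable_execute(rogue))
    print("requests seen by rogue server:", rogue.log[:3], "...")
    print("hardened vs rogue share:  ", hardened_execute(RoguePseudoServer()))
    print("hardened vs honest share: ", hardened_execute(HonestServer(CLEAN_IMAGE)))
```

Run it and the vulnerable flow reports ran_malicious against the rogue share while the hardened flow stops on the digest mismatch and still runs the clean file from an honest share. Short of that change inside the product, the practical mitigation is on the network side: block outbound SMB (TCP 445) to untrusted hosts so a rogue share is never reachable from the workstation in the first place.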
To work out which request comes from which process, the attacker has to implement enough of the SMB protocol to build a “pseudo-server” that can tell the two requests apart, for instance by their access pattern. According to CyberArk, Microsoft does not consider this a security issue.
“Thanks for your email. Based on your report, a successful attack requires a user to run/trust content from an untrusted SMB share backed by a custom server that can change its behavior depending on the access pattern. This doesn’t seem to be a security issue but a feature request which I have forwarded to the engineering group. Thanks again for reporting security issues to Microsoft responsibly and we appreciate your effort in doing so.”
The CyberArk researchers believe the technique may affect other antivirus products as well, since any product whose scanner and loader fetch a network-hosted executable independently is exposed to the same double fetch.
“If you are able to identify which requests are coming from native antivirus and which are coming from native operations from Windows, you can do the same trick for other antivirus,” the experts stated.