Hackers take advantage of the Illusion Gap technique to bypass Windows Defender

Windows Defender was introduced to the Windows operating system to act as the default antivirus. On October 24, 2006, Microsoft released Windows Defender to protect users from malicious code, malware, trojans and viruses.

Researchers at CyberArk have developed an attack method dubbed Illusion Gap for bypassing Windows Defender, which allows malware to avoid antivirus detection.

Windows Defender was originally developed to detect and remove computer viruses. However, with the proliferation of other kinds of malware, antivirus software started to provide protection from other computer threats. In particular, modern antivirus software can protect from malicious browser helper objects, browser hijackers, ransomware, keyloggers, backdoors, rootkits, trojan horses, worms, malicious LSPs, dialers, fraud tools, adware and spyware. Some products also include protection from other computer threats, such as infected and malicious URLs, spam, scam and phishing attacks, online identity and online banking attacks, social engineering techniques, advanced persistent threats and botnet DDoS attacks.

Security researchers from CyberArk have discovered a new technique that allows malware to bypass Windows Defender, the standard security software that comes included with all Windows operating systems.

What is Illusion Gap?

Illusion Gap is a technique used to bypass Windows Defender on Windows 10; in a nutshell, it tricks Windows Defender into not scanning the malicious payload that is actually executed.

How does Illusion Gap work?

The technique, nicknamed Illusion Gap, relies on a mixture of social engineering and the use of a rogue SMB server.

The technique affects the scanning process over SMB shares. The experts explained that antivirus solutions typically detect the execution of an executable file through a kernel callback and then scan the file, usually with a user-mode agent.

For Illusion Gap to work, the attacker must convince a user to execute a file hosted on a malicious SMB server under their control. This is not as complex as it sounds, as a simple shortcut file is all that’s needed.

The problems occur after the user double-clicks this malicious file. By default, Windows will request from the SMB server a copy of the file for the task of creating the process that executes the file, while Windows Defender will request a copy of the file in order to scan it. SMB servers can distinguish between these two requests, and this is a problem because an attacker can configure their malicious SMB server to respond with two different files.

If the executable file is already present on disk, the antivirus will not scan it on process creation because it has already scanned it on file creation. However, running an executable from an SMB share triggers an antivirus scan of the file on process creation as well.
The researchers demonstrated that a possible attack method consists in tricking the antivirus into scanning a different file than the one actually being executed.

The attacker can send a malicious file to the Windows PE Loader, and a benign file to Windows Defender. After Windows Defender scans the clean file and gives the go-ahead, the Windows PE Loader will execute the malicious file without Windows Defender realizing they’re two different files.

Proof of concept

The CyberArk researchers have published a detailed guide on how Illusion Gap works in depth.

In the example below, we can see that detectme.exe, detected by 49 anti-virus engines so far, is flagged as EICAR:

[Image: VirusTotal scan results for the test file]

How can you avoid becoming an Illusion Gap victim?

As this technique requires a rogue SMB server, be careful when accessing files on a server, and never open files from an untrusted server.

Never depend entirely on Windows Defender itself; use dedicated antivirus software. The best recommendation is for organizations not to rely solely on endpoint scanning and AV, and to take additional security measures.
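Since the attack hinges on a user launching an executable straight from an SMB share, one additional measure is to watch process-creation telemetry for launches whose image path is a UNC path on a file server the organization has not approved. The following script is an added example, not code from the article, from CyberArk or from Microsoft. It runs over a handful of constructed process-creation records (rendered as simple key=value lines, in the spirit of what an EDR or Sysmon would emit) and reports every launch from a share host that is either a raw IP address or absent from an allowlist; the log format, host names and allowlist are assumptions for illustration.

```python
"""Flag process launches from SMB (UNC) shares that are not on an allowlist.

Added example (not the article's, CyberArk's or Microsoft's code). The
key=value log format, the host names and the allowlist are assumptions.
"""
import ipaddress
import re
from typing import Dict, List, Optional

# Constructed sample events (not real telemetry): one process-creation
# record per line, with the executable in the "image" field.
SAMPLE_EVENTS = [
    "ts=2017-09-28T10:01:02 host=WS01 user=alice "
    "image=C:\\Windows\\System32\\notepad.exe parent=C:\\Windows\\explorer.exe",
    "ts=2017-09-28T10:02:15 host=WS01 user=alice "
    "image=\\\\fileserver.corp.example\\apps\\installer.exe parent=C:\\Windows\\explorer.exe",
    "ts=2017-09-28T10:03:40 host=WS01 user=alice "
    "image=\\\\203.0.113.7\\share\\detectme.exe parent=C:\\Windows\\explorer.exe",
    "ts=2017-09-28T10:04:01 host=WS02 user=bob "
    "image=\\\\unknown-host.example\\pub\\update.exe parent=C:\\Windows\\explorer.exe",
]

# Assumed allowlist of file servers from which executables may be run.
TRUSTED_SHARE_HOSTS = {"fileserver.corp.example"}

# A UNC path starts with two backslashes, then the host, then a backslash.
UNC_RE = re.compile(r"^\\\\([^\\]+)\\")
FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_event(line: str) -> Dict[str, str]:
    """Split a key=value log line into a dict (values contain no spaces here)."""
    return dict(FIELD_RE.findall(line))


def share_host(image: str) -> Optional[str]:
    """Return the lower-cased host of a UNC image path, or None for local paths."""
    m = UNC_RE.match(image)
    return m.group(1).lower() if m else None


def classify(event: Dict[str, str]) -> Optional[str]:
    """Return a reason string if the launch is suspicious, else None."""
    host = share_host(event.get("image", ""))
    if host is None:
        return None  # local executable: scanned on file creation, out of scope
    if host in TRUSTED_SHARE_HOSTS:
        return None  # launched from an approved file server
    try:
        ipaddress.ip_address(host)
        return "executable launched from a share addressed by raw IP"
    except ValueError:
        return "executable launched from a share host not on the allowlist"


def find_suspicious_launches(lines: List[str]) -> List[Dict[str, str]]:
    """Return one finding per process launch from an untrusted UNC share."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        reason = classify(ev)
        if reason:
            findings.append({
                "ts": ev.get("ts", "?"),
                "host": ev.get("host", "?"),
                "user": ev.get("user", "?"),
                "image": ev.get("image", ""),
                "share_host": share_host(ev.get("image", "")),
                "reason": reason,
            })
    return findings


if __name__ == "__main__":
    for f in find_suspicious_launches(SAMPLE_EVENTS):
        print(f"{f['ts']} {f['host']} {f['user']}: {f['image']} ({f['reason']})")
```

On the constructed input the launch from the approved corporate file server passes, while the two launches from a raw-IP host and from an unknown host are reported. In a real deployment the records would come from Sysmon Event ID 1 or Security event 4688 rather than hand-written lines, and the allowlist would be maintained alongside the organization's software-distribution shares.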

What did Microsoft say about this?

CyberArk reported the Illusion Gap attack to Microsoft, but the tech giant doesn’t consider it a security vulnerability.

“Based on your report, successful attack requires a user to run/trust content from an untrusted SMB share backed by a custom server that can change its behavior depending on the access pattern. This doesn’t seem to be a security issue but a feature,” reads Microsoft’s response to the CyberArk Labs findings on Illusion Gap.
