Skip to main content

New Malware Can Infect Computers, Even With Windows Defender

By October 11, 2017June 22nd, 2022Cybersecurity

Researchers at the security firm CyberArk have discovered a new attack vector they’ve dubbed “Illusion Gap.” While it’s somewhat tricky for a hacker to implement, when it works, it can be devastatingly effective, completely bypassing Windows Defender, which is security software that comes pre-loaded on all Windows-based computers.

To successfully execute the attack, the hacker relies on a combination of social engineering tricks and the use of a rogue SMB server. Thanks to the way Windows Defender scans files stored on an SMB share, if he can convince a user to execute a poisoned file hosted on a malicious server, then Windows Defender can be bypassed completely.

This is actually not as difficult as it may first appear. Often, simply presenting the user with a shortcut to the poisoned file is sufficient, and the moment that a user double clicks the shortcut, the damage is done.

Windows Defender does try, because before the file is executed, it requests a copy for scanning purposes, but the hackers can simply substitute a clean copy of the file to hand off to Windows Defender, tricking it into thinking that there’s no problem. That done, the poisoned file executes and can inject whatever code the hacker likes into the target system.

Unfortunately, Microsoft does not view this as a security issue at all. CyberArk contacted Microsoft when they discovered the flaw, and received the following as a response from the company:

“Thanks for your email. Based on your report, successful attack requires a user to run/trust content from an untrusted SMB share backed by a custom server that can change its behavior depending on the access pattern. This doesn’t seem to be a security issue but a feature request which I have forwarded to the engineering group.

Thanks again for reporting security issues to Microsoft responsibly and we appreciate your effort in doing so.”

All that is to say, where Illusion Gap is concerned, you’re on your own, at least for the time being. Be very careful when you click on any file hosted on an SMB server, or any shortcuts to them.

Chris Forte

Chris Forte, President and CEO of Olmec Systems, has been in the MSP workspace for the past 25 years. Chris earned his Master’s Degree from West Virginia University, graduating Magna Cum Laude. He was a past member of the Entrepreneurs’ Organization, a current member of the New Jersey Power Partners and Executive Association of New Jersey, where he has previously served on its board of directors. In his spare time, Chris enjoys traveling with his family. He also admits to being a struggling golfer and avid watcher of college football and basketball. He currently lives in Boonton Township, NJ with his wife, two daughters, son, and black lab Luna.