Multiple Vendor Anti-Virus Software Detection Evasion Vulnerability through

Ouch!

-----Original Message-----
From: Andrey Bayora [mailto:andrey@xxxxxxxxxxxxxxx]
Sent: Wednesday, 26 October 2005 12:01 AM
To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: Multiple Vendor Anti-Virus Software Detection Evasion
Vulnerability through

Multiple Vendor Anti-Virus Software Detection Evasion Vulnerability
through forged magic byte.



AUTHOR: Andrey Bayora (www.securityelf.org)



For more details, screenshots and examples please read my article "The
Magic of magic byte" at www.securityelf.org . In addition, you will find
a sample "triple headed" program which has 3 different 'execution entry
points', depending on the extension of the file (exe, html or eml) -
just change the extension and the SAME file will be executed by (at
least) THREE DIFFERENT programs! (thanks to contributing author Wayne
Langlois from www.diamondcs.com.au).

DATE: October 25, 2005



VULNERABLE vendors and software (tested):



1.  ArcaVir 2005 (engine 2005-06-03,vir def 2005-06-27, scanner ver
2005-03-06, package ver 2005-06-21)

2.  AVG 7 (updates 24 June, ver.7.0.323, virus base 267.8.0/27)

3.  eTrust CA (ver 7.0.1.4, engine 11.9.1, vir sig. 9229)

4.  Dr.Web (v.4.32b, update 27.06.2005)

5.  F-Prot (ver. 3.16c, update 6/24/2005)

6.  Ikarus (latest demo version for DOS)

7.  Kaspersky (update 24 June, ver. 5.0.372)

8.  McAfee Internet Security Suite 7.1.5 (updates 25 June, ver 9.1.08,
engine 4.4.00, dat 4.0.4519 6/22/2005)

9.  McAfee Corporate (updates 25 June, ver. 8.0.0 patch 10, vir def
4521, engine 4400)

10. Norman ( ver 5.81, engine 5.83.02, update 2005/06/23)

11. TrendMicro PC-Cillin 2005 (ver 12.0.1244, engine 7.510.1002, pattern
2.701.00)

12. TrendMicro OfficeScan (ver7.0, engine 7.510.1002, vir pattern
2.701.00
6/23/2005)

13. Panda Titanium 2005 (updates 24 June, ver 4.02.01)

14. UNA - Ukrainian National Antivirus (ver. 1.83.2.16 kernel v.265)

15. Sophos 3.91 (engine 2.28.4, virData 3.91)



IMPORTANT NOTE:

Similar vulnerability may exist in many other antivirus\anti-spyware
desktop and gateway products. In addition, various "file filter"
solutions may be affected as well.



NOT VULNERABLE vendors and software (tested):



1.  F-Secure (updates 24 June, ver 5.56 b.10450)

2.  Avast (ver. 4.6.655, vir databas 0525-5 06/25/2005)

3.  BitDefender (ver. 8.0.200, update 6/24/2005, engine 7.01934)

4.  ClamWin (ver. 0.86.1, upd 24 June 2005)

5.  NOD32 (updates 24 June, ver 2.50.25, vir database 1.1152)

6.  Symantec Corporate (ver 10.0.0.359, engine 103.0.2.7)

7.  Norton Internet Security 2005 (ver 11.5.6.14)

8.  VBA32 (ver 3.10.4, updates 27.06.2005)

9.  HBEDV Antivir Personal (ver 6.31.00.01, engine 6.31.0.7, vir def
6.31.0.109 6/24/2005)

10. Sophos 5 (ver. 5.0.2, vir def 3.93, upd 6/30/2005)

11. Sophos 3.95 (engine 2.30.4)



SEVERITY: critical



DESCRIPTION:



The problem exists in the scanning engine - in the routine that
determines the file type. If some file types (file types tested are
.BAT, .HTML and
.EML) changed to have the MAGIC BYTE of the EXE files (MZ) at the
beginning, then many antivirus programs will be unable to detect the
malicious file. It will break the normal flow of the antivirus scanning
and many existent and future viruses will be undetected.



NOTE: In my test, I used the EXE headers (MZ), but it is possible to use
other headers (magic byte) that will lead to the same effect.



ANALYSIS:



Some file types like .bat, .html and .eml can be properly executed even
if they have some "unrelated" beginning. For example, in the case of
.BAT files - it is possible to prepend some "junk" data at the beginning
of the file without altering correct execution of the batch file. In my
tests, I used the calc.exe headers (first 120 bytes - middle of the
dosstub section) to change 5 different files of existing viruses. In
addition, the simplest test of this vulnerability is to prepend only the
magic byte (MZ) to the existing malicious file and check if this file is
detected by antivirus program.



NOTE, that this is NOT the case where the change of existing virus file
resulted in the "broken" detection signature (see details and the test
logic in "The Magic of magic byte" article at www.securityelf.org).



WORKAROUND:

I did not found any effective one besides of patching the vulnerable
engine.



CREDITS:

The idea for this vulnerability came during discussions from Wayne
Langlois at diamondcs.com.au, who hinted that JPEGs could probably be
exploited in this way.



TIME LINE:



July 13, 2005 - Initial vendor notification

July 16, 2005 - Second vendor notification

.....Waiting.....Waiting....

October 24, 2005 - Public disclosure (uncoordinated)



















All mail to and from this network has been scanned for viruses



Other related posts: