I'm with ya. I still remember the article Peter Norton wrote saying that viruses will never be a threat to the general populace.

>-----
>Robert Bosch Corporation
>Technical Systems Analyst (RBNA/CSA1)
>Corporate Sales Reporting Systems
>38000 Hills Tech Drive - Farmington Hills, MI 48331 - USA
>phone: 1 (248) 876-1164 fax: 1 (248) 876-6969
>shawn.quillman@xxxxxxxxxxxx
>http://www.bosch.us

-----Original Message-----
From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx]
Sent: Wednesday, October 26, 2005 8:56 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Multiple Vendor Anti-Virus Software Detection Evasion Vulnerability through

http://www.ISAserver.org

This has to be the one time where I feel good to be a Norton fan.

Thomas W Shinder, M.D.
Site: www.isaserver.org
Blog: http://spaces.msn.com/members/drisa/
Book: http://tinyurl.com/3xqb7
MVP -- ISA Firewalls
**Who is John Galt?**

> -----Original Message-----
> From: Steve Moffat [mailto:steve@xxxxxxxxxx]
> Sent: Wednesday, October 26, 2005 7:51 PM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: Multiple Vendor Anti-Virus Software Detection Evasion Vulnerability through
>
> http://www.ISAserver.org
>
> So much for the TREND groupies.....rofl
>
> -----Original Message-----
> From: Greg Mulholland [mailto:greg@xxxxxxxxxxxxxx]
> Sent: Wednesday, October 26, 2005 9:06 PM
> To: ISA Mailing List
> Subject: [isalist] Multiple Vendor Anti-Virus Software Detection Evasion Vulnerability through
>
> http://www.ISAserver.org
>
> Ouch!
>
> -----Original Message-----
> From: Andrey Bayora [mailto:andrey@xxxxxxxxxxxxxxx]
> Sent: Wednesday, 26 October 2005 12:01 AM
> To: bugtraq@xxxxxxxxxxxxxxxxx
> Subject: Multiple Vendor Anti-Virus Software Detection Evasion Vulnerability through
>
> Multiple Vendor Anti-Virus Software Detection Evasion Vulnerability through forged magic byte.
>
> AUTHOR: Andrey Bayora (www.securityelf.org)
>
> For more details, screenshots and examples please read my article "The Magic of magic byte" at www.securityelf.org. In addition, you will find a sample "triple headed" program which has 3 different 'execution entry points', depending on the extension of the file (exe, html or eml) - just change the extension and the SAME file will be executed by (at least) THREE DIFFERENT programs! (thanks to contributing author Wayne Langlois from www.diamondcs.com.au).
>
> DATE: October 25, 2005
>
> VULNERABLE vendors and software (tested):
>
> 1. ArcaVir 2005 (engine 2005-06-03, vir def 2005-06-27, scanner ver 2005-03-06, package ver 2005-06-21)
> 2. AVG 7 (updates 24 June, ver. 7.0.323, virus base 267.8.0/27)
> 3. eTrust CA (ver 7.0.1.4, engine 11.9.1, vir sig. 9229)
> 4. Dr.Web (v.4.32b, update 27.06.2005)
> 5. F-Prot (ver. 3.16c, update 6/24/2005)
> 6. Ikarus (latest demo version for DOS)
> 7. Kaspersky (update 24 June, ver. 5.0.372)
> 8. McAfee Internet Security Suite 7.1.5 (updates 25 June, ver 9.1.08, engine 4.4.00, dat 4.0.4519 6/22/2005)
> 9. McAfee Corporate (updates 25 June, ver. 8.0.0 patch 10, vir def 4521, engine 4400)
> 10. Norman (ver 5.81, engine 5.83.02, update 2005/06/23)
> 11. TrendMicro PC-Cillin 2005 (ver 12.0.1244, engine 7.510.1002, pattern 2.701.00)
> 12. TrendMicro OfficeScan (ver 7.0, engine 7.510.1002, vir pattern 2.701.00 6/23/2005)
> 13. Panda Titanium 2005 (updates 24 June, ver 4.02.01)
> 14. UNA - Ukrainian National Antivirus (ver. 1.83.2.16 kernel v.265)
> 15. Sophos 3.91 (engine 2.28.4, virData 3.91)
>
> IMPORTANT NOTE:
> A similar vulnerability may exist in many other antivirus/anti-spyware desktop and gateway products. In addition, various "file filter" solutions may be affected as well.
>
> NOT VULNERABLE vendors and software (tested):
>
> 1. F-Secure (updates 24 June, ver 5.56 b.10450)
> 2. Avast (ver. 4.6.655, vir database 0525-5 06/25/2005)
> 3. BitDefender (ver. 8.0.200, update 6/24/2005, engine 7.01934)
> 4. ClamWin (ver. 0.86.1, upd 24 June 2005)
> 5. NOD32 (updates 24 June, ver 2.50.25, vir database 1.1152)
> 6. Symantec Corporate (ver 10.0.0.359, engine 103.0.2.7)
> 7. Norton Internet Security 2005 (ver 11.5.6.14)
> 8. VBA32 (ver 3.10.4, updates 27.06.2005)
> 9. HBEDV Antivir Personal (ver 6.31.00.01, engine 6.31.0.7, vir def 6.31.0.109 6/24/2005)
> 10. Sophos 5 (ver. 5.0.2, vir def 3.93, upd 6/30/2005)
> 11. Sophos 3.95 (engine 2.30.4)
>
> SEVERITY: critical
>
> DESCRIPTION:
>
> The problem exists in the scanning engine - in the routine that determines the file type. If some file types (the file types tested are .BAT, .HTML and .EML) are changed to have the MAGIC BYTE of EXE files (MZ) at the beginning, then many antivirus programs will be unable to detect the malicious file. It will break the normal flow of the antivirus scanning, and many existing and future viruses will go undetected.
>
> NOTE: In my test, I used the EXE headers (MZ), but it is possible to use other headers (magic bytes) that will lead to the same effect.
>
> ANALYSIS:
>
> Some file types like .bat, .html and .eml can be properly executed even if they have some "unrelated" beginning. For example, in the case of .BAT files it is possible to prepend some "junk" data at the beginning of the file without altering correct execution of the batch file. In my tests, I used the calc.exe headers (first 120 bytes - middle of the dosstub section) to change 5 different files of existing viruses. In addition, the simplest test of this vulnerability is to prepend only the magic byte (MZ) to an existing malicious file and check if this file is detected by the antivirus program.
>
> NOTE that this is NOT the case where the change of an existing virus file resulted in a "broken" detection signature (see details and the test logic in "The Magic of magic byte" article at www.securityelf.org).
>
> WORKAROUND:
>
> I did not find any effective one besides patching the vulnerable engine.
>
> CREDITS:
>
> The idea for this vulnerability came during discussions with Wayne Langlois at diamondcs.com.au, who hinted that JPEGs could probably be exploited in this way.
>
> TIME LINE:
>
> July 13, 2005 - Initial vendor notification
> July 16, 2005 - Second vendor notification
> .....Waiting.....Waiting....
> October 24, 2005 - Public disclosure (uncoordinated)
>
> All mail to and from this network has been scanned for viruses
>
> ------------------------------------------------------
> List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
> ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
> ------------------------------------------------------
> Visit TechGenix.com for more information about our other sites:
> http://www.techgenix.com
> ------------------------------------------------------
> You are currently subscribed to this ISAserver.org Discussion List as: isalist@xxxxxxxxxx
> To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist
> Report abuse to listadmin@xxxxxxxxxxxxx
>
> The correct technical term for haggis stalking is "havering".
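The type-dispatch flaw the advisory describes, worked through as an added example (this is the editor's illustration, not code from the advisory, from securityelf.org or from any listed vendor): a naive sniffer that trusts the leading `MZ`, a scanner that selects one signature set from that guess and therefore misses a batch payload hidden behind a forged executable header, and two hardened variants. The signature patterns, the batch samples, the 120-byte MZ stub and every function name below are constructed for the example and are not real virus definitions or product APIs.

```python
"""Forged-magic-byte evasion against a type-dispatched scanner, and two fixes.

Added example; not code from the advisory or from any of the listed products.
The signature patterns, the batch samples and the MZ stub are constructed for
illustration only.
"""
import struct

# Constructed stand-ins for virus-definition patterns, keyed by the file type
# whose signature set a type-dispatched engine would select.
SIGNATURES = {
    "exe":  [b"CONSTRUCTED_PE_PATTERN"],
    "html": [b"<script>constructed_payload()</script>"],
    "bat":  [b"echo CONSTRUCTED_BATCH_PAYLOAD"],
}

# Constructed samples: a harmless batch file and one carrying the "bat" pattern.
CLEAN_BAT = b"@echo off\r\necho hello\r\n"
MALICIOUS_BAT = b"@echo off\r\necho CONSTRUCTED_BATCH_PAYLOAD\r\n"

# Constructed 120-byte DOS header and stub, in the spirit of the advisory's
# "first 120 bytes of calc.exe": 'MZ', a zeroed header whose e_lfanew field
# (offset 0x3c) points to 0x80, the familiar stub message, zero padding.
MZ_STUB = (b"MZ" + b"\x00" * 58 + struct.pack("<I", 0x80)
           + b"This program cannot be run in DOS mode.\r\n$").ljust(120, b"\x00")


def forge_magic(payload: bytes, stub: bytes = MZ_STUB) -> bytes:
    """Prepend a forged executable header to a script-type payload.

    The CRLF after the stub keeps the real script on its own line, so the
    batch interpreter sees one garbage line before the genuine commands.
    """
    return stub + b"\r\n" + payload


def sniff_type(data: bytes) -> str:
    """Naive type detection: the leading magic bytes decide, nothing else."""
    if data[:2] == b"MZ":
        return "exe"
    head = data[:512].lower()
    if b"<html" in head or b"<script" in head:
        return "html"
    return "bat"  # constructed default: remaining text is treated as batch


def scan_by_sniffed_type(data: bytes) -> list:
    """Vulnerable flow: run only the signature set for the sniffed type."""
    kind = sniff_type(data)
    return [f"{kind}:{i}" for i, sig in enumerate(SIGNATURES[kind]) if sig in data]


def looks_like_pe(data: bytes) -> bool:
    """Structural check: an 'MZ' file is a PE only if e_lfanew lands on 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def sniff_type_strict(data: bytes) -> str:
    """Hardened detection: 'MZ' without a valid PE header is not an executable."""
    if data[:2] == b"MZ" and not looks_like_pe(data):
        return "unknown"
    return sniff_type(data)


def scan_all_types(data: bytes) -> list:
    """Hardened flow: the sniffed type is only a hint; every signature set runs.

    Costs more CPU per file, but cannot be steered by a forged magic byte.
    """
    return [f"{kind}:{i}"
            for kind, sigs in SIGNATURES.items()
            for i, sig in enumerate(sigs) if sig in data]


if __name__ == "__main__":
    forged = forge_magic(MALICIOUS_BAT)
    print("naive type:   ", sniff_type(forged))            # exe
    print("naive scan:   ", scan_by_sniffed_type(forged))  # [] -> missed
    print("strict type:  ", sniff_type_strict(forged))     # unknown
    print("scan all sets:", scan_all_types(forged))        # ['bat:0']
```

Run as a script, the naive path reports the forged file as `exe` with no hits, while the strict header check and the run-everything scan both catch the batch pattern. `looks_like_pe` only closes the MZ case the advisory tested; since the advisory notes that other magic bytes give the same effect, the general fix is the second one: treat the sniffed type as a hint and keep looking for script content whatever the header claims. The same forged sample, written to disk, is also the quickest way to check a gateway or desktop engine of your own.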