RE: Multiple Vendor Anti-Virus Software Detection Evasion Vulnerability through

I'm with ya.  I still remember the article Peter Norton wrote saying
that viruses will never be a threat to the general populace. 


>-----
>Robert Bosch Corporation
>Technical Systems Analyst (RBNA/CSA1)
>Corporate Sales Reporting Systems
>38000 Hills Tech Drive - Farmington Hills, MI 48331 - USA
>phone: 1 (248) 876-1164    fax: 1 (248) 876-6969
>shawn.quillman@xxxxxxxxxxxx
>http://www.bosch.us

-----Original Message-----
From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx] 
Sent: Wednesday, October 26, 2005 8:56 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Multiple Vendor Anti-Virus Software Detection
Evasion Vulnerability through

http://www.ISAserver.org

This has to be the one time where I feel good to be a Norton fan.

Thomas W Shinder, M.D.
Site: www.isaserver.org
Blog: http://spaces.msn.com/members/drisa/
Book: http://tinyurl.com/3xqb7
MVP -- ISA Firewalls
**Who is John Galt?**

 

> -----Original Message-----
> From: Steve Moffat [mailto:steve@xxxxxxxxxx] 
> Sent: Wednesday, October 26, 2005 7:51 PM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: Multiple Vendor Anti-Virus Software 
> Detection Evasion Vulnerability through
> 
> http://www.ISAserver.org
> 
> So much for the TREND groupies.....rofl 
> 
> -----Original Message-----
> From: Greg Mulholland [mailto:greg@xxxxxxxxxxxxxx] 
> Sent: Wednesday, October 26, 2005 9:06 PM
> To: ISA Mailing List
> Subject: [isalist] Multiple Vendor Anti-Virus Software 
> Detection Evasion
> Vulnerability through
> 
> http://www.ISAserver.org
> 
> 
> Ouch!
> 
> -----Original Message-----
> From: Andrey Bayora [mailto:andrey@xxxxxxxxxxxxxxx]
> Sent: Wednesday, 26 October 2005 12:01 AM
> To: bugtraq@xxxxxxxxxxxxxxxxx
> Subject: Multiple Vendor Anti-Virus Software Detection Evasion
> Vulnerability through
> 
> Multiple Vendor Anti-Virus Software Detection Evasion Vulnerability
> through forged magic byte.
> 
> 
> 
> AUTHOR: Andrey Bayora (www.securityelf.org)
> 
> 
> 
> For more details, screenshots and examples please read my article "The
> Magic of magic byte" at www.securityelf.org . In addition, you will find
> a sample "triple headed" program which has 3 different 'execution entry
> points', depending on the extension of the file (exe, html or eml) -
> just change the extension and the SAME file will be executed by (at
> least) THREE DIFFERENT programs! (thanks to contributing author Wayne
> Langlois from www.diamondcs.com.au).
> 
> DATE: October 25, 2005
> 
> 
> 
> VULNERABLE vendors and software (tested):
> 
> 
> 
> 1.  ArcaVir 2005 (engine 2005-06-03,vir def 2005-06-27, scanner ver
> 2005-03-06, package ver 2005-06-21)
> 
> 2.  AVG 7 (updates 24 June, ver.7.0.323, virus base 267.8.0/27)
> 
> 3.  eTrust CA (ver 7.0.1.4, engine 11.9.1, vir sig. 9229)
> 
> 4.  Dr.Web (v.4.32b, update 27.06.2005)
> 
> 5.  F-Prot (ver. 3.16c, update 6/24/2005)
> 
> 6.  Ikarus (latest demo version for DOS)
> 
> 7.  Kaspersky (update 24 June, ver. 5.0.372)
> 
> 8.  McAfee Internet Security Suite 7.1.5 (updates 25 June, ver 9.1.08,
> engine 4.4.00, dat 4.0.4519 6/22/2005)
> 
> 9.  McAfee Corporate (updates 25 June, ver. 8.0.0 patch 10, vir def
> 4521, engine 4400)
> 
> 10. Norman ( ver 5.81, engine 5.83.02, update 2005/06/23)
> 
> 11. TrendMicro PC-Cillin 2005 (ver 12.0.1244, engine 7.510.1002, pattern
> 2.701.00)
> 
> 12. TrendMicro OfficeScan (ver 7.0, engine 7.510.1002, vir pattern
> 2.701.00 6/23/2005)
> 
> 13. Panda Titanium 2005 (updates 24 June, ver 4.02.01)
> 
> 14. UNA - Ukrainian National Antivirus (ver. 1.83.2.16 kernel v.265)
> 
> 15. Sophos 3.91 (engine 2.28.4, virData 3.91)
> 
> 
> 
> IMPORTANT NOTE:
> 
> A similar vulnerability may exist in many other antivirus\anti-spyware
> desktop and gateway products. In addition, various "file filter"
> solutions may be affected as well.
> 
> 
> 
> NOT VULNERABLE vendors and software (tested):
> 
> 
> 
> 1.  F-Secure (updates 24 June, ver 5.56 b.10450)
> 
> 2.  Avast (ver. 4.6.655, vir database 0525-5 06/25/2005)
> 
> 3.  BitDefender (ver. 8.0.200, update 6/24/2005, engine 7.01934)
> 
> 4.  ClamWin (ver. 0.86.1, upd 24 June 2005)
> 
> 5.  NOD32 (updates 24 June, ver 2.50.25, vir database 1.1152)
> 
> 6.  Symantec Corporate (ver 10.0.0.359, engine 103.0.2.7)
> 
> 7.  Norton Internet Security 2005 (ver 11.5.6.14)
> 
> 8.  VBA32 (ver 3.10.4, updates 27.06.2005)
> 
> 9.  HBEDV Antivir Personal (ver 6.31.00.01, engine 6.31.0.7, vir def
> 6.31.0.109 6/24/2005)
> 
> 10. Sophos 5 (ver. 5.0.2, vir def 3.93, upd 6/30/2005)
> 
> 11. Sophos 3.95 (engine 2.30.4)
> 
> 
> 
> SEVERITY: critical
> 
> 
> 
> DESCRIPTION:
> 
> 
> 
> The problem exists in the scanning engine - in the routine that
> determines the file type. If some file types (file types tested are
> .BAT, .HTML and .EML) are changed to have the MAGIC BYTE of the EXE
> files (MZ) at the beginning, then many antivirus programs will be unable
> to detect the malicious file. It will break the normal flow of the
> antivirus scanning and many existing and future viruses will go
> undetected.
> 
> 
> 
> NOTE: In my test, I used the EXE headers (MZ), but it is possible to use
> other headers (magic byte) that will lead to the same effect.
> 
> 
> 
> ANALYSIS:
> 
> 
> 
> Some file types like .bat, .html and .eml can be properly executed even
> if they have some "unrelated" beginning. For example, in the case of
> .BAT files - it is possible to prepend some "junk" data at the beginning
> of the file without altering correct execution of the batch file. In my
> tests, I used the calc.exe headers (first 120 bytes - middle of the
> dosstub section) to change 5 different files of existing viruses. In
> addition, the simplest test of this vulnerability is to prepend only the
> magic byte (MZ) to the existing malicious file and check if this file is
> detected by the antivirus program.
> 
> 
> 
> NOTE that this is NOT the case where the change of an existing virus
> file resulted in a "broken" detection signature (see details and the
> test logic in "The Magic of magic byte" article at www.securityelf.org).
> 
> 
> 
> WORKAROUND:
> 
> I did not find any effective one besides patching the vulnerable
> engine.
> 
> 
> 
> CREDITS:
> 
> The idea for this vulnerability came during discussions with Wayne
> Langlois at diamondcs.com.au, who hinted that JPEGs could probably be
> exploited in this way.
> 
> 
> 
> TIME LINE:
> 
> 
> 
> July 13, 2005 - Initial vendor notification
> 
> July 16, 2005 - Second vendor notification
> 
> .....Waiting.....Waiting....
> 
> October 24, 2005 - Public disclosure (uncoordinated)
> 
> All mail to and from this network has been scanned for viruses
> 
> 
> ------------------------------------------------------
> List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
> ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
> ------------------------------------------------------
> Visit TechGenix.com for more information about our other sites:
> http://www.techgenix.com
> ------------------------------------------------------
> You are currently subscribed to this ISAserver.org Discussion List as:
> isalist@xxxxxxxxxx To unsubscribe visit
> http://www.webelists.com/cgi/lyris.pl?enter=isalist
> Report abuse to listadmin@xxxxxxxxxxxxx
> 
> The correct technical term for haggis stalking is "havering". 
> 
> 

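The engine weakness Bayora describes is a dispatch problem: the file-type sniffer trusts the first magic bytes it sees and then runs only that type's rules, so a script with "MZ" prepended is handed to the PE scanner alone and the script rules never fire. The following is an added example, not code from the advisory, the thread, or any of the listed vendors: a toy scanner with that first-match behaviour next to a hardened variant that treats magic bytes as a reason to add scanners rather than exclude them, and that flags an MZ header whose e_lfanew field does not lead to a "PE\0\0" signature. The signature strings, the fake DOS stub and the sample batch file are all constructed for the demonstration and stand in for real detection rules.

```python
"""Toy file-type dispatch: first-match (weak) versus all-candidates (hardened).

Added example; the signatures and samples below are constructed stand-ins
and are not real antivirus rules or real malware.
"""
import struct

# Constructed content rules keyed by the interpreter that would run the file.
TEXT_SIGNATURES = {
    "bat": rb"echo CONSTRUCTED_BAT_MARKER",
    "html": rb"CONSTRUCTED_HTML_MARKER",
    "eml": rb"X-Constructed-Eml-Marker",
}
PE_SIGNATURE = rb"CONSTRUCTED_PE_MARKER"


def looks_like_valid_pe(data: bytes) -> bool:
    """Heuristic check that an MZ header really leads to a PE header.

    In a genuine PE file the DOS header field e_lfanew (offset 0x3c) holds
    the offset of the 'PE\\0\\0' signature. Junk that merely starts with
    'MZ' fails this check. Real engines validate much more than this.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def scan_first_match(data: bytes) -> list[str]:
    """Weak engine: classify by the first magic bytes and scan for that type only."""
    if data[:2] == b"MZ":
        # Only the PE rules run; script rules are never consulted.
        return ["pe"] if PE_SIGNATURE in data else []
    return [kind for kind, sig in TEXT_SIGNATURES.items() if sig in data]


def scan_all_candidates(data: bytes) -> list[str]:
    """Hardened engine: magic bytes add scanners, they never exclude any.

    Interpreted formats (.bat, .html, .eml) tolerate leading junk, so their
    rules are applied to every file regardless of magic bytes. An MZ header
    only adds the PE scanner, and an MZ header that does not lead to a PE
    signature is reported as an anomaly in its own right.
    """
    hits = []
    if data[:2] == b"MZ":
        if not looks_like_valid_pe(data):
            hits.append("suspicious-mz-header")
        elif PE_SIGNATURE in data:
            hits.append("pe")
    hits.extend(kind for kind, sig in TEXT_SIGNATURES.items() if sig in data)
    return hits


def build_minimal_pe_stub(payload: bytes = b"") -> bytes:
    """Construct a 64-byte DOS header whose e_lfanew points at a PE signature."""
    header = bytearray(b"MZ" + b"\x00" * 62)
    struct.pack_into("<I", header, 0x3C, 64)
    return bytes(header) + b"PE\x00\x00" + payload


# Constructed samples: a batch script matching the toy rule, and the same
# script with a 64-byte fake DOS stub (e_lfanew = 0) prepended.
PLAIN_BAT = b"@echo off\r\necho CONSTRUCTED_BAT_MARKER\r\n"
FAKE_MZ_STUB = b"MZ" + b"\x00" * 62
DISGUISED_BAT = FAKE_MZ_STUB + PLAIN_BAT


if __name__ == "__main__":
    for name, sample in [("plain", PLAIN_BAT), ("disguised", DISGUISED_BAT)]:
        print(name, "first-match:", scan_first_match(sample),
              "all-candidates:", scan_all_candidates(sample))
```

Running the block shows the disguised sample slipping past the first-match engine with an empty result, while the hardened engine reports both the script rule hit and the malformed MZ header. The design point is the one the advisory's workaround hints at: there is no file-level fix for a scanner that lets a two-byte prefix switch off a whole class of rules, so the dispatch logic itself has to change.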