RE: Multiple Vendor Anti-Virus Software Detection Evasion Vulnerability through

• From: "Steve Moffat" <steve@xxxxxxxxxx>
• To: "ISA Mailing List" <isalist@xxxxxxxxxxxxx>
• Date: Wed, 26 Oct 2005 21:57:54 -0300

I just sold SAV 10 to a 200 user company....Replacing etrust...:)) 

-----Original Message-----
From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx] 
Sent: Wednesday, October 26, 2005 9:56 PM
To: ISA Mailing List
Subject: [isalist] RE: Multiple Vendor Anti-Virus Software Detection
Evasion Vulnerability through

http://www.ISAserver.org

This has to be the one time where I feel good to be a Norton fan.

Thomas W Shinder, M.D.
Site: www.isaserver.org
Blog: http://spaces.msn.com/members/drisa/
Book: http://tinyurl.com/3xqb7
MVP -- ISA Firewalls
**Who is John Galt?**

 

> -----Original Message-----
> From: Steve Moffat [mailto:steve@xxxxxxxxxx]
> Sent: Wednesday, October 26, 2005 7:51 PM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: Multiple Vendor Anti-Virus Software Detection 
> Evasion Vulnerability through
> 
> http://www.ISAserver.org
> 
> So much for the TREND groupies.....rofl
> 
> -----Original Message-----
> From: Greg Mulholland [mailto:greg@xxxxxxxxxxxxxx]
> Sent: Wednesday, October 26, 2005 9:06 PM
> To: ISA Mailing List
> Subject: [isalist] Multiple Vendor Anti-Virus Software Detection 
> Evasion Vulnerability through
> 
> http://www.ISAserver.org
> 
> 
> Ouch!
> 
> -----Original Message-----
> From: Andrey Bayora [mailto:andrey@xxxxxxxxxxxxxxx]
> Sent: Wednesday, 26 October 2005 12:01 AM
> To: bugtraq@xxxxxxxxxxxxxxxxx
> Subject: Multiple Vendor Anti-Virus Software Detection Evasion 
> Vulnerability through
> 
> Multiple Vendor Anti-Virus Software Detection Evasion Vulnerability 
> through forged magic byte.
> 
> 
> 
> AUTHOR: Andrey Bayora (www.securityelf.org)
> 
> 
> 
> For more details, screenshots and examples please read my article "The

> Magic of magic byte" at www.securityelf.org . In addition, you will 
> find a sample "triple headed" program which has 3 different 'execution

> entry points', depending on the extension of the file (exe, html or 
> eml) - just change the extension and the SAME file will be executed by

> (at
> least) THREE DIFFERENT programs! (thanks to contributing author Wayne 
> Langlois from www.diamondcs.com.au).
> 
> DATE: October 25, 2005
> 
> 
> 
> VULNERABLE vendors and software (tested):
> 
> 
> 
> 1.  ArcaVir 2005 (engine 2005-06-03,vir def 2005-06-27, scanner ver 
> 2005-03-06, package ver 2005-06-21)
> 
> 2.  AVG 7 (updates 24 June, ver.7.0.323, virus base 267.8.0/27)
> 
> 3.  eTrust CA (ver 7.0.1.4, engine 11.9.1, vir sig. 9229)
> 
> 4.  Dr.Web (v.4.32b, update 27.06.2005)
> 
> 5.  F-Prot (ver. 3.16c, update 6/24/2005)
> 
> 6.  Ikarus (latest demo version for DOS)
> 
> 7.  Kaspersky (update 24 June, ver. 5.0.372)
> 
> 8.  McAfee Internet Security Suite 7.1.5 (updates 25 June, ver 9.1.08,

> engine 4.4.00, dat 4.0.4519 6/22/2005)
> 
> 9.  McAfee Corporate (updates 25 June, ver. 8.0.0 patch 10, vir def 
> 4521, engine 4400)
> 
> 10. Norman ( ver 5.81, engine 5.83.02, update 2005/06/23)
> 
> 11. TrendMicro PC-Cillin 2005 (ver 12.0.1244, engine 7.510.1002, 
> pattern
> 2.701.00)
> 
> 12. TrendMicro OfficeScan (ver7.0, engine 7.510.1002, vir pattern 
> 2.701.00
> 6/23/2005)
> 
> 13. Panda Titanium 2005 (updates 24 June, ver 4.02.01)
> 
> 14. UNA - Ukrainian National Antivirus (ver. 1.83.2.16 kernel v.265)
> 
> 15. Sophos 3.91 (engine 2.28.4, virData 3.91)
> 
> 
> 
> IMPORTANT NOTE:
> 
> Similar vulnerability may exist in many other antivirus\anti-spyware 
> desktop and gateway products. In addition, various "file filter"
> solutions may be affected as well.
> 
> 
> 
> NOT VULNERABLE vendors and software (tested):
> 
> 
> 
> 1.  F-Secure (updates 24 June, ver 5.56 b.10450)
> 
> 2.  Avast (ver. 4.6.655, vir databas 0525-5 06/25/2005)
> 
> 3.  BitDefender (ver. 8.0.200, update 6/24/2005, engine 7.01934)
> 
> 4.  ClamWin (ver. 0.86.1, upd 24 June 2005)
> 
> 5.  NOD32 (updates 24 June, ver 2.50.25, vir database 1.1152)
> 
> 6.  Symantec Corporate (ver 10.0.0.359, engine 103.0.2.7)
> 
> 7.  Norton Internet Security 2005 (ver 11.5.6.14)
> 
> 8.  VBA32 (ver 3.10.4, updates 27.06.2005)
> 
> 9.  HBEDV Antivir Personal (ver 6.31.00.01, engine 6.31.0.7, vir def
> 6.31.0.109 6/24/2005)
> 
> 10. Sophos 5 (ver. 5.0.2, vir def 3.93, upd 6/30/2005)
> 
> 11. Sophos 3.95 (engine 2.30.4)
> 
> 
> 
> SEVERITY: critical
> 
> 
> 
> DESCRIPTION:
> 
> 
> 
> The problem exists in the scanning engine - in the routine that 
> determines the file type. If some file types (file types tested are 
> .BAT, .HTML and
> .EML) changed to have the MAGIC BYTE of the EXE files (MZ) at the 
> beginning, then many antivirus programs will be unable to detect the 
> malicious file. It will break the normal flow of the antivirus 
> scanning and many existent and future viruses will be undetected.
> 
> 
> 
> NOTE: In my test, I used the EXE headers (MZ), but it is possible to 
> use other headers (magic byte) that will lead to the same effect.
> 
> 
> 
> ANALYSIS:
> 
> 
> 
> Some file types like .bat, .html and .eml can be properly executed 
> even if they have some "unrelated" beginning. For example, in the case

> of .BAT files - it is possible to prepend some "junk" data at the 
> beginning of the file without altering correct execution of the batch 
> file. In my tests, I used the calc.exe headers (first 120 bytes - 
> middle of the dosstub section) to change 5 different files of existing

> viruses. In addition, the simplest test of this vulnerability is to 
> prepend only the magic byte (MZ) to the existing malicious file and 
> check if this file is detected by antivirus program.
> 
> 
> 
> NOTE, that this is NOT the case where the change of existing virus 
> file resulted in the "broken" detection signature (see details and the

> test logic in "The Magic of magic byte" article at 
> www.securityelf.org).
> 
> 
> 
> WORKAROUND:
> 
> I did not found any effective one besides of patching the vulnerable 
> engine.
> 
> 
> 
> CREDITS:
> 
> The idea for this vulnerability came during discussions from Wayne 
> Langlois at diamondcs.com.au, who hinted that JPEGs could probably be 
> exploited in this way.
> 
> 
> 
> TIME LINE:
> 
> 
> 
> July 13, 2005 - Initial vendor notification
> 
> July 16, 2005 - Second vendor notification
> 
> .....Waiting.....Waiting....
> 
> October 24, 2005 - Public disclosure (uncoordinated)
> 
> 
> 
> 
> 
> 
> 
> 
> 
> 
> 
> 
> 
> 
> 
> 
> 
> 
> 
> All mail to and from this network has been scanned for viruses
> 
> 
> ------------------------------------------------------
> List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
> ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
> ------------------------------------------------------
> Visit TechGenix.com for more information about our other sites:
> http://www.techgenix.com
> ------------------------------------------------------
> You are currently subscribed to this ISAserver.org Discussion List as:
> isalist@xxxxxxxxxx To unsubscribe visit 
> http://www.webelists.com/cgi/lyris.pl?enter=isalist
> Report abuse to listadmin@xxxxxxxxxxxxx
> 
> The correct technical term for haggis stalking is "havering". 
> 
> 
> ------------------------------------------------------
> List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
> ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
> ------------------------------------------------------
> Visit TechGenix.com for more information about our other sites:
> http://www.techgenix.com
> ------------------------------------------------------
> You are currently subscribed to this ISAserver.org Discussion List as:

> tshinder@xxxxxxxxxxxxxxxxxx To unsubscribe visit 
> http://www.webelists.com/cgi/lyris.pl?enter=isalist
> Report abuse to listadmin@xxxxxxxxxxxxx
> 
> 

------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Visit TechGenix.com for more information about our other sites:
http://www.techgenix.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
isalist@xxxxxxxxxx To unsubscribe visit
http://www.webelists.com/cgi/lyris.pl?enter=isalist
Report abuse to listadmin@xxxxxxxxxxxxx

The correct technical term for haggis stalking is "havering". 

Other related posts:

• » Multiple Vendor Anti-Virus Software Detection Evasion Vulnerability through
• » RE: Multiple Vendor Anti-Virus Software Detection Evasion Vulnerability through
• » RE: Multiple Vendor Anti-Virus Software Detection Evasion Vulnerability through
• » RE: Multiple Vendor Anti-Virus Software Detection Evasion Vulnerability through
• » RE: Multiple Vendor Anti-Virus Software Detection Evasion Vulnerability through
• » RE: Multiple Vendor Anti-Virus Software Detection Evasion Vulnerability through

1. Home
2. isalist
3. Archive
4. 10-2005

---

• » Previous by Date
• » Next by Date
• » Related Posts
• » View list details
• » Manage your subscription

---