Multiple Vendor AVs Magic Byte Detection Vuln.

Devilfrank

Multiple Vendor Anti-Virus Software Detection Evasion Vulnerability through forged magic byte.

AUTHOR:
Andrey Bayora (www.securityelf.org)
http://archives.neohapsis.com/archives/fulldisclosure/2005-10/0504.html

..
Multiple vendor anti-virus software is prone to a detection evasion vulnerability.

The problem presents itself in the way various anti-virus software determines the type of file it is scanning.

An attacker can exploit this vulnerability to pass malicious files past the anti-virus software. This results in a false sense of security, and ultimately could lead to the execution of arbitrary code on the victim user's machine...
...
Vulnerable:
Ukrainian National Antivirus UNA
Trend Micro PC-cillin 2005
Trend Micro OfficeScan Corporate Edition 7.0
Sophos Anti-Virus 3.91
Panda Titanium
Norman Virus Control 5.81
McAfee Internet Security Suite 7.1.5
Kaspersky Labs Anti-Virus 5.0.372
Ikarus Ikarus 2.32
F-Prot Antivirus 3.16c
eTrust eTrust CA 7.0.14
Dr.Web Dr.Web 4.32b
AVG AVG Anti-Virus 7.0.323
ArcaBit ArcaVir 2005.0

Not Vulnerable:
VirusBlokAda VBA32
Symantec Norton Internet Security 2005 11.5.6.14
Symantec AntiVirus Corporate Edition 10.0
Sophos Anti-Virus 5.0.2
Sophos Anti-Virus 3.95
Softwin BitDefender 8.0
NOD32 NOD32 2.50.25
H+BEDV AntiVir Personal 6.31.00.01
F-Secure Anti-Virus 5.56
ClamWin ClamWin 0.86.1
Avast! Antivirus Home Edition 4.6.655 ..."


SEVERITY:
critical

DESCRIPTION:
The problem exists in the scanning engine, in the routine that determines the file type. If files of some types (the types tested were .BAT, .HTML and .EML) are changed so that they begin with the magic bytes of an EXE file (MZ), then many antivirus programs are unable to detect the malicious file. The forged header breaks the normal flow of the antivirus scan, and many existing and future viruses go undetected.

NOTE:
In my test, I used the EXE header (MZ), but it is possible to use other headers (magic bytes) that will lead to the same effect.

ANALYSIS:
Some file types like .bat, .html and .eml can be properly executed even if they have some "unrelated" beginning. For example, in the case of .BAT files, it is possible to prepend some "junk" data at the beginning of the file without altering the correct execution of the batch file. In my tests, I used the calc.exe headers (the first 120 bytes, up to the middle of the DOS stub section) to change 5 different files of existing viruses. In addition, the simplest test of this vulnerability is to prepend only the magic bytes (MZ) to an existing malicious file and check whether this file is detected by the antivirus program.

NOTE that this is NOT the case where the change to an existing virus file resulted in a "broken" detection signature (see the details and the test logic in the "The Magic of magic byte" article at www.securityelf.org).

WORKAROUND:
I did not find any effective one besides patching the vulnerable engine.
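As an added example that is not part of the advisory above (none of Bayora's test files or the vendors' engines are reproduced), the following Python models the flaw and the engine-side fix. A naive scanner picks one file type from the leading bytes, sends anything starting with "MZ" down the PE path, gives up when the PE header does not parse, and reports "clean" without ever trying the batch, HTML or e-mail signatures. The hardened scanner treats the magic bytes as one hint among several (the delivered extension and content heuristics are the others), applies the signatures of every candidate type, and never lets a parser failure end the scan early. The MZ stub, the payloads, the signature patterns and the file names are all constructed for the demo and correspond to nothing real.

```python
import re

# ---- constructed sample data (not real malware, not the advisory's samples) ----
# A fake 105-byte DOS stub: 'MZ', zero padding, an e_lfanew field (offset 0x3c)
# pointing at 0x80 where no PE header exists, then the familiar stub message.
FAKE_MZ_STUB = (b"MZ" + b"\x00" * 58 + (0x80).to_bytes(4, "little")
                + b"This program cannot be run in DOS mode.\r\n")
BAT_PAYLOAD = b"@echo off\r\necho PAYLOAD-MARKER\r\n"
HTML_PAYLOAD = b"<html><body><script>x='PAYLOAD-MARKER';</script></body></html>"

# Constructed per-type "signatures"; a naive engine keeps one list per type and
# only ever consults the list belonging to the type it sniffed.
SIGNATURES = {
    "pe":   [re.compile(rb"PE-PAYLOAD-MARKER")],
    "bat":  [re.compile(rb"(?i)echo\s+PAYLOAD-MARKER")],
    "html": [re.compile(rb"(?is)<script>.*?PAYLOAD-MARKER")],
    "eml":  [re.compile(rb"(?i)Subject:.*PAYLOAD-MARKER")],
}


def extension_type(filename: str) -> str:
    """Type implied by the name the file was delivered with."""
    return filename.rsplit(".", 1)[-1].lower() if "." in filename else "unknown"


def sniff_magic(data: bytes) -> str:
    """Single-answer type detection from the leading bytes only."""
    if data[:2] == b"MZ":
        return "pe"
    if re.match(rb"\s*<(?:!doctype|html)", data, re.I):
        return "html"
    if re.match(rb"(?:From|Received|Return-Path):", data, re.I):
        return "eml"
    return "unknown"


def parse_pe(data: bytes) -> bool:
    """Minimal PE sanity check: e_lfanew (offset 0x3c) must point at 'PE\\0\\0'."""
    if len(data) < 0x40:
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def naive_scan(data: bytes, filename: str) -> str:
    """Vulnerable flow: trust the magic, then run only that type's signatures.
    A forged 'MZ' prefix sends BAT/HTML/EML content down the PE path, the PE
    parser rejects the bogus header, and the scan ends with 'clean'."""
    ftype = sniff_magic(data)
    if ftype == "pe" and not parse_pe(data):
        return "clean"  # parser failure aborts the scan: nothing else is tried
    if ftype == "unknown":
        ftype = extension_type(filename)
    return "infected" if any(s.search(data) for s in SIGNATURES.get(ftype, [])) else "clean"


def content_types(data: bytes) -> set:
    """Types whose interpreter would plausibly accept this content even with
    leading junk (the property the advisory relies on), found anywhere in the file."""
    found = set()
    if re.search(rb"(?im)^\s*@?(?:echo|set|start|cmd|call)\b", data):
        found.add("bat")
    if re.search(rb"(?i)<(?:html|script|body)\b", data):
        found.add("html")
    if re.search(rb"(?im)^(?:From|To|Subject|Content-Type):", data):
        found.add("eml")
    return found


def hardened_scan(data: bytes, filename: str) -> str:
    """Fixed flow: magic bytes are one hint among several. Every type that could
    interpret the file gets its signatures applied, and a failed PE parse does
    not end the scan."""
    candidates = {sniff_magic(data), extension_type(filename)} | content_types(data)
    candidates.discard("unknown")
    for ftype in candidates:
        if any(s.search(data) for s in SIGNATURES.get(ftype, [])):
            return "infected"
    return "clean"


def demo() -> dict:
    """(naive, hardened) verdicts for the plain, MZ-only and stub-prefixed variants."""
    cases = {
        "plain bat":   (BAT_PAYLOAD, "x.bat"),
        "mz-only bat": (b"MZ" + BAT_PAYLOAD, "x.bat"),
        "forged bat":  (FAKE_MZ_STUB + BAT_PAYLOAD, "x.bat"),
        "forged html": (FAKE_MZ_STUB + HTML_PAYLOAD, "x.html"),
    }
    return {name: (naive_scan(d, fn), hardened_scan(d, fn)) for name, (d, fn) in cases.items()}


if __name__ == "__main__":
    for name, (naive, hardened) in demo().items():
        print(f"{name:12s} naive={naive:8s} hardened={hardened}")
```

The "mz-only" case is the advisory's simplest test: two bytes prepended are enough to push the naive engine onto the PE path and off the batch signatures. The hardened variant is what "patching the vulnerable engine" amounts to in this toy: type detection must produce a set of candidates, not a single answer, and a malformed header is itself a reason to keep scanning rather than to stop.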

TIME LINE:
July 13, 2005 - Initial vendor notification
July 16, 2005 - Second vendor notification
.....Waiting.....Waiting....
October 24, 2005 - Public disclosure (uncoordinated)
 