[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <5.1.0.14.2.20040615122424.017e9410@webmail.compranet.gob.mx>
Date: Tue, 15 Jun 2004 12:48:07 -0500
From: Yosif Sleman <sleman@...pranet.gob.mx>
To: bugtraq@...urityfocus.com
Subject: Re: Multiple Antivirus Scanners DoS attack.
Solaris 8 box with Virus Scan for Solaris 4.32.0, engine 4.3.20 and data
file 4366 takes a lot of CPU and time to process the file, but the process
never crashed neither hanged, the CPU was around 96% of usage, and the
memory kept between 26 and 33MB (i have two webservers an a database
running on the test box and none was affected even with the uvscan taking
all the CPU).
At first, the scan stalled at the same point than Linux but after 3 mins
the scan continued without problems, i had to stop the scan 48 mins later
only with a 50% of the backdoor file processed because it was taking so
long to finish. (the cab files are the slowest to parse).
Regards,
Sleman
At 02:48 PM 14/06/2004 -0300, "Ethy H. Brito" <ethy@...xo.com.br> wrote:
>On Mon, 14 Jun 2004 14:38:50 +0000
>"bipin gautam" <visitbipin@...mail.com> wrote:
>
> > Multiple Antivirus Scanners DoS attack.
> >
> > --- [Vulnerable Products] ---
> > Only tested on...
> >
> > * Norton Antivirus 2002
> > * Norton Antivirus 2003
> > * Mcafee VirusScan 6
> > * Network Associates (McAfee) VirusScan Enterprise 7.1
> > * Windows Xp default ZIP manager [report's wrong size of compress ZIP
> > files.]
>
>Linux uvscan scan engine 4.3.20 (MacAfee) is also vulnerable.
>uvscan takes all CPU and lots of memory been only killed with signal 9
>from another terminal.
>
>from 'top':
> PID USER PRI NI SIZE RSS SHARE STAT %CPU %MEM TIME CPU COMMAND
>1306 nobody 15 0 22744 21M 1648 R 97.4 35.6 0:44 0 uvscan
>
>nobody@...alu:/usr/local/uvscan# ./uvscan -v -r --analyze --unzip
>BlackHole.zip
>Scanning BlackHole.zip
>Scanning file BlackHole.zip
>Scanning file BlackHole.zip/~.BZ2
> ..... stalls here .....
>
>--
>
>Ethy H. Brito /"\
>InterNexo Ltda. \ / CAMPANHA DA FITA ASCII - CONTRA MAIL HTML
>+55 (12) 3941-6860 X ASCII RIBBON CAMPAIGN - AGAINST HTML MAIL
>S.J.Campos - Brasil / \
Powered by blists - more mailing lists