Date: Thu, 16 Jun 2005 13:54:28 +0200
From: patrickhof@....de
To: bugtraq@...urityfocus.com, full-disclosure@...ts.grok.org.uk
Subject: Sophos Antivirus Advisory


= Advisory: Sophos doesn't recognize keylogger after string alteration =

During a penetration test, RedTeam found that Sophos Anti-Virus (SAV for
short) no longer recognizes a keylogger as malware once a string in the
keylogger's binary has been altered.

== Details ==

Product: Sophos Anti-Virus
Affected Version: <= 5.0.2
Immune Version: None known
OS affected: tested on Win2k, GNU/Linux, probably all supported by
             Sophos
Security-Risk: medium
Remote-Exploit: no
Vendor-URL: http://www.sophos.com
Vendor-Status: informed
Advisory-URL:
http://tsyklon.informatik.rwth-aachen.de/redteam/advisories/rt-sa-2005-013
Advisory-Status: published

== Introduction ==

"Sophos Anti-Virus provides integrated virus detection on a wide  
range of Windows platforms. Our award-winning technology protects  
corporate servers, desktops and laptops from viruses, Trojans, worms  
and malicious spyware." (from Vendor's page)

SAV fails to recognize a keylogger binary after altering a few bytes  
in a string contained in the program.


== More Details ==

During a penetration test, RedTeam wanted to install a keylogger on a
victim's system. Klogger (written by Arne Vidstrom, see [1]) was chosen
because of its small size, simplicity, and the ability to be executed
from the command prompt. Since we knew that SAV was running on the
target system, we did a test in our lab at RWTH-Aachen University. This
test revealed that SAV would recognize the Klogger binary as malicious
and raise an alarm.

In a simplistic attempt to confuse SAV, a few bytes in the Klogger
binary (there is no source code available) which belonged to a string
containing the author's name were changed with a hex editor. To our
astonishment this was enough to foil SAV - no alarms were raised for
the modified binary. Apparently the only detection method deployed by
SAV for this binary was a hash comparison or something to the same
effect.

Tests with other antivirus programs showed that all of them
recognized the binary even after the string alteration. As for SAV,
additional tests with more popular malware showed that for these,
proper heuristics were used: it was not enough just to change a few
bytes in the other malware binaries we tested.

This example shows impressively how easily some virus scanners can be
bypassed: an attacker needs less than a minute to manipulate the
keylogger so that SAV no longer detects the file.

As keyloggers are increasingly used by criminals such as phishers to
obtain, for example, online-banking data, it is important that protection
software has robust detection mechanisms for malware. Simple
circumvention of protection mechanisms can lead to severe information
leakage and compromise of the user. It is not uncommon for malware to be
hex-edited by the people deploying it, or even to modify itself, so the
same weakness could allow other malicious code to slip past SAV as well.

[1] http://ntsecurity.nu/toolbox/klogger/

== Proof of Concept ==

Download Klogger and change a few bytes of an embedded string (e.g. the
author's name) with a hex editor; SAV no longer detects the modified file.
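The following script is an added illustration and is not part of the
original advisory, nor code from RedTeam, Sophos or the Klogger author.
It reproduces the mechanism the advisory describes on a constructed
stand-in for a binary (a few bytes playing the role of machine code
followed by a NUL-terminated placeholder string; the string content and
the code bytes are invented, not taken from Klogger). It flips the case
of one letter inside the string, exactly the kind of hex-editor edit
described above, and then compares two detection strategies: a
whole-file hash, which is what the advisory infers SAV was using for
this sample, and a byte signature taken from the code region, which
survives the edit.

```python
import hashlib

# Constructed sample standing in for a small executable: bytes that play the
# role of machine code, followed by a NUL-terminated ASCII string in a data
# area. Placeholder content only, not the real Klogger binary or its strings.
SAMPLE_CODE = bytes.fromhex("5589e583ec10c745fc00000000b80000000031c9c9c3")
SAMPLE_STRING = b"Written by Example Author\x00"
SAMPLE_BINARY = SAMPLE_CODE + SAMPLE_STRING


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def flip_case_in_string(binary: bytes, needle: bytes, offset: int = 0) -> bytes:
    """Return a copy of `binary` in which one letter of the first occurrence
    of `needle` has its ASCII case flipped. This is the hex-editor step from
    the advisory: the program's code is untouched, only a string changes."""
    start = binary.find(needle)
    if start < 0:
        raise ValueError("string not present in binary")
    pos = start + offset
    if not chr(binary[pos]).isalpha():
        raise ValueError("byte at offset is not a letter; pick another offset")
    patched = bytearray(binary)
    patched[pos] ^= 0x20  # ASCII case bit: 'W' (0x57) <-> 'w' (0x77)
    return bytes(patched)


def bytes_changed(a: bytes, b: bytes) -> int:
    """Count differing byte positions between two blobs."""
    return sum(x != y for x, y in zip(a, b)) + abs(len(a) - len(b))


# Strategy 1: whole-file hash lookup, the behaviour the advisory infers for
# SAV on this sample. Any single-byte change anywhere in the file defeats it.
def detected_by_file_hash(binary: bytes, known_bad_hashes: set) -> bool:
    return sha256_hex(binary) in known_bad_hashes


# Strategy 2: a byte signature taken from the code region rather than from a
# mutable string. Editing a string leaves these bytes intact, so it still fires.
def detected_by_code_signature(binary: bytes, signature: bytes) -> bool:
    return signature in binary


def demo() -> dict:
    known_bad = {sha256_hex(SAMPLE_BINARY)}  # "signature" built from the original
    code_sig = SAMPLE_CODE[:12]              # first bytes of the code region
    patched = flip_case_in_string(SAMPLE_BINARY, SAMPLE_STRING)
    return {
        "bytes_changed": bytes_changed(SAMPLE_BINARY, patched),
        "original_hash_hit": detected_by_file_hash(SAMPLE_BINARY, known_bad),
        "patched_hash_hit": detected_by_file_hash(patched, known_bad),
        "original_code_hit": detected_by_code_signature(SAMPLE_BINARY, code_sig),
        "patched_code_hit": detected_by_code_signature(patched, code_sig),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Running it shows one changed byte, the hash-based check losing the
sample while the code-region signature still matches. The code signature
is of course not robust either (an attacker can patch code bytes just as
easily, which is why the other scanners' heuristics matter); the point is
that the cheapest possible edit, one byte in a string, is enough against a
pure hash lookup, and a scanner should at least not fail at that level.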

== Workaround ==

Never rely only on your antivirus program, regardless of how good it is.
Such programs can only detect known malware with 100% certainty.
Unknown, and even only slightly modified, malicious code is recognized
only through heuristics, which fail far too often. Always use common
sense and do not execute, or even open, files whose origin you do not
know exactly.

== Fix ==

None known.


== Security Risk ==

As users should not rely only on their antivirus programs (as stated
above) in the first place, the security risk may be seen as medium.


== History ==

14.04.2005  discovery of SAV's behaviour
21.04.2005  additional tests with other programs
10.05.2005  advisory is written
03.06.2005  contacted Sophos. Answer: the attachment you sent is clean.
            Eh? Apparently, they sent the attached pgp-signature to their
            virus-lab... Asked for a security contact. Got back the
            offer that if we send a file with a virus, they can scan it.
            Okaaaay, that was not the question, was it? Told them we
            were short of viruses, sorry. Contact promised
            to send the mail to their headquarters in England. Never
            heard from them again.
16.06.2005  Advisory released

== RedTeam ==

RedTeam is a penetration testing group working at the Laboratory for
Dependable Distributed Systems at RWTH-Aachen University. You can
find more information on the RedTeam Project at
http://tsyklon.informatik.rwth-aachen.de/redteam/
