lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Date: Thu, 16 Jun 2005 11:48:08 -0500
From: "Todd Towles" <toddtowles@...okshires.com>
To: <patrickhof@....de>, <bugtraq@...urityfocus.com>,
	<full-disclosure@...ts.grok.org.uk>
Subject: RE: Sophos Antivirus Advisory


Robert, MW and class are right. This is a general problem of all
sig-based AV systems. It has been covered on this list and many other
places I am sure. You should report this to Sophos, but only because you
were using Sophos in your test. To report it here as a Sophos vuln,
isn't fair to Sophos IMHO. But that is just my 2 cents. 

> -----Original Message-----
> From: full-disclosure-bounces@...ts.grok.org.uk 
> [mailto:full-disclosure-bounces@...ts.grok.org.uk] On Behalf 
> Of patrickhof@....de
> Sent: Thursday, June 16, 2005 6:54 AM
> To: bugtraq@...urityfocus.com; full-disclosure@...ts.grok.org.uk
> Subject: [Full-disclosure] Sophos Antivirus Advisory
> 
> = Advisory: Sophos doesn't recognize keylogger after string 
> alteration =
> 
> During a Penetrationtest RedTeam found out that Sophos 
> Anti-Virus (SAV for short) won't recognize a keylogger as 
> malware, after alteration of a string in the keylogger's binary.
> 
> == Details ==
> 
> Product: Sophos Anti-Virus
> Affected Version: <= 5.0.2
> Immune Version: None known
> OS affected: tested on Win2k, GNU/Linux, probably all supported by
>              Sophos
> Security-Risk: medium
> Remote-Exploit: no
> Vendor-URL: http://www.sophos.com
> Vendor-Status: informed
> Advisory-URL:
> http://tsyklon.informatik.rwth-aachen.de/redteam/advisories/rt
> -sa-2005-013
> Advisory-Status: published
> 
> == Introduction ==
> 
> "Sophos Anti-Virus provides integrated virus detection on a 
> wide range of Windows platforms. Our award-winning technology 
> protects corporate servers, desktops and laptops from 
> viruses, Trojans, worms and malicious spyware." (from Vendor's page)
> 
> SAV fails to recognize a keylogger binary after altering a 
> few bytes in a string contained in the program.
> 
> 
> == More Details ==
> 
> During a Penetrationtest, RedTeam wanted to install a 
> keylogger on a victim's system. Klogger (written by Arne 
> Vidstrom, see [1]) was chosen because of its small size, 
> simplicity, and the ability to be executed from the command 
> prompt. Since we knew that SAV was running on the target 
> system, we did a test in our lab at RWTH-Aachen University. 
> This test revealed that SAV would recognize the Klogger 
> binary as malicious and raise alarm.
> 
> In a simplistic attempt to confuse SAV, a few bytes in the 
> Klogger binary (there is no source code available) which 
> belonged to a string containing the author's name where 
> changed with a hex editor. To our astonishment this was 
> enough to foil SAV - no alarms where raised for the modified 
> binary. Apparently the only detection method deployed by SAV 
> for this binary was a hash comparison or something to the same effect.
> 
> Tests with other antivirus programs showed that all of them 
> recognized the binary even after the string alteration. As 
> for SAV, additional tests with more popular malware showed 
> that for these, proper heuristics were used: it was not 
> enough just to change a few bytes with other malware binaries 
> we tested.
> 
> This example shows impressively, how easy some virusscanners 
> can be bypassed. An attacker just has to spend less than one 
> minute to manipulate the keylogger to prevent SAV from 
> detecting the file.
> 
> As keyloggers are more and more used by criminals like 
> phishers to get e.g. online-banking data, it is important 
> that protection software has robust detection mechanisms for 
> malware. Simple circumvention of protection mechanisms could 
> lead to a severe information leakage and compromise of the 
> user. It is not uncommon for malware code to be hex-edited by 
> the entities deploying them or even to change itself, thus 
> potentially circumventing SAV if this practice is used with 
> other malicicous code, too.
> 
> [1] http://ntsecurity.nu/toolbox/klogger/
> 
> == Proof of Concept ==
> 
> Just download klogger and change some bytes.
> 
> == Workaround ==
> 
> Never rely only on your antivirus program, regardless how good it is.
> Those programs can only detect known malware with 100% certainty.
> Unknown but also slightly modified malicious code is only 
> recognized using heuristics, which fail much too often. 
> Always use common sense and don't execute or even open files 
> you don't exactly know where they come from.
> 
> == Fix ==
> 
> None known.
> 
> 
> == Security Risk ==
> 
> As users should not rely only on their antivirus programs (as stated
> above) in the first place, the security risk may be seen as medium.
> 
> 
> == History ==
> 
> 14.04.2005  discovery of SAV's behaviour
> 21.04.2005  additional tests with other programs
> 10.05.2005  advisory is written
> 03.06.2005  contacted Sophos. Answer: the attachement you 
> sent is clean.
>             Eh? Apparently, they sent the attached 
> pgp-signature to their
>             virus-lab... Asked for a security contact. Got back the
>             offer that if we send a file with a virus, they 
> can scan it.
>             Okaaaay, that was not the question, was it? Told them we
>             were short of viruses, sorry. Contact promised
>             to sent the mail to their headquarter in England. Never
>             heard from them again.
> 16.06.2005  Advisory released
> 
> == RedTeam ==
> 
> RedTeam is a penetration testing group working at the 
> Laboratory for Dependable Distributed Systems at RWTH-Aachen 
> University. You can find more Information on the RedTeam 
> Project at http://tsyklon.informatik.rwth-aachen.de/redteam/
> 
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
> 
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ