| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 16 Jun 2005 14:08:57 +0200 From: class <ad@...ss101.org> To: patrickhof@....de Cc: full-disclosure@...ts.grok.org.uk, bugtraq@...urityfocus.com Subject: Re: Sophos Antivirus Advisory -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 patrickhof@....de a écrit : > = Advisory: Sophos doesn't recognize keylogger after string > alteration = > > During a Penetrationtest RedTeam found out that Sophos Anti-Virus > (SAV for short) won't recognize a keylogger as malware, after > alteration of a string in the keylogger's binary. > > == Details == > > Product: Sophos Anti-Virus Affected Version: <= 5.0.2 Immune > Version: None known OS affected: tested on Win2k, GNU/Linux, > probably all supported by Sophos Security-Risk: medium > Remote-Exploit: no Vendor-URL: http://www.sophos.com Vendor-Status: > informed Advisory-URL: > http://tsyklon.informatik.rwth-aachen.de/redteam/advisories/rt-sa-2005-013 > Advisory-Status: published > > == Introduction == > > "Sophos Anti-Virus provides integrated virus detection on a wide > range of Windows platforms. Our award-winning technology protects > corporate servers, desktops and laptops from viruses, Trojans, > worms and malicious spyware." (from Vendor's page) > > SAV fails to recognize a keylogger binary after altering a few > bytes in a string contained in the program. > > > == More Details == > > During a Penetrationtest, RedTeam wanted to install a keylogger on > a victim's system. Klogger (written by Arne Vidstrom, see [1]) was > chosen because of its small size, simplicity, and the ability to be > executed from the command prompt. Since we knew that SAV was > running on the target system, we did a test in our lab at > RWTH-Aachen University. This test revealed that SAV would recognize > the Klogger binary as malicious and raise alarm. > > In a simplistic attempt to confuse SAV, a few bytes in the Klogger > binary (there is no source code available) which belonged to a > string containing the author's name where changed with a hex > editor. To our astonishment this was enough to foil SAV - no alarms > where raised for the modified binary. Apparently the only detection > method deployed by SAV for this binary was a hash comparison or > something to the same effect. > > Tests with other antivirus programs showed that all of them > recognized the binary even after the string alteration. As for SAV, > additional tests with more popular malware showed that for these, > proper heuristics were used: it was not enough just to change a > few bytes with other malware binaries we tested. > > This example shows impressively, how easy some virusscanners can be > bypassed. An attacker just has to spend less than one minute to > manipulate the keylogger to prevent SAV from detecting the file. > > As keyloggers are more and more used by criminals like phishers to > get e.g. online-banking data, it is important that protection > software has robust detection mechanisms for malware. Simple > circumvention of protection mechanisms could lead to a severe > information leakage and compromise of the user. It is not uncommon > for malware code to be hex-edited by the entities deploying them > or even to change itself, thus potentially circumventing SAV if > this practice is used with other malicicous code, too. > > [1] http://ntsecurity.nu/toolbox/klogger/ > > == Proof of Concept == > > Just download klogger and change some bytes. > > == Workaround == > > Never rely only on your antivirus program, regardless how good it > is. Those programs can only detect known malware with 100% > certainty. Unknown but also slightly modified malicious code is > only recognized using heuristics, which fail much too often. Always > use common sense and don't execute or even open files you don't > exactly know where they come from. > > == Fix == > > None known. > > > == Security Risk == > > As users should not rely only on their antivirus programs (as > stated above) in the first place, the security risk may be seen as > medium. > > > == History == > > 14.04.2005 discovery of SAV's behaviour 21.04.2005 additional > tests with other programs 10.05.2005 advisory is written > 03.06.2005 contacted Sophos. Answer: the attachement you sent is > clean. Eh? Apparently, they sent the attached pgp-signature to > their virus-lab... Asked for a security contact. Got back the offer > that if we send a file with a virus, they can scan it. Okaaaay, > that was not the question, was it? Told them we were short of > viruses, sorry. Contact promised to sent the mail to their > headquarter in England. Never heard from them again. 16.06.2005 > Advisory released > > == RedTeam == > > RedTeam is a penetration testing group working at the Laboratory > for Dependable Distributed Systems at RWTH-Aachen University. You > can find more Information on the RedTeam Project at > http://tsyklon.informatik.rwth-aachen.de/redteam/ > > _______________________________________________ Full-Disclosure - > We believe in it. Charter: > http://lists.grok.org.uk/full-disclosure-charter.html Hosted and > sponsored by Secunia - http://secunia.com/ This is not really a vulnerablity but more a lack of detection on this malware, because try to do the same with hackdefender, sophos and kaspersky are much advanced than the others AV to detect it, believe me, I got it undetected with your method on almost all av , instead of sophos and kaspersky using some signature that if you mod, you break the program , nor yu should understand some asm. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.1 (MingW32) iD8DBQFCsWvVLyZ8K9aT7rARAkRRAKC6vP8EG/o1QX2Ss2L5d8u+9C+m9wCgp3BN i1uiKZyFy21TGUs/VbulY08= =xRt7 -----END PGP SIGNATURE----- _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists