[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <42B16BD9.1070102@class101.org>
Date: Thu, 16 Jun 2005 14:08:57 +0200
From: class <ad@...ss101.org>
To: patrickhof@....de
Cc: full-disclosure@...ts.grok.org.uk, bugtraq@...urityfocus.com
Subject: Re: Sophos Antivirus Advisory
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
patrickhof@....de a écrit :
> = Advisory: Sophos doesn't recognize keylogger after string
> alteration =
>
> During a Penetrationtest RedTeam found out that Sophos Anti-Virus
> (SAV for short) won't recognize a keylogger as malware, after
> alteration of a string in the keylogger's binary.
>
> == Details ==
>
> Product: Sophos Anti-Virus Affected Version: <= 5.0.2 Immune
> Version: None known OS affected: tested on Win2k, GNU/Linux,
> probably all supported by Sophos Security-Risk: medium
> Remote-Exploit: no Vendor-URL: http://www.sophos.com Vendor-Status:
> informed Advisory-URL:
> http://tsyklon.informatik.rwth-aachen.de/redteam/advisories/rt-sa-2005-013
> Advisory-Status: published
>
> == Introduction ==
>
> "Sophos Anti-Virus provides integrated virus detection on a wide
> range of Windows platforms. Our award-winning technology protects
> corporate servers, desktops and laptops from viruses, Trojans,
> worms and malicious spyware." (from Vendor's page)
>
> SAV fails to recognize a keylogger binary after altering a few
> bytes in a string contained in the program.
>
>
> == More Details ==
>
> During a Penetrationtest, RedTeam wanted to install a keylogger on
> a victim's system. Klogger (written by Arne Vidstrom, see [1]) was
> chosen because of its small size, simplicity, and the ability to be
> executed from the command prompt. Since we knew that SAV was
> running on the target system, we did a test in our lab at
> RWTH-Aachen University. This test revealed that SAV would recognize
> the Klogger binary as malicious and raise alarm.
>
> In a simplistic attempt to confuse SAV, a few bytes in the Klogger
> binary (there is no source code available) which belonged to a
> string containing the author's name where changed with a hex
> editor. To our astonishment this was enough to foil SAV - no alarms
> where raised for the modified binary. Apparently the only detection
> method deployed by SAV for this binary was a hash comparison or
> something to the same effect.
>
> Tests with other antivirus programs showed that all of them
> recognized the binary even after the string alteration. As for SAV,
> additional tests with more popular malware showed that for these,
> proper heuristics were used: it was not enough just to change a
> few bytes with other malware binaries we tested.
>
> This example shows impressively, how easy some virusscanners can be
> bypassed. An attacker just has to spend less than one minute to
> manipulate the keylogger to prevent SAV from detecting the file.
>
> As keyloggers are more and more used by criminals like phishers to
> get e.g. online-banking data, it is important that protection
> software has robust detection mechanisms for malware. Simple
> circumvention of protection mechanisms could lead to a severe
> information leakage and compromise of the user. It is not uncommon
> for malware code to be hex-edited by the entities deploying them
> or even to change itself, thus potentially circumventing SAV if
> this practice is used with other malicicous code, too.
>
> [1] http://ntsecurity.nu/toolbox/klogger/
>
> == Proof of Concept ==
>
> Just download klogger and change some bytes.
>
> == Workaround ==
>
> Never rely only on your antivirus program, regardless how good it
> is. Those programs can only detect known malware with 100%
> certainty. Unknown but also slightly modified malicious code is
> only recognized using heuristics, which fail much too often. Always
> use common sense and don't execute or even open files you don't
> exactly know where they come from.
>
> == Fix ==
>
> None known.
>
>
> == Security Risk ==
>
> As users should not rely only on their antivirus programs (as
> stated above) in the first place, the security risk may be seen as
> medium.
>
>
> == History ==
>
> 14.04.2005 discovery of SAV's behaviour 21.04.2005 additional
> tests with other programs 10.05.2005 advisory is written
> 03.06.2005 contacted Sophos. Answer: the attachement you sent is
> clean. Eh? Apparently, they sent the attached pgp-signature to
> their virus-lab... Asked for a security contact. Got back the offer
> that if we send a file with a virus, they can scan it. Okaaaay,
> that was not the question, was it? Told them we were short of
> viruses, sorry. Contact promised to sent the mail to their
> headquarter in England. Never heard from them again. 16.06.2005
> Advisory released
>
> == RedTeam ==
>
> RedTeam is a penetration testing group working at the Laboratory
> for Dependable Distributed Systems at RWTH-Aachen University. You
> can find more Information on the RedTeam Project at
> http://tsyklon.informatik.rwth-aachen.de/redteam/
>
> _______________________________________________ Full-Disclosure -
> We believe in it. Charter:
> http://lists.grok.org.uk/full-disclosure-charter.html Hosted and
> sponsored by Secunia - http://secunia.com/
This is not really a vulnerablity but more a lack of detection on this
malware, because try to do the same with hackdefender, sophos and
kaspersky are much advanced than the others AV to detect it, believe
me, I got it undetected with your method on almost all av , instead of
sophos and kaspersky using some signature that if you mod, you break
the program , nor yu should understand some asm.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (MingW32)
iD8DBQFCsWvVLyZ8K9aT7rARAkRRAKC6vP8EG/o1QX2Ss2L5d8u+9C+m9wCgp3BN
i1uiKZyFy21TGUs/VbulY08=
=xRt7
-----END PGP SIGNATURE-----
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists