lists.openwall.net: Open Source and information security mailing list archives
Message-ID: <44D7A416.9080509@utdallas.edu>
Date: Mon, 07 Aug 2006 15:35:34 -0500
From: Paul Schmehl <pauls@...allas.edu>
To: Bipin Gautam <gautam.bipin@...il.com>
Cc: full-disclosure@...ts.grok.org.uk, bugtraq@...urityfocus.com
Subject: Re: when will AV vendors fix this???

Bipin Gautam wrote:
> hello list,
> 
> This is actually a DESIGN BUG OF MOST(ALL?) Antivirus & trojan
> scanners. ( ROOTKIT SCANNERS already DO THIS ) This issue is a MORE
> THAN 1 YEAR OLD stuff but I see no fix till now!!!!
> 
> lately I've ONLY tested it on the following AV & few other spyware
> scanners & saw it's still NOT fixed!
> 
> Kaspersky Anti-Virus 6.x (latest)
> BitDefender 9 Professional Plus (latest)
> NOD32 (latest)
> 
> OS tested: WINxp sp2
> 
> to keep things simple, let me give you a situation;
> 
> if there is a directory/file a EVIL_USER is willing to hide from
> antivirus scanner all he has to do is fire up a command prompt & run
> the command;
> 
> cacls.exe TROJANED_FILE_OR_DIRECTORY_NAME /T /C /P EVIL_USER:R
> 
> 
> next time EVEN when the administrator starts the antivirus "system
> scan" the TROJANED_FILE_OR_DIRECTORY_NAME will be effectively
> bypassed as the ownership of the directory is just of the user account
> named EVIL_USER and the antivirus "manual scan" is running just with
> the privilege of ADMINISTRATOR
> 
This is similar to the problem of alternative data streams. 
Essentially, the work needed to solve this problem isn't worth the 
expenditure of time and effort, because the file, in order to infect the 
system, has to be executed.  Once the file is executed "normal" 
on-access scanning will catch the exploit *if* it is known.  (If it's 
unknown, it doesn't matter anyway.)  Yes, on-demand scanning won't "see" 
the file, but even malicious files are benign until they are run.

-- 
Paul Schmehl (pauls@...allas.edu)
Adjunct Information Security Officer
The University of Texas at Dallas
http://www.utdallas.edu/ir/security/
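The thread's point is that an on-demand scan only covers what the scanning account can open. The script below is an added example, written from the defender's side; it is not code from either poster. Run under the same account the on-demand scanner uses (for example an elevated Administrator shell), it walks a tree and lists every file that account cannot open for reading, plus every directory the walk could not enter, together with the owner and ACEs of each. Those are exactly the objects a manual scan under that account would skip. `$Root` and the helper name `Test-FileReadable` are assumptions of this example.

```powershell
# Added example (not from the original thread): find files and directories
# that the current account cannot read, i.e. objects an on-demand scan run
# under this account would silently skip. $Root is an assumed parameter.
param(
    [string]$Root = 'C:\Users'
)

function Test-FileReadable {
    param([string]$Path)
    # Attempt a plain read-open, which is what a scanner without backup
    # semantics does. FileShare::ReadWrite avoids false positives on files
    # that are merely in use; only an ACL rejection counts as "not readable".
    try {
        $fs = [System.IO.File]::Open($Path,
                                      [System.IO.FileMode]::Open,
                                      [System.IO.FileAccess]::Read,
                                      [System.IO.FileShare]::ReadWrite)
        $fs.Dispose()
        return $true
    } catch {
        $ex = $_.Exception
        if ($ex -is [System.UnauthorizedAccessException] -or
            $ex.InnerException -is [System.UnauthorizedAccessException]) {
            return $false
        }
        # Sharing violations, broken reparse points etc. are a different
        # problem; do not report them as ACL hiding.
        return $true
    }
}

function Get-AceSummary {
    param([string]$Path)
    # Owner and DACL for context; Get-Acl may itself be refused.
    $acl = Get-Acl -LiteralPath $Path -ErrorAction SilentlyContinue
    if (-not $acl) {
        return @{ Owner = '<acl unreadable>'; Aces = '' }
    }
    $aces = $acl.Access | ForEach-Object {
        "$($_.AccessControlType) $($_.IdentityReference):$($_.FileSystemRights)"
    }
    return @{ Owner = $acl.Owner; Aces = ($aces -join '; ') }
}

# Files the walk reaches but cannot open.
$hidden = @(foreach ($f in Get-ChildItem -LiteralPath $Root -Recurse -Force -File `
                               -ErrorAction SilentlyContinue -ErrorVariable walkErrors) {
    if (-not (Test-FileReadable -Path $f.FullName)) {
        $info = Get-AceSummary -Path $f.FullName
        [pscustomobject]@{
            Path  = $f.FullName
            Owner = $info.Owner
            Aces  = $info.Aces
        }
    }
})

# Directories the walk could not enter are surfaced by Get-ChildItem as
# errors; these correspond to the cacls /T case on a whole directory.
$hidden += @(foreach ($e in $walkErrors) {
    $info = Get-AceSummary -Path $e.TargetObject
    [pscustomobject]@{
        Path  = $e.TargetObject
        Owner = $info.Owner
        Aces  = "$($e.Exception.Message) | $($info.Aces)"
    }
})

if ($hidden.Count -eq 0) {
    "No unreadable files or directories under $Root for $env:USERNAME."
} else {
    $hidden | Format-Table -AutoSize
}
```

The read attempt is the ground truth here rather than ACL inspection: access can arrive through group membership or be removed through an explicit Deny, so parsing ACEs alone over- or under-reports. A file in this list with an owner that is not an administrator, and no Allow entry for Administrators or SYSTEM, is the pattern the original post describes and is worth checking with a scanner that uses backup semantics or runs as SYSTEM.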

