lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <20040615113937.72255.qmail@web20225.mail.yahoo.com>
From: visitbipin at yahoo.com (bipin gautam)
Subject: Re: Multiple Antivirus Scanners DoS attack.

--- Shashank Rai <shash@...salat-nis.ae> wrote:
> On a Fedora Core-2 box.....
> 
> Virus scanning report  -  15 June 2004 @ 7:50
> 
> F-PROT ANTIVIRUS
> Program version: 4.4.2
> Engine version: 3.14.11
> 
> VIRUS SIGNATURE FILES
> SIGN.DEF created 12 June 2004
> SIGN2.DEF created 12 June 2004
> MACRO.DEF created 7 June 2004
> 
> Search: /home/shash/tmp/SERVER_dwn.zip
> Action: Report only
> Files: "Dumb" scan of all files
> Switches: -ARCHIVE -PACKED -SERVER
> 
>
/home/shash/tmp/SERVER_dwn.zip->BlackHole.zip->1/~.cab->0.cab->cab.com
> 
> Infection: EICAR_Test_File
>
/home/shash/tmp/SERVER_dwn.zip->BlackHole.zip->1/~.zip->bipin.zip
> 
> Infection: EICAR_Test_File
>
/home/shash/tmp/SERVER_dwn.zip->BlackHole.zip->2/~.cab->0.cab->cab.com
> 
> Infection: EICAR_Test_File
>
/home/shash/tmp/SERVER_dwn.zip->BlackHole.zip->2/~.zip->bipin.zip
> 
> Infection: EICAR_Test_File
>
/home/shash/tmp/SERVER_dwn.zip->BlackHole.zip->3/~.cab->0.cab->cab.com
> 
> Infection: EICAR_Test_File
>
/home/shash/tmp/SERVER_dwn.zip->BlackHole.zip->3/~.zip->bipin.zip
> 
> Infection: EICAR_Test_File
>
/home/shash/tmp/SERVER_dwn.zip->BlackHole.zip->4/~.cab->0.cab->cab.com
> 
> Infection: EICAR_Test_File
>
/home/shash/tmp/SERVER_dwn.zip->BlackHole.zip->4/~.zip->bipin.zip
> 
> Infection: EICAR_Test_File
>
/home/shash/tmp/SERVER_dwn.zip->BlackHole.zip->5/~.cab->0.cab->cab.com
> 
> Infection: EICAR_Test_File
>
/home/shash/tmp/SERVER_dwn.zip->BlackHole.zip->5/~.zip->bipin.zip
> 
> Infection: EICAR_Test_File
> 
> Results of virus scanning:
> 
> Files: 1
> MBRs: 0
> Boot sectors: 0
> Objects scanned: 657
> Infected: 10
> Suspicious: 0
> Disinfected: 0
> Deleted: 0
> Renamed: 0
> 
> Time: 1:13
> 
> 
> f-prot vulnerable?????
> 


Moreover, If you download such archives from an
internet loaction, or 'copy/paste' such files from a
distination. Those Vulnerable "Antivirus Softwares"
with their auto-protect engines active, may also
trigger a DoS.

There have been reports in some discussion fourms,

*Panda Antivirus
*Norton AV Corporate Ed. (version 7.60.926)
*MacAfee uvscan scan for Linux (4.3.20)
*DrWeb (http://www.drweb.ru/)
*AVG v7.0.251
*ClamAV version 0.07, 0.72   <--- please confirm this!
*eTrust InoculateIT version 6.0


   Are vulnerable.


*F-Prot 4.4.2 for Linux did took considerable amount
of time  [avg: 90 seconds] while scanning the file,
there have been conflicting report... whether or not,
F-Prot is vulnerable. But a VA software that takes so
long to scan just a 15 kb file...... is a strange
behavior. I'll personally call, it vulnerable... cauz
a DoS could likely be triggered.


You can get updates of this advisory at,
http://www.geocities.com/visitbipin/Multiple_AV_DoS.html

Regards,

Bipin Gautam
http://www.geocities.com/visitbipin/




		
__________________________________
Do you Yahoo!?
Yahoo! Mail - Helps protect you from nasty viruses.
http://promotions.yahoo.com/new_mail


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ