| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20050313053240.13642.qmail@web31502.mail.mud.yahoo.com> From: visitbipin at yahoo.com (bipin gautam) Subject: Re: [Private]Multiple AV VendorIncorrectCRC32BypassVulnerability. --- Steve Scholz <steve_scholz@...ari.com> wrote: > Hi Bipin, > By design Eicar needs to be the exact string and on > the first line with nothing else following it. So > the file is not actually an Eicar I get this with > advanced zip repair. So now we won't detect this > because it is not Eicar. > > X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*PK... > > ./é0DFµ-ÿ ÿ . eicar.comPK.. > . . 7 k "not Eicar" so??? (O; It exactly did what it was intended to! TRY IT WITH OTHER EXECUDABLES THEN. In the 'local file header" & "data descriptor" if you change the compressed size and uncompressed size to greater than the actual file size there are many AV that can't scan the file properly. Most, unzip utilities will successfully extract such archive with some garbage data \x00 at the end "255 bytes. (SO DOES THE AV ENGINE) The garbage data doesn't *that matter because any malicious code can "execute without any problem" with still the garbage at its end. "This will successfully bypass AV detection even for a known malicious code!" Isn't it??? (but for effectiveness, FORGE the crc, first for real effectiveness) regards, bipin gautam get the updates in this issue at: http://www.geocities.com/visitbipin/ secunia.com; > full-disclosure@...ts.grok.org.uk; > bugtraq@...urityfocus.com > Subject: [Full-disclosure] Re: [Private]Multiple AV > VendorIncorrectCRC32BypassVulnerability. > > Steve, > firstly... thankyou for all your coments. > > > The Antigen_s.zip does not contain a valid Eicar > > this info when repaired > > and opened is X5O!P%@AP[4\PZX > > We did catch it with a file filter. > > What was your intent with these files? > > OOPS! again my fault!!! > TRY: http://www.geocities.com/visitbipin/Antigen.zip > > my intension was to show, if the archive has > compressed size and uncompressed size set to greater > than the actual file size or less than the actual > file > size there are many AV that can't scan the file > properly. > > send > http://www.geocities.com/visitbipin/Antigen.zip > to virustotal.com and see for yourself!!! > > Download Accelerator successfully repairs this > archive > with some garbage data \x00 at the end "255 bytes" > Though, i was able to successfully execute eicar.com > > -bipin > updates at: > http://www.geocities.com/visitbipin/crc.html > ___________________My report!_______________________ > This is a report processed by VirusTotal on > 03/12/2005 > at 18:38:32 (CET) after scanning the file > "Antigen.zip" file. > > Antivirus Version Update Result > AntiVir 6.30.0.5 03.11.2005 Eicar-Test-Signature > AVG 718 03.11.2005 EICAR_Test (+187) > BitDefender 7.0 03.12.2005 no virus found > ClamAV devel-20050307 03.10.2005 > Eicar-Test-Signature > > DrWeb 4.32b 03.12.2005 no virus found > eTrust-Iris 7.1.194.0 03.12.2005 no virus found > eTrust-Vet 11.7.0.0 03.11.2005 no virus found > Fortinet 2.51 03.11.2005 no virus found > F-Prot 3.16a 03.11.2005 EICAR_Test_File > Ikarus 2.32 03.11.2005 EICAR-ANTIVIRUS-TESTFILE > Kaspersky 4.0.2.24 03.12.2005 EICAR-Test-File > McAfee 4445 03.11.2005 no virus found > NOD32v2 1.1024 03.11.2005 archive damaged > Norman 5.70.10 03.10.2005 no virus found > Panda 8.02.00 03.12.2005 Eicar.Mod > Sybari 7.5.1314 03.12.2005 no virus found > Symantec 8.0 03.11.2005 no virus found __________________________________ Do you Yahoo!? Yahoo! Small Business - Try our new resources site! http://smallbusiness.yahoo.com/resources/
Powered by blists - more mailing lists