Message-ID: <20050313055306.52297.qmail@web31509.mail.mud.yahoo.com>
From: visitbipin at yahoo.com (bipin gautam)
Subject: Re: [Private]Multiple AV VendorIncorrectCRC32BypassVulnerability.

--- Steve Scholz <steve_scholz@...ari.com> wrote:
> Hi Bipin,
> By design Eicar needs to be the exact string and on
> the first line with nothing else following it. So
> the file is not actually an Eicar I get this with
> advanced zip repair. So now we won't detect this
> because it is not Eicar.
> 
>
> X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*PK...
> 
>      ./é0DFµ-ÿ   ÿ   	       .         eicar.comPK..
>    . . 7   k  

"not Eicar" so???     (O; It exactly did what it was
intended to! TRY IT WITH OTHER EXECUTABLES THEN.

In the "local file header" & "data descriptor", if you
change the compressed size and uncompressed size to
greater than the actual file size, there are many AV
that can't scan the file properly.
Most unzip utilities will successfully extract such an
archive with some garbage data (\x00) at the end, "255
bytes". (SO DOES THE AV ENGINE.) The garbage data
doesn't matter *that* much because any malicious code can
"execute without any problem" with the garbage still
at its end. "This will successfully bypass AV
detection even for a known malicious code!" "MOST OF
THE TIME", if the AV detects the executable by comparing
its total checksum!

(but for real effectiveness, FORGE the crc first)



regards,
bipin gautam
get the updates in this issue at:
http://www.geocities.com/visitbipin/

> secunia.com;
> full-disclosure@...ts.grok.org.uk;
> bugtraq@...urityfocus.com
> Subject: [Full-disclosure] Re: [Private]Multiple AV
> VendorIncorrectCRC32BypassVulnerability.
> 
> Steve,
> firstly... thank you for all your comments.
> 
> > The Antigen_s.zip does not contain a valid Eicar
> > this info when repaired
> > and opened is X5O!P%@AP[4\PZX
> > We did catch it with a file filter.
> > What was your intent with these files?
> 
> OOPS! again my fault!!!
> TRY: http://www.geocities.com/visitbipin/Antigen.zip
> 
> my intention was to show, if the archive has
> compressed size and uncompressed size set to greater
> than the actual file size or less than the actual
> file size there are many AV that can't scan the file
> properly.
> 
> send 
> http://www.geocities.com/visitbipin/Antigen.zip
>  to virustotal.com and see for yourself!!!
> 
> Download Accelerator successfully repairs this
> archive with some garbage data \x00 at the end "255 bytes".
> Though, I was able to successfully execute eicar.com
> 
> -bipin
> updates at:
> http://www.geocities.com/visitbipin/crc.html
> ___________________My report!_______________________
> This is a report processed by VirusTotal on
> 03/12/2005 at 18:38:32 (CET) after scanning the file
> "Antigen.zip".
>
> Antivirus     Version          Update      Result
> AntiVir       6.30.0.5         03.11.2005  Eicar-Test-Signature
> AVG           718              03.11.2005  EICAR_Test (+187)
> BitDefender   7.0              03.12.2005  no virus found
> ClamAV        devel-20050307   03.10.2005  Eicar-Test-Signature
> DrWeb         4.32b            03.12.2005  no virus found
> eTrust-Iris   7.1.194.0        03.12.2005  no virus found
> eTrust-Vet    11.7.0.0         03.11.2005  no virus found
> Fortinet      2.51             03.11.2005  no virus found
> F-Prot        3.16a            03.11.2005  EICAR_Test_File
> Ikarus        2.32             03.11.2005  EICAR-ANTIVIRUS-TESTFILE
> Kaspersky     4.0.2.24         03.12.2005  EICAR-Test-File
> McAfee        4445             03.11.2005  no virus found
> NOD32v2       1.1024           03.11.2005  archive damaged
> Norman        5.70.10          03.10.2005  no virus found
> Panda         8.02.00          03.12.2005  Eicar.Mod
> Sybari        7.5.1314         03.12.2005  no virus found
> Symantec      8.0              03.11.2005  no virus found


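The failure mode this thread describes (a ZIP whose local file header or data descriptor claims a compressed/uncompressed size that disagrees with the member actually present, so some scanners scan the wrong span or report "archive damaged" while unzip tools extract fine) is easiest to reason about with a checker in hand. The Python below is an added example, not code from this thread or from any of the AV vendors named in it. It builds a constructed one-member archive with harmless contents, produces a copy whose local-header size fields are inflated (the same inconsistency bipin describes, used here only as audit input), and audits an archive by cross-checking the central directory, the local header or data descriptor, and the bytes actually on disk. The function names build_stored_zip, inflate_local_sizes and audit_zip are my own.

```python
import io
import struct
import zipfile
import zlib

LOCAL_SIG = b"PK\x03\x04"
CENTRAL_SIG = b"PK\x01\x02"
EOCD_SIG = b"PK\x05\x06"
DESC_SIG = b"PK\x07\x08"


def build_stored_zip(name: str, payload: bytes) -> bytes:
    """Constructed sample: a one-member ZIP, member stored (method 0)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", compression=zipfile.ZIP_STORED) as zf:
        zf.writestr(name, payload)
    return buf.getvalue()


def inflate_local_sizes(data: bytes, extra: int) -> bytes:
    """Constructed malformed sample used only as audit input: add `extra` to
    the compressed and uncompressed size fields of the first local file
    header (offsets 18 and 22), leaving the central directory untouched."""
    off = data.find(LOCAL_SIG)
    comp, uncomp = struct.unpack_from("<II", data, off + 18)
    patched = bytearray(data)
    struct.pack_into("<II", patched, off + 18, comp + extra, uncomp + extra)
    return bytes(patched)


def audit_zip(data: bytes) -> list:
    """Cross-check every central-directory entry against its local file
    header (or data descriptor) and against the bytes actually present.
    Any disagreement is returned as a finding; an empty list means the
    archive's three sources of truth agree."""
    findings = []
    eocd = data.rfind(EOCD_SIG)
    if eocd < 0:
        return ["no end-of-central-directory record"]
    _, total, cd_size, cd_off = struct.unpack_from("<HHII", data, eocd + 8)
    if cd_off + cd_size > eocd:
        findings.append("central directory runs past the EOCD record")

    pos = cd_off
    for _ in range(total):
        if data[pos:pos + 4] != CENTRAL_SIG:
            findings.append(f"bad central directory signature at offset {pos}")
            break
        (method, _, _, cd_crc, cd_comp, cd_uncomp, fnlen, exlen, cmlen,
         _, _, _, lho) = struct.unpack_from("<HHHIIIHHHHHII", data, pos + 10)
        name = data[pos + 46:pos + 46 + fnlen].decode("utf-8", "replace")
        pos += 46 + fnlen + exlen + cmlen

        if data[lho:lho + 4] != LOCAL_SIG:
            findings.append(f"{name}: no local file header at offset {lho}")
            continue
        (_, flags, l_method, _, _, l_crc, l_comp, l_uncomp,
         lfn, lex) = struct.unpack_from("<HHHHHIIIHH", data, lho + 4)
        start = lho + 30 + lfn + lex   # first byte of member data
        end = start + cd_comp          # where the central directory says it ends

        if flags & 0x0008 and (l_crc, l_comp, l_uncomp) == (0, 0, 0):
            # bit 3 set: CRC and sizes live in a data descriptor after the data
            d = end + 4 if data[end:end + 4] == DESC_SIG else end
            if d + 12 > len(data):
                findings.append(f"{name}: data descriptor truncated")
                continue
            l_crc, l_comp, l_uncomp = struct.unpack_from("<III", data, d)
            where = "data descriptor"
        else:
            where = "local header"

        if (l_crc, l_comp, l_uncomp) != (cd_crc, cd_comp, cd_uncomp):
            findings.append(
                f"{name}: {where} (crc={l_crc:#010x}, sizes={l_comp}/{l_uncomp}) "
                f"disagrees with central directory "
                f"(crc={cd_crc:#010x}, sizes={cd_comp}/{cd_uncomp})")
        if start + l_comp > cd_off:
            findings.append(
                f"{name}: {where} claims {l_comp} bytes but only "
                f"{cd_off - start} are available before the central directory")
        if method == 0 and l_method == 0 and zlib.crc32(data[start:end]) != cd_crc:
            findings.append(f"{name}: CRC32 of stored data does not match")
    return findings


if __name__ == "__main__":
    good = build_stored_zip("eicar.com", b"constructed harmless member\n")
    bad = inflate_local_sizes(good, 255)
    print("consistent archive:", audit_zip(good) or "no findings")
    print("inflated local sizes:", *audit_zip(bad), sep="\n  ")
    # zipfile reads by the central directory, so it extracts the member anyway,
    # which is the "unzip utilities still extract it" behaviour the thread notes
    print(zipfile.ZipFile(io.BytesIO(bad)).read("eicar.com"))
```

On the consistent archive the audit returns no findings; on the inflated copy it reports that the local header disagrees with the central directory and that the claimed byte count runs past the central directory. A scanner that trusts the local header alone is the one the thread shows being confused; the defensive reading is to perform this cross-check, then either scan the central-directory-sized span (which is what extraction tools use) or treat the disagreement itself as a reason to flag the archive rather than reporting "archive damaged" and moving on.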