[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20050315172916.GQ1645@suespammers.org>
From: rodrigob at suespammers.org (Rodrigo Barbosa)
Subject: Unfiltered escape sequences in filenames
contained in ZIP archives wouldn't be escaped on displaying or
logging, and can also lead to bypass AV scanning
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On Tue, Mar 15, 2005 at 05:45:58PM +0100, Dr. Peter Bieringer wrote:
> >I STIL FIND IT happy to
> >see there are lot of AV out there that cant scan such
> >file properly to detect virus.
>
> The problem must be located in the unzip engine:
>
> We've created a mixed ZIP now:
>
> # unzip -l mixed-eicar.zip
> Archive: mixed-eicar.zip
> Length Date Time Name
> -------- ---- ---- ----
> 308 03-10-05 12:00 Test^G^[[2J^[[2;5m^[[1;31mHACKER
> ATTACK^[[2;25m^[[22;30m^[[3q.txt
> 308 03-10-05 12:00 eicarcom2.zip
> -------- -------
> 616 2 files
>
>
> BTW: note here that "unzip" displays the escape sequences very proper!
>
> Available here:
> <ftp://ftp.aerasec.de/pub/advisories/unfiltered-escape-sequences/mixed-eicar.zip>
>
> Some AV software detect the virus only in second part of the ZIP file, so
> it looks like the first one is really skipped and not analysed.
F-Prot seems to detect it correctly:
VIRUS SIGNATURE FILES
SIGN.DEF created 13 March 2005
SIGN2.DEF created 13 March 2005
MACRO.DEF created 11 March 2005
Search: mixed-eicar.zip
Action: Report only
Files: "Dumb" scan of all files
Switches: -ARCHIVE -PACKED -SERVER
/home/rodrigob/tmp/mixed-eicar.zip->Test^G^[[2J^[[2;5m^[[1;31mHACKER ATTACK^[[2;25m^[[22;30m^[[3q.txt->eicar_c->eicar.com Infection: EICAR_Test_File
/home/rodrigob/tmp/mixed-eicar.zip->eicarcom2.zip->eicar_com.zip->eicar.com Infection: EICAR_Test_File
Results of virus scanning:
Files: 1
MBRs: 0
Boot sectors: 0
Objects scanned: 7
Infected: 2
Suspicious: 0
Disinfected: 0
Deleted: 0
Renamed: 0
Time: 0:00
- --
Rodrigo Barbosa <rodrigob@...spammers.org>
"Quid quid Latine dictum sit, altum viditur"
"Be excellent to each other ..." - Bill & Ted (Wyld Stallyns)
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.0 (GNU/Linux)
iD8DBQFCNxtspdyWzQ5b5ckRApEcAKCHZTlzib/lH7LUjpL/FqEOtSsyegCfbW1a
BSjnssdy4iIBXZyEcv/JF1Q=
=M4rV
-----END PGP SIGNATURE-----
Powered by blists - more mailing lists