[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <Pine.LNX.4.61.0503151337140.14200@workstation3.wi.securepipe.com>
From: mjp-bugtraq at securepipe.com (Michael J. Pomraning)
Subject: Re: Unfiltered escape sequences in filenames
contained in ZIP archives
wouldn't be escaped on displaying or logging, and can also lead to bypass
AV scanning
On Mon, 14 Mar 2005, Dr. Peter Bieringer wrote:
> during investigation of Sober.l we got the idea to replace the spaces of a
> filename contained in the ZIP archive by some escape sequences.
>
[...]
>
> Also we found that at least 2 AV scan programs from 2 vendors do not detect
> the virus inside and report "clean" instead.
I think Sophos passes the test. I find that the underlying API (as exposed
by a python wrapper) is able to detect the viruses in all cases. For the
command line "sweep" utility, try adding the "-all" switch to your
invocation:
$ /usr/local/bin/sweep -ss -archive -all unfiltered-escape-sequences-in-filename-eicar.zip
>>> Virus 'EICAR-AV-Test' found in file unfiltered-escape-sequences-in-filename-eicar.zip/Test_[2J_[2;5m_[1;31mHACKER ATTACK_[2;25m_[22;30m_[3q.txt/eicar_com.zip/eicar.com
$ md5sum unfiltered-escape-sequences-in-filename-eicar.zip
38363004047dc11b206305bd3660d68f unfiltered-escape-sequences-in-filename-eicar.zip
This is using engine 2.28.4, as in your tests. The consituent filenames are
escaped before being displayed, too (sadly excepting ASCII BEL).
Regards,
Mike
Powered by blists - more mailing lists