Message-ID: <9E97F0997FB84D42B221B9FB203EFA2701008183@dc1ms2.msad.brookshires.net>
Date: Thu Jun 16 17:48:26 2005
From: toddtowles at brookshires.com (Todd Towles)
Subject: Sophos Antivirus Advisory
Robert, MW and class are right. This is a general problem of all
sig-based AV systems. It has been covered on this list and many other
places I am sure. You should report this to Sophos, but only because you
were using Sophos in your test. To report it here as a Sophos vuln
isn't fair to Sophos IMHO. But that is just my 2 cents.
> -----Original Message-----
> From: full-disclosure-bounces@...ts.grok.org.uk
> [mailto:full-disclosure-bounces@...ts.grok.org.uk] On Behalf
> Of patrickhof@....de
> Sent: Thursday, June 16, 2005 6:54 AM
> To: bugtraq@...urityfocus.com; full-disclosure@...ts.grok.org.uk
> Subject: [Full-disclosure] Sophos Antivirus Advisory
>
> = Advisory: Sophos doesn't recognize keylogger after string alteration =
>
> During a penetration test RedTeam found out that Sophos
> Anti-Virus (SAV for short) won't recognize a keylogger as
> malware after alteration of a string in the keylogger's binary.
>
> == Details ==
>
> Product: Sophos Anti-Virus
> Affected Version: <= 5.0.2
> Immune Version: None known
> OS affected: tested on Win2k, GNU/Linux, probably all supported by Sophos
> Security-Risk: medium
> Remote-Exploit: no
> Vendor-URL: http://www.sophos.com
> Vendor-Status: informed
> Advisory-URL: http://tsyklon.informatik.rwth-aachen.de/redteam/advisories/rt-sa-2005-013
> Advisory-Status: published
>
> == Introduction ==
>
> "Sophos Anti-Virus provides integrated virus detection on a
> wide range of Windows platforms. Our award-winning technology
> protects corporate servers, desktops and laptops from
> viruses, Trojans, worms and malicious spyware." (from Vendor's page)
>
> SAV fails to recognize a keylogger binary after altering a
> few bytes in a string contained in the program.
>
>
> == More Details ==
>
> During a penetration test, RedTeam wanted to install a
> keylogger on a victim's system. Klogger (written by Arne
> Vidstrom, see [1]) was chosen because of its small size,
> simplicity, and the ability to be executed from the command
> prompt. Since we knew that SAV was running on the target
> system, we did a test in our lab at RWTH-Aachen University.
> This test revealed that SAV would recognize the Klogger
> binary as malicious and raise alarm.
>
> In a simplistic attempt to confuse SAV, a few bytes in the
> Klogger binary (there is no source code available) which
> belonged to a string containing the author's name were
> changed with a hex editor. To our astonishment this was
> enough to foil SAV - no alarms were raised for the modified
> binary. Apparently the only detection method deployed by SAV
> for this binary was a hash comparison or something to the same effect.
>
> Tests with other antivirus programs showed that all of them
> recognized the binary even after the string alteration. As
> for SAV, additional tests with more popular malware showed
> that for these, proper heuristics were used: it was not
> enough just to change a few bytes with other malware binaries
> we tested.
>
> This example shows impressively how easily some virus scanners
> can be bypassed. An attacker just has to spend less than one
> minute manipulating the keylogger to prevent SAV from
> detecting the file.
>
> As keyloggers are more and more used by criminals like
> phishers to get e.g. online-banking data, it is important
> that protection software has robust detection mechanisms for
> malware. Simple circumvention of protection mechanisms could
> lead to a severe information leakage and compromise of the
> user. It is not uncommon for malware code to be hex-edited by
> the entities deploying it, or even to change itself, thus
> potentially circumventing SAV if this practice is used with
> other malicious code, too.
>
> [1] http://ntsecurity.nu/toolbox/klogger/
>
> == Proof of Concept ==
>
> Just download klogger and change some bytes.
>
> == Workaround ==
>
> Never rely only on your antivirus program, regardless of how good it is.
> Those programs can only detect known malware with 100% certainty.
> Unknown, and also slightly modified, malicious code is only
> recognized using heuristics, which fail much too often.
> Always use common sense and don't execute or even open files
> when you don't know exactly where they come from.
>
> == Fix ==
>
> None known.
>
>
> == Security Risk ==
>
> As users should not rely only on their antivirus programs (as stated
> above) in the first place, the security risk may be seen as medium.
>
>
> == History ==
>
> 14.04.2005 discovery of SAV's behaviour
> 21.04.2005 additional tests with other programs
> 10.05.2005 advisory is written
> 03.06.2005 contacted Sophos. Answer: the attachment you sent is clean.
>            Eh? Apparently, they sent the attached pgp-signature to their
>            virus-lab... Asked for a security contact. Got back the offer
>            that if we send a file with a virus, they can scan it.
>            Okaaaay, that was not the question, was it? Told them we were
>            short of viruses, sorry. Contact promised to send the mail to
>            their headquarters in England. Never heard from them again.
> 16.06.2005 Advisory released
>
> == RedTeam ==
>
> RedTeam is a penetration testing group working at the
> Laboratory for Dependable Distributed Systems at RWTH-Aachen
> University. You can find more information on the RedTeam
> Project at http://tsyklon.informatik.rwth-aachen.de/redteam/
>
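As an added example (not part of the advisory, the list thread or Sophos' product), the following Python models the two detection strategies the advisory contrasts: a whole-file hash match, which the string edit defeats, beside a byte pattern taken from the code region, which survives it. The sample bytes, the author-name string, the replacement string and both signatures are constructed here for illustration.

```python
import hashlib

# Constructed stand-in for a small executable: a code region followed by a
# data region holding a printable author-name string, as in Klogger. The
# bytes and the string are made up for this example, not taken from Klogger.
CODE = bytes.fromhex("5589e583ec10c745fc00000000eb0a8b45fc83c0018945fc817dfc")
DATA_STRING = b"Written by Arne Vidstrom\x00"
SAMPLE = CODE + DATA_STRING

def file_hash(blob: bytes) -> str:
    """Whole-file SHA-256: the 'hash comparison' the advisory suspects SAV used."""
    return hashlib.sha256(blob).hexdigest()

# Signature 1: exact hash of the known sample (brittle: any byte change breaks it).
HASH_SIGNATURE = file_hash(SAMPLE)

# Signature 2: a byte pattern taken from the code region only. Strings in the
# data region are not part of it, so hex-editing them does not affect the match.
CODE_PATTERN = CODE[:16]

def detect_by_hash(blob: bytes) -> bool:
    return file_hash(blob) == HASH_SIGNATURE

def detect_by_pattern(blob: bytes) -> bool:
    return CODE_PATTERN in blob

def patch_string(blob: bytes, old: bytes, new: bytes) -> bytes:
    """Overwrite a string in the data region with one of the same length,
    i.e. the kind of hex-editor change the advisory describes."""
    if len(old) != len(new):
        raise ValueError("replacement must keep the file layout intact")
    return blob.replace(old, new, 1)

MODIFIED = patch_string(SAMPLE, b"Arne Vidstrom", b"Anon Xidstrom")

def compare() -> dict:
    """Run both detectors over the original and the string-altered sample."""
    return {
        "original": (detect_by_hash(SAMPLE), detect_by_pattern(SAMPLE)),
        "modified": (detect_by_hash(MODIFIED), detect_by_pattern(MODIFIED)),
    }

if __name__ == "__main__":
    for name, (by_hash, by_pattern) in compare().items():
        print(f"{name}: hash signature={by_hash}, code-pattern signature={by_pattern}")
```

The hash signature stops matching as soon as one byte of the data string changes, while the code-region pattern still fires on the modified sample, which is the behaviour the advisory says other scanners showed.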