lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <20051025094343.0whtl4orxhm8sgcs@mail.doctorunix.com>
Date: Tue Oct 25 15:44:25 2005
From: trains at doctorunix.com (trains@...torunix.com)
Subject: Multiple Vendor Anti-Virus Software
	Detection Evasion Vulnerability through forged magic byte

Quoting Andrey Bayora <andrey@...urityelf.org>:

> Multiple Vendor Anti-Virus Software Detection Evasion Vulnerability through
> forged magic byte.
> AUTHOR: Andrey Bayora (www.securityelf.org)
>
> Some file types like .bat, .html and .eml can be properly executed even if
> they have some "unrelated" beginning. For example, in the case of .BAT
> files - it is possible to prepend some "junk" data at the beginning of the
> file without altering correct execution of the batch file. In my tests, I
> used the calc.exe headers (first 120 bytes - middle of the dosstub section)
> to change 5 different files of existing viruses. In addition, the simplest
> test of this vulnerability is to prepend only the magic byte (MZ) to the
> existing malicious file and check if this file is detected by antivirus
> program.

I have used inflex ( http://www.pldaniels.com/inflex/ ) for years to 
avoid this type of problem.   This may sound like a plug for Paul 
Daniels' work, but since it's OSS, why not?

inflex features pedantic scanning, wherein it will reject an email 
attachment if the file name matches a regex [OR] the attachment gets a 
hit by your AV scanner [OR] any number of other conditions.

This finding certainly makes the case for layering security.

t

-------------------------------------------------
Email solutions, MS Exchange alternatives and extrication,
security services, systems integration.
Contact:    services@...torunix.com

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ