Date: Tue Oct 25 15:44:25 2005
From: trains at doctorunix.com (trains@...torunix.com)
Subject: Multiple Vendor Anti-Virus Software Detection Evasion Vulnerability through forged magic byte

Quoting Andrey Bayora <andrey@...urityelf.org>:

> Multiple Vendor Anti-Virus Software Detection Evasion Vulnerability through
> forged magic byte.
> AUTHOR: Andrey Bayora (www.securityelf.org)
>
> Some file types like .bat, .html and .eml can be properly executed even if
> they have some "unrelated" beginning. For example, in the case of .BAT
> files - it is possible to prepend some "junk" data at the beginning of the
> file without altering correct execution of the batch file. In my tests, I
> used the calc.exe headers (first 120 bytes - middle of the DOS stub section)
> to change 5 different files of existing viruses. In addition, the simplest
> test of this vulnerability is to prepend only the magic byte (MZ) to the
> existing malicious file and check if this file is detected by antivirus
> program.

I have used inflex ( http://www.pldaniels.com/inflex/ ) for years to
avoid this type of problem. This may sound like a plug for Paul
Daniels' work, but since it's OSS, why not?

inflex features pedantic scanning, wherein it will reject an email 
attachment if the file name matches a regex [OR] the attachment gets a 
hit by your AV scanner [OR] any number of other conditions.

This finding certainly makes the case for layering security.

t

-------------------------------------------------
Email solutions, MS Exchange alternatives and extrication,
security services, systems integration.
Contact:    services@...torunix.com
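The two ideas in this thread, the forged-magic evasion Andrey Bayora describes and the layered "any condition rejects" check that the reply credits to inflex, as an added, self-contained example. This is not code from the advisory, from the reply's author, or from the inflex project: the "PE header" bytes, the batch payload and the "virus signature" are all constructed stand-ins (the real advisory used the first 120 bytes of calc.exe), the command and filename regexes are assumptions chosen for the demo, and `sniff_type`/`naive_av_detects` model the type-gated scanning behaviour the advisory implies rather than any real engine's logic.

```python
import re

# Constructed sample payload: a harmless batch script standing in for the
# malicious .bat files the advisory tested. It starts with a line break so
# that, once junk is prepended, only the first (junk) line is garbled and
# every real command still sits on its own line.
BATCH_BODY = b"\r\n@echo off\r\necho hello from batch\r\n"

# Constructed stand-in for the start of a PE file (assumption: the advisory's
# calc.exe header is replaced by a hand-written MZ signature, a few header
# bytes and the DOS-stub message). This is not a real executable.
FAKE_PE_PREFIX = (b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff"
                  b"This program cannot be run in DOS mode.\r\r\n$")

# Constructed "virus signature": the byte string a scanner looks for.
SIGNATURE = b"echo hello from batch"


def forge_magic(prefix: bytes, body: bytes) -> bytes:
    """Prepend unrelated data (here, a forged PE header) to the file body,
    which is the whole trick the advisory describes."""
    return prefix + body


def sniff_type(data: bytes) -> str:
    """Naive type detection from the first bytes only; this is what the
    forged magic byte is aimed at."""
    head = data.lstrip()
    if head.startswith(b"MZ"):
        return "pe"
    if head[:6].lower().startswith(b"<html"):
        return "html"
    if head.startswith(b"@echo") or head.lower().startswith(b"rem "):
        return "bat"
    return "unknown"


def naive_av_detects(data: bytes) -> bool:
    """Model of a scanner that only applies batch signatures to files it
    sniffed as .bat. A forged MZ prefix sends it down the PE path and the
    payload is never checked."""
    return sniff_type(data) == "bat" and SIGNATURE in data


def robust_av_detects(data: bytes) -> bool:
    """Model of a scanner that applies the signature regardless of sniffed type."""
    return SIGNATURE in data


# Assumed list of batch commands for the content check; extend as needed.
BATCH_CMD_RE = re.compile(rb"(?im)^\s*@?(?:echo|rem|set|start|call|cmd|del|copy|reg)\b")


def looks_like_batch(data: bytes) -> bool:
    """Content check that ignores the first bytes: does any line start with
    a batch command? Survives any amount of prepended junk."""
    return BATCH_CMD_RE.search(data) is not None


# Assumed extension list; a real deployment would tune this to local policy.
RISKY_NAME_RE = re.compile(r"\.(?:bat|cmd|exe|com|scr|pif|vbs|js)$", re.IGNORECASE)


def pedantic_reasons(filename: str, data: bytes, av_hit: bool) -> list:
    """inflex-style layered rejection: each independent condition adds a
    reason, and the attachment is rejected when the list is non-empty.
    The forged magic defeats the type sniffer, but not the filename check
    or the content check, so the layers still catch it."""
    reasons = []
    if RISKY_NAME_RE.search(filename):
        reasons.append("filename")
    if av_hit:
        reasons.append("av")
    if looks_like_batch(data):
        reasons.append("content:batch")
    return reasons


if __name__ == "__main__":
    forged = forge_magic(FAKE_PE_PREFIX, BATCH_BODY)
    print("plain  sniffed as", sniff_type(BATCH_BODY), "naive AV:", naive_av_detects(BATCH_BODY))
    print("forged sniffed as", sniff_type(forged), "naive AV:", naive_av_detects(forged))
    print("forged robust AV:", robust_av_detects(forged))
    print("pedantic reasons for forged 'report.bat':",
          pedantic_reasons("report.bat", forged, naive_av_detects(forged)))
```

The point the demo makes is the one the reply draws: a scanner that trusts the first bytes to pick its signature set is evaded by the prefix, while a check that looks at every line of the content, or simply at the filename, is not. Whether the prefixed batch file actually still runs under cmd.exe is the advisory's claim, not something this script exercises.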