lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Message-ID: <476668061.20051027200748@Sniff-em.com>
Date: Thu Oct 27 19:07:58 2005
From: Thierry at sniff-em.com (Thierry Zoller)
Subject: Re: Multiple Vendor Anti-Virus Software
	Detection Evasion Vulnerability through forged magic byte

Dear James,

WJK> You are effectively altering existing viruses to the point that
WJK> AV scanners do not detect them.
No, he is changing a few bytes only.

WJK>  If your altered virus sample
WJK> still executes correctly, you have simply created a new virus 
WJK> variant.
No, there is no variant, the virus executes EXACTLY as before. A
variant acts differenlty then a precedent version, else it would be no
variant. To your AV engine it is a variant, yes, but only because it is flawed.

WJK> Consequently, the issue that you describe is *not* a
WJK> vulnerability issue, but rather just an example of a new variant
WJK> that has not yet been added to an AV vendor's database of "known
WJK> viruses".

Thank you James, this _to my knowledge_ (perhaps the guy from vmyths
knows better) is the first time the complete failure of todays AV
solutions is shown naked publicaly directly by a representant of an
AV company. This statement coming from a AV vendor is
simply exposing what is known in the sec. community since many years.

Instead of beahviour analysis, most AV vendors choose uterly stupid
PE section fingerprints, defeated by adding a few bytes. Go figure. of
course this is no vulnerability, it's a feature!

My theory on this is simple :
- ALL files can't be analysed the same way by AV engines (due to speed
  issues) (In other words not all analysis/fingerpritns is applied to
  every file)
  
The solution was to make the engines a bit "smarter", i.e analyse the
header to determine the type and then ONLY apply the signatures/heuristics
which apply to the type of the file (i am not speaking about the extension
of the file here) thus speeding up the process. Changing the header
just makes the smart engines look...well...  a bit dumb in my regards.

-- 
Regards,
Thierry Zoller
http://thierry.sniff-em.com

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ