Bugtraq mailing list archives

Re: Bypass Virus Checking


From: neil () BORTNAK COM (Neil Bortnak)
Date: Wed, 2 Feb 2000 10:27:49 -0800


Hi everyone,

I have received many reports from people telling me if they were
vulnerable or not. Here's what I have so far:

Vulnerable:

Virus Scan 4050 Defs: 4062
NAV 5.01.01c Defs: 012400
NAV Version lost
NAV Version lost
NAV2k 2000.00.02 Defs: 12400

Not Vulnerable:

NAV 5.00.01c 012400 (Win 98)
NAV 5.0 011500 (NT4)
NAV 4.x (NT4)
NAV 5.02.04 Defs: 012400 (Win95)
VET 10.1.7.1
F-Secure AVW 4.05 F-PROT: 3.04.825 Defs: 12/19/99
AVP Undisclosed version

What I'm inferring from this is that Virus Scan is vulnerable all the
time, NAV once in a while and no one else is really affected. Why NAV is
only affected sometimes may have been answered by an Edward Salm from
IBM's Emergency Virus Response Service. He said, "The reason I mentioned
the other eicar.com is I noticed NAV on my test machine wouldn't detect
your version of eicar.com unless bloodhound was activated!  When I
turned bloodhound heuristics off (even though autoprotect was still
running), I could put your eicar.com anywhere on the drive!" Doesn't
that give you a good pointer? Bloodhound seems pretty important. It's
also possible that bloodhound ignores the default exclusions. I have a
contact at SARC whom I'll ask about this and let you all know the
response. Oh, and in case you're wondering, there was only a difference
of one byte between our copies of EICAR.COM. Mine terminated in an <LF>,
Ed's in a <CR><LF>.

Here's an idea. The statement by McAfee that they can't go looking for
XORed files because it's not feasible got me thinking. It seems to me
that it's not feasible because it would take too long. People would be
annoyed at 2 second waits for their files to open and whatnot. Now, I'm
no AV expert and some even may work like this, but here's what I came up
with. An AV checker could do a real hard look at a file, doing whatever
it needed to be really thorough with the file (I understand that
breaking XOR programmatically is pretty straightforward). It would then
store an MD5 hash for that file in an index. Whenever it needed to
scan a file, it would just compare hashes (which is quick), and only
re-scan the files if they had been changed. Special handling would
probably be needed for data files as they get changed all the time, but
overall it seems reasonable to me. I'd also think that AV scanners could
do more advanced scans in the background with CPU idle cycles. There are
a LOT of spare cycles on the average desktop.

Thanks for the great responses everyone,

Neil Bortnak
InfoSec & Linux Consulting
www.bortnak.com

P.S. Avoid sending attachments to the list. You get tons of bounce mail
and your message won't show up properly (at all) in the archive.
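The scan-cache idea sketched in the message above, worked through as an added example; this is not code from the original post or from any of the scanners it lists. It assumes one signature (the EICAR test string) and single-byte XOR encoding, which is enough to show the two pieces: the "real hard look" that tries every XOR key, and the index that makes later scans of an unchanged file a hash lookup. Two design choices go beyond the post: the index key is SHA-256 rather than MD5, and it also includes a signature-set version, because a "clean" verdict cached under old definitions must not survive a definitions update.

```python
import hashlib
from typing import Dict, Optional, Tuple

# The 68-byte EICAR test string, split in two so this source file is not
# itself picked up as the test file by an on-access scanner.
EICAR = (b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$"
         b"EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*")

# Signature table: name -> byte pattern. A real engine has thousands of
# entries; this added example has one (an assumption, not the page's data).
SIGNATURES: Dict[str, bytes] = {"EICAR-Test-File": EICAR}


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte of data with a single-byte key (self-inverse)."""
    return bytes(b ^ key for b in data)


def deep_scan(data: bytes) -> Optional[str]:
    """The expensive 'real hard look': match every signature against the
    file as-is (key 0) and under all 255 non-trivial single-byte XOR keys.
    Returns the signature name, with the recovered key, or None if clean."""
    for key in range(256):
        view = data if key == 0 else xor_bytes(data, key)
        for name, sig in SIGNATURES.items():
            if sig in view:
                return name if key == 0 else f"{name} (XOR key 0x{key:02x})"
    return None


class CachingScanner:
    """Scan index keyed by (content hash, signature version).

    deep_scan runs once per distinct file content; an unchanged file is
    resolved by hashing it and looking the hash up. Bumping the signature
    version invalidates every cached verdict, so a definitions update
    forces a fresh deep scan instead of replaying a stale 'clean' result.
    """

    def __init__(self) -> None:
        self.index: Dict[Tuple[str, int], Optional[str]] = {}
        self.sig_version = 1
        self.deep_scans = 0          # how many expensive scans actually ran

    @staticmethod
    def digest(data: bytes) -> str:
        # SHA-256 instead of the MD5 the post mentions: the index must not be
        # fooled by two files that collide under the hash.
        return hashlib.sha256(data).hexdigest()

    def update_signatures(self) -> None:
        """Simulate a definitions update: old verdicts become stale."""
        self.sig_version += 1

    def scan(self, data: bytes) -> Optional[str]:
        key = (self.digest(data), self.sig_version)
        if key in self.index:
            return self.index[key]       # unchanged file: hash lookup only
        self.deep_scans += 1
        verdict = deep_scan(data)
        self.index[key] = verdict
        return verdict

    def scan_path(self, path: str) -> Optional[str]:
        """Scan a file on disk by content, so a rename alone never re-scans."""
        with open(path, "rb") as fh:
            return self.scan(fh.read())


if __name__ == "__main__":
    scanner = CachingScanner()
    # Constructed sample inputs: the test file, the same bytes XORed with
    # 0x41, and an innocuous file.
    sample = EICAR + b"\n"
    for name, blob in [("plain", sample),
                       ("xor-0x41", xor_bytes(sample, 0x41)),
                       ("clean", b"hello world\n"),
                       ("plain again", sample)]:
        print(f"{name:12s} -> {scanner.scan(blob)}  "
              f"(deep scans so far: {scanner.deep_scans})")
```

The index is keyed by what the file contains, not by its name or timestamp, so a moved or copied file costs one hash; the data-file case the post worries about is exactly the case where content changes often and the hash misses, which is why the post suggests special handling there.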

