Re: Multiple Vendor Anti-Virus Software Detection Evasion Vulnerability through forged magic byte

[trains () doctorunix com]

Quoting Andrey Bayora <andrey () securityelf org>:

> Multiple Vendor Anti-Virus Software Detection Evasion Vulnerability through
> forged magic byte.
> AUTHOR: Andrey Bayora (www.securityelf.org)
>
> Some file types like .bat, .html and .eml can be properly executed even if
> they have some "unrelated" beginning. For example, in the case of .BAT
> files - it is possible to prepend some "junk" data at the beginning of the
> file without altering correct execution of the batch file. In my tests, I
> used the calc.exe headers (first 120 bytes - middle of the dosstub section)
> to change 5 different files of existing viruses. In addition, the simplest
> test of this vulnerability is to prepend only the magic byte (MZ) to the
> existing malicious file and check if this file is detected by antivirus
> program.

I have used inflex ( http://www.pldaniels.com/inflex/ ) for years to 
avoid this type of problem.   This may sound like a plug for Paul 
Daniels' work, but since it's OSS, why not?

inflex features pedantic scanning, wherein it will reject an email 
attachment if the file name matches a regex [OR] the attachment gets a 
hit by your AV scanner [OR] any number of other conditions.

This finding certainly makes the case for layering security.

t

-------------------------------------------------
Email solutions, MS Exchange alternatives and extrication,
security services, systems integration.
Contact:    services () doctorunix com


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/