Full Disclosure mailing list archives
Re: Multiple Vendor Anti-Virus Software Detection Evasion Vulnerability through forged magic byte
From: trains () doctorunix com
Date: Tue, 25 Oct 2005 09:43:43 -0500
Quoting Andrey Bayora <andrey () securityelf org>:
Multiple Vendor Anti-Virus Software Detection Evasion Vulnerability through forged magic byte. AUTHOR: Andrey Bayora (www.securityelf.org) Some file types like .bat, .html and .eml can be properly executed even if they have some "unrelated" beginning. For example, in the case of .BAT files - it is possible to prepend some "junk" data at the beginning of the file without altering correct execution of the batch file. In my tests, I used the calc.exe headers (first 120 bytes - middle of the dosstub section) to change 5 different files of existing viruses. In addition, the simplest test of this vulnerability is to prepend only the magic byte (MZ) to the existing malicious file and check if this file is detected by antivirus program.
I have used inflex ( http://www.pldaniels.com/inflex/ ) for years to avoid this type of problem. This may sound like a plug for Paul Daniels' work, but since it's OSS, why not?
inflex features pedantic scanning, wherein it will reject an email attachment if the file name matches a regex [OR] the attachment gets a hit by your AV scanner [OR] any number of other conditions.
This finding certainly makes the case for layering security. t ------------------------------------------------- Email solutions, MS Exchange alternatives and extrication, security services, systems integration. Contact: services () doctorunix com _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- Multiple Vendor Anti-Virus Software Detection Evasion Vulnerability through forged magic byte Andrey Bayora (Oct 24)
- Re: Multiple Vendor Anti-Virus Software Detection Evasion Vulnerability through forged magic byte trains (Oct 25)
- RE: Multiple Vendor Anti-Virus Software DetectionEvasion Vulnerability through forged magic byte Debasis Mohanty (Oct 25)
- Message not available
- Re: Multiple Vendor Anti-Virus Software DetectionEvasion Vulnerability through forged magic byte Eygene A. Ryabinkin (Oct 27)
- <Possible follow-ups>
- Re: Multiple Vendor Anti-Virus Software Detection Evasion Vulnerability through forged magic byte Williams, James K (Oct 27)
- Re: Multiple Vendor Anti-Virus Software Detection Evasion Vulnerability through forged magic byte x (Oct 27)