funsec mailing list archives

RE: Overloading AV software, was Question about Viruses


From: "Richard M. Smith" <rms () bsf-llc com>
Date: Fri, 7 Jul 2006 14:13:24 -0400

Regardless of how difficult it might be to put a virus signature into an
image file, one should be able to create a Web page which downloads hundreds
of small files which cause false alarms to be triggered by an AV software
package, right?  Besides my little VBScript file, one could use real virus
files that are downloaded via an <img src=> tag.

BTW, my VBScript file is triggering some sort of Bloodhound signature.  I've
seen similar Bloodhound warnings for WMF files.

Here's my VBScript code which is very generic:

rem
rem      Library of VBScript helper functions which can be called from JavaScript
rem

' Convert a VT_ARRAY | VT_UI1 byte array (e.g. from an XMLHTTP responseBody)
' into a VBScript string, one character per byte.
Function VBSByteArray2String(BA)
        Dim j, n
        n = UBound(BA) + 1
        Execute "Dim a(" & CStr(n) & ")"   ' Isn't there any easier way to create a dynamic array in VBScript?
        ' Note: Dim a(n) allocates n + 1 elements (indices 0 to n); the unused
        ' last element stays Empty and adds nothing to the Join below.
        BA = Midb(BA, 1, n)                ' Without this useless midb call, this function runs very slow
        For j = 1 to n
                a(j - 1) = ChrW(Ascb(Midb(BA, j, 1)))   ' ChrW is very important
        Next
        VBSByteArray2String = Join(a, "")
End Function

' Evaluate a VBScript expression passed in as a string.
Function VBSEval(expr)
        VBSEval = eval(expr)
End Function

' Number of elements in a zero-based VBScript array.
Function VBSArrayLen(a)
        VBSArrayLen = UBound(a) + 1
End Function

Function VBSTypeName(a)
        VBSTypeName = TypeName(a)
End Function

Function VBSVarType(a)
        VBSVarType = VarType(a)
End Function

Function VBSFormatDateTime(d, format)
        VBSFormatDateTime = FormatDateTime(d, format)
End Function

' Script engine version as "major.minor.build".
Function VBSVerno
   Dim s
   s = ""
   s = s & ScriptEngineMajorVersion & "."
   s = s & ScriptEngineMinorVersion & "."
   s = s & ScriptEngineBuildVersion
   VBSVerno = s
End Function

Function VBSGetLocale
        VBSGetLocale = GetLocale()
End Function

' Split a date/time value into its six numeric components.
Function VBSTimeSplit(time)
        VBSTimeSplit = Array(Year(time), Month(time), Day(time), _
                             Hour(time), Minute(time), Second(time))
End Function



Richard

-----Original Message-----
From: Drsolly [mailto:drsollyp () drsolly com] 
Sent: Friday, July 07, 2006 2:00 PM
To: Richard M. Smith
Cc: 'FunSec LList'
Subject: RE: [funsec] Overloading AV software, was Question about Viruses

On Fri, 7 Jul 2006, Richard M. Smith wrote:

But for the most part massimo is right, it's a dumb strategy 

Hmm, what if the bad guys overloaded a user with virus warning messages as a
strategy to get people to turn off their AV software.  For example, could a
Web page download a few hundred image files with known virus signatures
tacked on the end of each file in order to make AV software go nuts?  Could
the same trick be used in an HTML email message?

You have a fundamental (and very common) misunderstanding about "virus 
signatures".

I can only talk authoritatively about my AV software design, but I think 
most AV software today works in a similar way.

So. The problem is, you think there's something called a "virus 
signature". There is, indeed, an "Alan Solomon" signature, I write it on 
cheques and suchlike, and it's pretty much the same each time I write it, 
and you can recognise that it's my signature.

But there is no similar "virus signature". What there is, is a sequence of 
bytes chosen from the body of the virus, that the AV uses to determine 
whether the virus is present or not.

1) Different AV products will choose different sequences as the thing 
they're looking for.

2) Certainly the AV I wrote (and it still works this way today), and (I 
think) most other AV products, only look for that byte sequence, in the 
place(s) that it would have to be if the file is infected. So, if you 
append that byte-sequence to the end of the file, the AV will, correctly, 
say that the file is not infected.

So, your idea won't work.
 
I already have an HTML application that is triggering false positives in
Symantec because Symantec thinks a bit of VBScript code I wrote is
malicious code.

That's a false alarm. Send Symantec the code you wrote, explain that it's 
generating false alarms, and wait for them to fix their product.

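The distinction Drsolly draws above, between "the sequence appears somewhere in the file" and "the sequence sits where it would have to be if the file were infected", is easy to see in code. The following is an added example, not code from either poster or from any AV product; it uses a constructed toy file format (a magic value plus an entry-point offset) and an arbitrary constructed detection string, not bytes from any real malware. It shows that appending the detection string to a clean file trips a substring-style scanner but not a position-aware one, while a file whose entry point actually lands on the sequence trips both.

```python
import struct

# Constructed toy executable format used only for this demonstration
# (not a real file format):
#   bytes 0..3 : magic "TOYX"
#   bytes 4..7 : little-endian offset of the entry point
#   bytes 8..  : body
MAGIC = b"TOYX"
HEADER_LEN = 8

# Constructed detection string: the byte sequence this toy scanner looks
# for. It is an arbitrary marker, not taken from any real malware.
DETECTION_STRING = b"\xde\xad\xbe\xef\x90\x90"


def build_file(body: bytes, entry_offset: int) -> bytes:
    """Assemble a toy file: header with entry offset, then the body."""
    return MAGIC + struct.pack("<I", entry_offset) + body


def naive_scan(data: bytes) -> bool:
    """The model the original question assumes: flag the file if the
    sequence appears anywhere in it. Appending the sequence trips this."""
    return DETECTION_STRING in data


def positional_scan(data: bytes) -> bool:
    """The model Drsolly describes: look for the sequence only at the place
    it would have to be if the file were infected (here, the entry point)."""
    if len(data) < HEADER_LEN or data[:4] != MAGIC:
        return False  # not a file of this type; nothing to check
    (entry,) = struct.unpack("<I", data[4:8])
    if entry + len(DETECTION_STRING) > len(data):
        return False  # entry point outside the file: cannot be an infection
    return data[entry:entry + len(DETECTION_STRING)] == DETECTION_STRING


# Constructed sample files.
CLEAN_BODY = b"clean program code"

# 1. A clean file: entry point at the start of the body.
CLEAN_FILE = build_file(CLEAN_BODY, HEADER_LEN)

# 2. The same clean file with the detection string tacked on the end, as the
#    original question proposes. The entry point still points at clean code.
APPENDED_FILE = build_file(CLEAN_BODY + DETECTION_STRING, HEADER_LEN)

# 3. A file whose entry point has been redirected onto the sequence, which is
#    what an actual infection of this toy format would look like.
INFECTED_FILE = build_file(CLEAN_BODY + DETECTION_STRING,
                           HEADER_LEN + len(CLEAN_BODY))


def scan_all(data: bytes) -> dict:
    """Return both verdicts so the two scanning models can be compared."""
    return {"naive": naive_scan(data), "positional": positional_scan(data)}


if __name__ == "__main__":
    for name, blob in (("clean", CLEAN_FILE), ("appended", APPENDED_FILE),
                       ("infected", INFECTED_FILE)):
        print(f"{name:9s} {scan_all(blob)}")
```

Running it prints a naive verdict of True for both the appended and the infected file, but a positional verdict of True only for the infected one, which is the behaviour Drsolly says his scanner has. The same positional check is also what keeps a detection string that merely happens to occur in the data portion of a clean file from producing a false alarm.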


_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
