Re: Multiple Antivirus Scanners DoS attack.

[Yosif Sleman <sleman () compranet gob mx>]

Solaris 8 box with Virus Scan for Solaris 4.32.0, engine 4.3.20 and data 
file 4366 takes a lot of CPU and time to process the file, but the process 
never crashed neither hanged, the CPU was around 96% of usage, and the 
memory kept between 26 and 33MB (i have two webservers an a database 
running on the test box and none was affected even with the uvscan taking 
all the CPU).

At first, the scan stalled at the same point than Linux but after 3 mins 
the scan continued without problems, i had to stop the scan 48 mins later 
only with a 50% of the backdoor file processed because it was taking so 
long to finish. (the cab files are the slowest to parse).

Regards,
Sleman

At 02:48 PM 14/06/2004 -0300, "Ethy H. Brito" <ethy () inexo com br> wrote:
> On Mon, 14 Jun 2004 14:38:50 +0000
> "bipin gautam" <visitbipin () hotmail com> wrote:
>
> > Multiple Antivirus Scanners DoS attack.
> >
> > --- [Vulnerable Products] ---
> >       Only tested on...
> >
> > * Norton Antivirus 2002
> > * Norton Antivirus 2003
> > * Mcafee VirusScan 6
> > * Network Associates (McAfee) VirusScan Enterprise 7.1
> > * Windows Xp default ZIP manager [report's wrong size of compress ZIP
> > files.]
>
> Linux uvscan scan engine 4.3.20 (MacAfee) is also vulnerable.
> uvscan takes all CPU and lots of memory been only killed with signal 9 
> from another terminal.
>
> from 'top':
>  PID USER     PRI  NI  SIZE  RSS SHARE STAT %CPU %MEM   TIME CPU COMMAND
> 1306 nobody    15   0 22744  21M  1648 R    97.4 35.6   0:44   0 uvscan
>
> nobody@babalu:/usr/local/uvscan# ./uvscan -v -r --analyze --unzip 
> BlackHole.zip
> Scanning BlackHole.zip
> Scanning file BlackHole.zip
> Scanning file BlackHole.zip/~.BZ2
>   ..... stalls here .....
>
> --
>
> Ethy H. Brito         /"\
> InterNexo Ltda.       \ /  CAMPANHA DA FITA ASCII - CONTRA MAIL HTML
> +55 (12) 3941-6860     X   ASCII RIBBON CAMPAIGN - AGAINST HTML MAIL
> S.J.Campos - Brasil   / \