Full Disclosure mailing list archives

Re: Antivirus/Trojan/Spyware scanners DoS!


From: npguy <npguy () websurfer com np>
Date: Mon, 14 Jun 2004 09:15:26 +0545

This comes when the extracting module doesn't verify the integrity of headers. Similar
types of breaches were found in WinRAR. The quick approach to resolve it is to verify
the actual physical size of the compressed file against the header info. WinRAR now
takes a similar approach.

Not only the AntiVirus: any application that uses the Zip API faces a similar
problem, since the library that comes along with the extraction function has the
same design error.


   npguy


On Sunday 13 June 2004 10:35 pm, Ahmed Motaz wrote:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

bipin gautam wrote:
| I wonder how many Antivirus/Trojan/Spyware scanners will choke to
| death while having a manual scan of the file

I have tried it with Norton AntiVirus 2003 on a PIII 550/256 MB RAM
machine. It took it 8 minutes to scan 42 files before I aborted it.

I was curious how you crafted such a ZIP file. It extracts to 125KB
and then extracts to more than 500 MB.

| I was wondering, what would be the results if such file gets
| stuck in an "AV gateway" (O;

If there was no timeout, then it definitely can crash lots of these.

I, however, like to add that this is not a problem with the AV
software; I tried extracting it manually using WinRAR and WinZIP, but
it took forever, especially the file ~.rar, which is 6 MB before
extraction.

I have tried it with online scanner, Kaspersky
(http://www.kaspersky.com/scanforvirus), but the scan did not take
more than 1 minute and detected 15 virus bodies out of 692 scanned files.

I'd like to hear more about it soon.

Regards,
Ahmed Motaz
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFAzIXCxSm8vaS5lh8RAruBAJ9Giaap/vtDwxOmh4MDzYMs/A3hUQCeJuqX
DLJ+H/hHhIYMPiFWDqxw3O8=
=HVzd
-----END PGP SIGNATURE-----
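The header check npguy describes above, as an added example (not code from this thread or from any of the products it mentions): before decompressing anything, the central directory's declared compressed and uncompressed sizes are cross-checked against the archive's physical size and against policy limits, and extraction is then done in bounded chunks so the process stops the moment more output appears than the headers promised or a budget allows. The thresholds (`MAX_RATIO`, `MAX_TOTAL_UNCOMPRESSED`, `MAX_ENTRIES`) are hypothetical values chosen for the example, and the two sample archives are constructed in memory.

```python
"""Header sanity checks and bounded extraction for ZIP archives (added example)."""
import io
import zipfile
from dataclasses import dataclass, field

# Policy thresholds: hypothetical values for this example, tune per deployment.
MAX_RATIO = 100                            # declared uncompressed : compressed
MAX_TOTAL_UNCOMPRESSED = 64 * 1024 * 1024  # 64 MiB of total output
MAX_ENTRIES = 10_000


@dataclass
class ZipVerdict:
    physical_size: int          # bytes actually present in the archive
    declared_compressed: int    # sum of compress_size from the central directory
    declared_uncompressed: int  # sum of file_size from the central directory
    ratio: float                # declared_uncompressed / declared_compressed
    problems: list = field(default_factory=list)

    @property
    def safe(self) -> bool:
        return not self.problems


def inspect_zip(data: bytes) -> ZipVerdict:
    """Cross-check central-directory claims against the archive's real size
    before a single byte is decompressed."""
    physical = len(data)
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        infos = zf.infolist()
    comp = sum(i.compress_size for i in infos)
    uncomp = sum(i.file_size for i in infos)
    v = ZipVerdict(physical, comp, uncomp, uncomp / max(comp, 1))

    for i in infos:
        # Lower-bound check: each entry's compressed data must fit inside the file
        # (the local header and filename take extra space, so this is conservative).
        if i.header_offset + i.compress_size > physical:
            v.problems.append(f"{i.filename}: compressed data extends past end of archive")
    if comp > physical:
        v.problems.append("headers declare more compressed bytes than the archive holds")
    if len(infos) > MAX_ENTRIES:
        v.problems.append(f"{len(infos)} entries exceeds limit {MAX_ENTRIES}")
    if uncomp > MAX_TOTAL_UNCOMPRESSED:
        v.problems.append(f"declared output {uncomp} B exceeds limit {MAX_TOTAL_UNCOMPRESSED} B")
    if v.ratio > MAX_RATIO:
        v.problems.append(f"compression ratio {v.ratio:.0f}:1 exceeds {MAX_RATIO}:1")
    return v


def extract_bounded(data: bytes, budget: int = MAX_TOTAL_UNCOMPRESSED) -> dict:
    """Decompress entry by entry in 64 KiB chunks, aborting as soon as the actual
    output exceeds either the header's declared size or the overall budget.
    (Python's zipfile already caps each entry at its declared file_size; the
    per-entry check is kept so the pattern carries over to other decompressors.)"""
    out = {}
    written = 0
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            chunks, produced = [], 0
            with zf.open(info) as fh:
                while True:
                    chunk = fh.read(64 * 1024)
                    if not chunk:
                        break
                    produced += len(chunk)
                    written += len(chunk)
                    if produced > info.file_size:
                        raise ValueError(f"{info.filename}: more output than header declared")
                    if written > budget:
                        raise ValueError(f"decompression budget of {budget} B exceeded")
                    chunks.append(chunk)
            out[info.filename] = b"".join(chunks)
    return out


def make_zip(entries: dict) -> bytes:
    """Constructed sample: build an in-memory deflated archive from {name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, payload in entries.items():
            zf.writestr(name, payload)
    return buf.getvalue()


# Constructed samples: an ordinary archive and a highly compressible one
# (32 MiB of zeros deflates to roughly 32 KiB, i.e. about 1000:1).
LEGIT = make_zip({"readme.txt": b"ordinary archive content\n"})
BOMB = make_zip({"zeros.bin": bytes(32 * 1024 * 1024)})

if __name__ == "__main__":
    for label, blob in (("legit", LEGIT), ("bomb", BOMB)):
        v = inspect_zip(blob)
        print(label, v.physical_size, v.declared_uncompressed, f"{v.ratio:.0f}:1", v.problems)
```

The inspection step costs only a read of the central directory, so a gateway can reject an archive whose headers are inconsistent with its physical size, or whose declared expansion is implausible, without ever inflating it; the bounded extractor is the second line of defence for archives that pass inspection but lie in the compressed stream itself.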


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


