Re: Sophos Antivirus Advisory

[Robert Perriero <ssgsa () mail montclair edu>]

On the topic of binary obfuscation, you might be interested in this
tool. Morphine, http://hxdef.czweb.org/download/Morphine27.zip , which I
understand was designed by the HackerDefender rootkit designer(s). The
general purpose is to render a binary unrecognizable to current anti-
virus engines without affecting the execution capability of the program.
Keep in mind that the tool was designed with malicious intent for use
with a rootkit, and as such, should only be trusted as far as you can
throw an elephant. Its an interesting concept though, one which must
most definitely be forcing anti-virus companies to come up with new
detection methods which don't rely solely on checksumming of files.

Robert Perriero
Montclair State University

On Thu, 2005-06-16 at 14:08 +0200, class wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>  
> patrickhof () web de a écrit :
>
> > = Advisory: Sophos doesn't recognize keylogger after string
> > alteration =
> >
> > During a Penetrationtest RedTeam found out that Sophos Anti-Virus
> > (SAV for short) won't recognize a keylogger as malware, after
> > alteration of a string in the keylogger's binary.
> >
> > == Details ==
> >
> > Product: Sophos Anti-Virus Affected Version: <= 5.0.2 Immune
> > Version: None known OS affected: tested on Win2k, GNU/Linux,
> > probably all supported by Sophos Security-Risk: medium
> > Remote-Exploit: no Vendor-URL: http://www.sophos.com Vendor-Status:
> > informed Advisory-URL:
> > http://tsyklon.informatik.rwth-aachen.de/redteam/advisories/rt-sa-2005-013
> > Advisory-Status: published
> >
> > == Introduction ==
> >
> > "Sophos Anti-Virus provides integrated virus detection on a wide
> > range of Windows platforms. Our award-winning technology protects
> > corporate servers, desktops and laptops from viruses, Trojans,
> > worms and malicious spyware." (from Vendor's page)
> >
> > SAV fails to recognize a keylogger binary after altering a few
> > bytes in a string contained in the program.
> >
> >
> > == More Details ==
> >
> > During a Penetrationtest, RedTeam wanted to install a keylogger on
> > a victim's system. Klogger (written by Arne Vidstrom, see [1]) was
> > chosen because of its small size, simplicity, and the ability to be
> > executed from the command prompt. Since we knew that SAV was
> > running on the target system, we did a test in our lab at
> > RWTH-Aachen University. This test revealed that SAV would recognize
> > the Klogger binary as malicious and raise alarm.
> >
> > In a simplistic attempt to confuse SAV, a few bytes in the Klogger
> > binary (there is no source code available) which belonged to a
> > string containing the author's name where changed with a hex
> > editor. To our astonishment this was enough to foil SAV - no alarms
> > where raised for the modified binary. Apparently the only detection
> > method deployed by SAV for this binary was a hash comparison or
> > something to the same effect.
> >
> > Tests with other antivirus programs showed that all of them
> > recognized the binary even after the string alteration. As for SAV,
> > additional tests with more popular malware showed that for these,
> > proper heuristics were used: it was not enough just to change a
> > few bytes with other malware binaries we tested.
> >
> > This example shows impressively, how easy some virusscanners can be
> > bypassed. An attacker just has to spend less than one minute to
> > manipulate the keylogger to prevent SAV from detecting the file.
> >
> > As keyloggers are more and more used by criminals like phishers to
> > get e.g. online-banking data, it is important that protection
> > software has robust detection mechanisms for malware. Simple
> > circumvention of protection mechanisms could lead to a severe
> > information leakage and compromise of the user. It is not uncommon
> > for malware code to be hex-edited by the entities deploying them
> > or even to change itself, thus potentially circumventing SAV if
> > this practice is used with other malicicous code, too.
> >
> > [1] http://ntsecurity.nu/toolbox/klogger/
> >
> > == Proof of Concept ==
> >
> > Just download klogger and change some bytes.
> >
> > == Workaround ==
> >
> > Never rely only on your antivirus program, regardless how good it
> > is. Those programs can only detect known malware with 100%
> > certainty. Unknown but also slightly modified malicious code is
> > only recognized using heuristics, which fail much too often. Always
> > use common sense and don't execute or even open files you don't
> > exactly know where they come from.
> >
> > == Fix ==
> >
> > None known.
> >
> >
> > == Security Risk ==
> >
> > As users should not rely only on their antivirus programs (as
> > stated above) in the first place, the security risk may be seen as
> > medium.
> >
> >
> > == History ==
> >
> > 14.04.2005 discovery of SAV's behaviour 21.04.2005 additional
> > tests with other programs 10.05.2005 advisory is written
> > 03.06.2005 contacted Sophos. Answer: the attachement you sent is
> > clean. Eh? Apparently, they sent the attached pgp-signature to
> > their virus-lab... Asked for a security contact. Got back the offer
> > that if we send a file with a virus, they can scan it. Okaaaay,
> > that was not the question, was it? Told them we were short of
> > viruses, sorry. Contact promised to sent the mail to their
> > headquarter in England. Never heard from them again. 16.06.2005
> > Advisory released
> >
> > == RedTeam ==
> >
> > RedTeam is a penetration testing group working at the Laboratory
> > for Dependable Distributed Systems at RWTH-Aachen University. You
> > can find more Information on the RedTeam Project at
> > http://tsyklon.informatik.rwth-aachen.de/redteam/
> >
> > _______________________________________________ Full-Disclosure -
> > We believe in it. Charter:
> > http://lists.grok.org.uk/full-disclosure-charter.html Hosted and
> > sponsored by Secunia - http://secunia.com/
>
> This is not really a vulnerablity but more a lack of detection on this
> malware, because try to do the same with hackdefender, sophos and
> kaspersky are much advanced than the others AV to detect it, believe
> me, I got it undetected with your method on almost all av , instead of
> sophos and kaspersky using some signature that if you mod, you break
> the program , nor yu should understand some asm.
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.1 (MingW32)
>  
> iD8DBQFCsWvVLyZ8K9aT7rARAkRRAKC6vP8EG/o1QX2Ss2L5d8u+9C+m9wCgp3BN
> i1uiKZyFy21TGUs/VbulY08=
> =xRt7
> -----END PGP SIGNATURE-----
>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/