Re: Sophos Antivirus Advisory

[class <ad () class101 org>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
 
yep I know morphine is cool but msost virus recognize the 'morphined'
files :)
I mean when I had got it undected by most virus that was just by hand
on the original exe, you split the file and find out where is the
detected signature, then you fake it and this is undetected, but only
sophos and kaspersky were harder to trick due to a intelligent
detection on it : all that to say that this is not a sophos vuln here
but mostly a general AV vulnerability :>

Robert Perriero a écrit :

> On the topic of binary obfuscation, you might be interested in this
> tool. Morphine, http://hxdef.czweb.org/download/Morphine27.zip ,
> which I understand was designed by the HackerDefender rootkit
> designer(s). The general purpose is to render a binary
> unrecognizable to current anti- virus engines without affecting the
> execution capability of the program. Keep in mind that the tool was
> designed with malicious intent for use with a rootkit, and as such,
> should only be trusted as far as you can throw an elephant. Its an
> interesting concept though, one which must most definitely be
> forcing anti-virus companies to come up with new detection methods
> which don't rely solely on checksumming of files.
>
> Robert Perriero Montclair State University
>
> On Thu, 2005-06-16 at 14:08 +0200, class wrote:

> patrickhof () web de a écrit :
>
> > = Advisory: Sophos doesn't recognize keylogger after string
> > alteration =
>
> > During a Penetrationtest RedTeam found out that Sophos Anti-Virus
> > (SAV for short) won't recognize a keylogger as malware, after
> > alteration of a string in the keylogger's binary.
>
> > == Details ==
>
> > Product: Sophos Anti-Virus Affected Version: <= 5.0.2 Immune
> > Version: None known OS affected: tested on Win2k, GNU/Linux,
> > probably all supported by Sophos Security-Risk: medium
> > Remote-Exploit: no Vendor-URL: http://www.sophos.com
> > Vendor-Status: informed Advisory-URL:
> > http://tsyklon.informatik.rwth-aachen.de/redteam/advisories/rt-sa-2005-013
> > Advisory-Status: published
>
> > == Introduction ==
>
> > "Sophos Anti-Virus provides integrated virus detection on a wide
> > range of Windows platforms. Our award-winning technology protects
> > corporate servers, desktops and laptops from viruses, Trojans,
> > worms and malicious spyware." (from Vendor's page)
>
> > SAV fails to recognize a keylogger binary after altering a few
> > bytes in a string contained in the program.
>
>
> > == More Details ==
>
> > During a Penetrationtest, RedTeam wanted to install a keylogger
> > on a victim's system. Klogger (written by Arne Vidstrom, see [1])
> > was chosen because of its small size, simplicity, and the ability
> > to be executed from the command prompt. Since we knew that SAV
> > was running on the target system, we did a test in our lab at
> > RWTH-Aachen University. This test revealed that SAV would
> > recognize the Klogger binary as malicious and raise alarm.
>
> > In a simplistic attempt to confuse SAV, a few bytes in the
> > Klogger binary (there is no source code available) which belonged
> > to a string containing the author's name where changed with a hex
> > editor. To our astonishment this was enough to foil SAV - no
> > alarms where raised for the modified binary. Apparently the only
> > detection method deployed by SAV for this binary was a hash
> > comparison or something to the same effect.
>
> > Tests with other antivirus programs showed that all of them
> > recognized the binary even after the string alteration. As for
> > SAV, additional tests with more popular malware showed that for
> > these, proper heuristics were used: it was not enough just to
> > change a few bytes with other malware binaries we tested.
>
> > This example shows impressively, how easy some virusscanners can
> > be bypassed. An attacker just has to spend less than one minute
> > to manipulate the keylogger to prevent SAV from detecting the
> > file.
>
> > As keyloggers are more and more used by criminals like phishers
> > to get e.g. online-banking data, it is important that protection
> > software has robust detection mechanisms for malware. Simple
> > circumvention of protection mechanisms could lead to a severe
> > information leakage and compromise of the user. It is not
> > uncommon for malware code to be hex-edited by the entities
> > deploying them or even to change itself, thus potentially
> > circumventing SAV if this practice is used with other malicicous
> > code, too.
>
> > [1] http://ntsecurity.nu/toolbox/klogger/
>
> > == Proof of Concept ==
>
> > Just download klogger and change some bytes.
>
> > == Workaround ==
>
> > Never rely only on your antivirus program, regardless how good it
> > is. Those programs can only detect known malware with 100%
> > certainty. Unknown but also slightly modified malicious code is
> > only recognized using heuristics, which fail much too often.
> > Always use common sense and don't execute or even open files you
> > don't exactly know where they come from.
>
> > == Fix ==
>
> > None known.
>
>
> > == Security Risk ==
>
> > As users should not rely only on their antivirus programs (as
> > stated above) in the first place, the security risk may be seen
> > as medium.
>
>
> > == History ==
>
> > 14.04.2005 discovery of SAV's behaviour 21.04.2005 additional
> > tests with other programs 10.05.2005 advisory is written
> > 03.06.2005 contacted Sophos. Answer: the attachement you sent is
> > clean. Eh? Apparently, they sent the attached pgp-signature to
> > their virus-lab... Asked for a security contact. Got back the
> > offer that if we send a file with a virus, they can scan it.
> > Okaaaay, that was not the question, was it? Told them we were
> > short of viruses, sorry. Contact promised to sent the mail to
> > their headquarter in England. Never heard from them again.
> > 16.06.2005 Advisory released
>
> > == RedTeam ==
>
> > RedTeam is a penetration testing group working at the Laboratory
> > for Dependable Distributed Systems at RWTH-Aachen University. You
> > can find more Information on the RedTeam Project at
> > http://tsyklon.informatik.rwth-aachen.de/redteam/
>
> > _______________________________________________ Full-Disclosure -
> > We believe in it. Charter:
> > http://lists.grok.org.uk/full-disclosure-charter.html Hosted and
> > sponsored by Secunia - http://secunia.com/
>
> This is not really a vulnerablity but more a lack of detection on
> this malware, because try to do the same with hackdefender, sophos
> and kaspersky are much advanced than the others AV to detect it,
> believe me, I got it undetected with your method on almost all av ,
> instead of sophos and kaspersky using some signature that if you
> mod, you break the program , nor yu should understand some asm.


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/



-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (MingW32)
 
iD8DBQFCsYfiLyZ8K9aT7rARAvhfAJ9cnuZCMK6DpjYNaelPFRnu83FAagCeL9du
d2lVyjxqRxb2Y8CBbRtoqZ8=
=fXAm
-----END PGP SIGNATURE-----


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/