Full Disclosure mailing list archives
RE: Sophos Antivirus Advisory
From: "Todd Towles" <toddtowles () brookshires com>
Date: Thu, 16 Jun 2005 11:48:08 -0500
Robert, MW and class are right. This is a general problem of all sig-based AV systems. It has been covered on this list and many other places I am sure. You should report this to Sophos, but only because you were using Sophos in your test. To report it here as a Sophos vuln isn't fair to Sophos, IMHO. But that is just my 2 cents.
-----Original Message-----
From: full-disclosure-bounces () lists grok org uk [mailto:full-disclosure-bounces () lists grok org uk] On Behalf Of patrickhof () web de
Sent: Thursday, June 16, 2005 6:54 AM
To: bugtraq () securityfocus com; full-disclosure () lists grok org uk
Subject: [Full-disclosure] Sophos Antivirus Advisory

= Advisory: Sophos doesn't recognize keylogger after string alteration =

During a penetration test RedTeam found out that Sophos Anti-Virus (SAV for short) won't recognize a keylogger as malware after alteration of a string in the keylogger's binary.

== Details ==

Product: Sophos Anti-Virus
Affected Version: <= 5.0.2
Immune Version: None known
OS affected: tested on Win2k, GNU/Linux, probably all supported by Sophos
Security-Risk: medium
Remote-Exploit: no
Vendor-URL: http://www.sophos.com
Vendor-Status: informed
Advisory-URL: http://tsyklon.informatik.rwth-aachen.de/redteam/advisories/rt-sa-2005-013
Advisory-Status: published

== Introduction ==

"Sophos Anti-Virus provides integrated virus detection on a wide range of Windows platforms. Our award-winning technology protects corporate servers, desktops and laptops from viruses, Trojans, worms and malicious spyware." (from Vendor's page)

SAV fails to recognize a keylogger binary after altering a few bytes in a string contained in the program.

== More Details ==

During a penetration test, RedTeam wanted to install a keylogger on a victim's system. Klogger (written by Arne Vidstrom, see [1]) was chosen because of its small size, simplicity, and the ability to be executed from the command prompt. Since we knew that SAV was running on the target system, we did a test in our lab at RWTH-Aachen University. This test revealed that SAV would recognize the Klogger binary as malicious and raise alarm.

In a simplistic attempt to confuse SAV, a few bytes in the Klogger binary (there is no source code available) which belonged to a string containing the author's name were changed with a hex editor. To our astonishment this was enough to foil SAV - no alarms were raised for the modified binary. Apparently the only detection method deployed by SAV for this binary was a hash comparison or something to the same effect.

Tests with other antivirus programs showed that all of them recognized the binary even after the string alteration. As for SAV, additional tests with more popular malware showed that for these, proper heuristics were used: it was not enough just to change a few bytes with other malware binaries we tested.

This example shows impressively how easily some virus scanners can be bypassed. An attacker just has to spend less than one minute to manipulate the keylogger to prevent SAV from detecting the file. As keyloggers are more and more used by criminals like phishers to get e.g. online-banking data, it is important that protection software has robust detection mechanisms for malware. Simple circumvention of protection mechanisms could lead to a severe information leakage and compromise of the user. It is not uncommon for malware code to be hex-edited by the entities deploying them or even to change itself, thus potentially circumventing SAV if this practice is used with other malicious code, too.

[1] http://ntsecurity.nu/toolbox/klogger/

== Proof of Concept ==

Just download klogger and change some bytes.

== Workaround ==

Never rely only on your antivirus program, regardless how good it is. Those programs can only detect known malware with 100% certainty. Unknown but also slightly modified malicious code is only recognized using heuristics, which fail much too often. Always use common sense and don't execute or even open files you don't exactly know where they come from.

== Fix ==

None known.

== Security Risk ==

As users should not rely only on their antivirus programs (as stated above) in the first place, the security risk may be seen as medium.

== History ==

14.04.2005 discovery of SAV's behaviour
21.04.2005 additional tests with other programs
10.05.2005 advisory is written
03.06.2005 contacted Sophos. Answer: the attachment you sent is clean. Eh? Apparently, they sent the attached pgp-signature to their virus-lab... Asked for a security contact. Got back the offer that if we send a file with a virus, they can scan it. Okaaaay, that was not the question, was it? Told them we were short of viruses, sorry. Contact promised to send the mail to their headquarters in England. Never heard from them again.
16.06.2005 Advisory released

== RedTeam ==

RedTeam is a penetration testing group working at the Laboratory for Dependable Distributed Systems at RWTH-Aachen University. You can find more information on the RedTeam Project at http://tsyklon.informatik.rwth-aachen.de/redteam/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
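The advisory's conclusion, that SAV matched this file by "a hash comparison or something to the same effect" while other scanners survived the string edit, can be reproduced on a constructed byte string. The following Python script is an added illustration for this archive page; it is not code from the advisory, from RedTeam or from Sophos, and the sample bytes stand in for a small executable rather than reproducing Klogger. It compares two signature styles on the same file: a whole-file SHA-256 hash, which stops matching after a single same-length edit to the embedded author string, and a byte-pattern signature over the code bytes with the call displacements wildcarded (the notation ClamAV and YARA hex strings use), which keeps matching. The sample binary, the pattern, the string values and the helper names are all assumptions for the example.

```python
import hashlib
import re

# Constructed stand-in for a small Windows executable (NOT the Klogger
# binary): a few x86-looking code bytes followed by an embedded author
# string, the kind of bytes an attacker can rewrite with a hex editor.
SAMPLE_BINARY = (
    b"\x55\x8b\xec\x83\xec\x10\x6a\x00"      # push ebp; mov ebp,esp; sub esp,0x10; push 0
    b"\xe8\x10\x00\x00\x00\x85\xc0\x74\x05"  # call rel32; test eax,eax; jz +5
    b"\xe8\x44\x00\x00\x00\xc9\xc3"          # call rel32; leave; ret
    b"Written by Some Author\x00"            # embedded string (assumed content)
)


def make_hash_signature(sample: bytes) -> str:
    """Whole-file hash: the weakest AV signature, every byte of the file matters."""
    return hashlib.sha256(sample).hexdigest()


def hash_detects(signature: str, candidate: bytes) -> bool:
    return hashlib.sha256(candidate).hexdigest() == signature


def compile_pattern(hex_pattern: str) -> re.Pattern:
    """Compile a hex byte pattern with '??' wildcards into a regex over bytes.
    "e8 ?? ?? ?? ?? 85 c0" matches a call with any displacement followed by
    test eax,eax, the way a ClamAV or YARA hex string would."""
    pieces = []
    for token in hex_pattern.split():
        if token == "??":
            pieces.append(b".")
        else:
            pieces.append(re.escape(bytes([int(token, 16)])))
    return re.compile(b"".join(pieces), re.DOTALL)


def pattern_detects(pattern: re.Pattern, candidate: bytes) -> bool:
    return pattern.search(candidate) is not None


def patch_string(binary: bytes, old: bytes, new: bytes) -> bytes:
    """The hex-editor step from the advisory: overwrite an embedded string in
    place. Keeping the length identical leaves every offset, relocation and
    import untouched, so the program behaves exactly as before."""
    if len(old) != len(new):
        raise ValueError("replacement must have the same length as the original")
    offset = binary.find(old)
    if offset < 0:
        raise ValueError("string not present in binary")
    return binary[:offset] + new + binary[offset + len(old):]


def run_demo() -> dict:
    """Return which signature style still fires after the string edit."""
    hash_sig = make_hash_signature(SAMPLE_BINARY)
    # Pattern over the call/test/jump/call sequence; the call displacements
    # are wildcarded because they change whenever the binary is relinked.
    code_sig = compile_pattern("e8 ?? ?? ?? ?? 85 c0 74 ?? e8")
    modified = patch_string(SAMPLE_BINARY, b"Some Author", b"Some Auth0r")
    return {
        "hash_original": hash_detects(hash_sig, SAMPLE_BINARY),
        "hash_modified": hash_detects(hash_sig, modified),
        "pattern_original": pattern_detects(code_sig, SAMPLE_BINARY),
        "pattern_modified": pattern_detects(code_sig, modified),
    }


if __name__ == "__main__":
    for name, hit in run_demo().items():
        print(f"{name:17s}: {'DETECTED' if hit else 'missed'}")
```

The hash check misses the modified file while the code pattern still fires, which is the gap between the two detection styles the advisory observed. The pattern signature is not a full answer either: it breaks as soon as the code bytes themselves change (repacking, recompiling, self-modifying code), which is why the advisory's workaround of not relying on the scanner alone still stands.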
Current thread:
- Sophos Antivirus Advisory patrickhof (Jun 16)
- Re: Sophos Antivirus Advisory class (Jun 16)
- Re: Sophos Antivirus Advisory Robert Perriero (Jun 16)
- Re: Sophos Antivirus Advisory class (Jun 16)
- Re: Sophos Antivirus Advisory Robert Perriero (Jun 16)
- Re: Sophos Antivirus Advisory Morning Wood (Jun 16)
- <Possible follow-ups>
- RE: Sophos Antivirus Advisory Todd Towles (Jun 16)
- Re: Sophos Antivirus Advisory class (Jun 16)