RE: Sophos Antivirus Advisory

["Todd Towles" <toddtowles () brookshires com>]

Robert, MW and class are right. This is a general problem of all
sig-based AV systems. It has been covered on this list and many other
places I am sure. You should report this to Sophos, but only because you
were using Sophos in your test. To report it here as a Sophos vuln,
isn't fair to Sophos IMHO. But that is just my 2 cents. 

> -----Original Message-----
> From: full-disclosure-bounces () lists grok org uk 
> [mailto:full-disclosure-bounces () lists grok org uk] On Behalf 
> Of patrickhof () web de
> Sent: Thursday, June 16, 2005 6:54 AM
> To: bugtraq () securityfocus com; full-disclosure () lists grok org uk
> Subject: [Full-disclosure] Sophos Antivirus Advisory
>
> = Advisory: Sophos doesn't recognize keylogger after string 
> alteration =
>
> During a Penetrationtest RedTeam found out that Sophos 
> Anti-Virus (SAV for short) won't recognize a keylogger as 
> malware, after alteration of a string in the keylogger's binary.
>
> == Details ==
>
> Product: Sophos Anti-Virus
> Affected Version: <= 5.0.2
> Immune Version: None known
> OS affected: tested on Win2k, GNU/Linux, probably all supported by
>              Sophos
> Security-Risk: medium
> Remote-Exploit: no
> Vendor-URL: http://www.sophos.com
> Vendor-Status: informed
> Advisory-URL:
> http://tsyklon.informatik.rwth-aachen.de/redteam/advisories/rt
> -sa-2005-013
> Advisory-Status: published
>
> == Introduction ==
>
> "Sophos Anti-Virus provides integrated virus detection on a 
> wide range of Windows platforms. Our award-winning technology 
> protects corporate servers, desktops and laptops from 
> viruses, Trojans, worms and malicious spyware." (from Vendor's page)
>
> SAV fails to recognize a keylogger binary after altering a 
> few bytes in a string contained in the program.
>
>
> == More Details ==
>
> During a Penetrationtest, RedTeam wanted to install a 
> keylogger on a victim's system. Klogger (written by Arne 
> Vidstrom, see [1]) was chosen because of its small size, 
> simplicity, and the ability to be executed from the command 
> prompt. Since we knew that SAV was running on the target 
> system, we did a test in our lab at RWTH-Aachen University. 
> This test revealed that SAV would recognize the Klogger 
> binary as malicious and raise alarm.
>
> In a simplistic attempt to confuse SAV, a few bytes in the 
> Klogger binary (there is no source code available) which 
> belonged to a string containing the author's name where 
> changed with a hex editor. To our astonishment this was 
> enough to foil SAV - no alarms where raised for the modified 
> binary. Apparently the only detection method deployed by SAV 
> for this binary was a hash comparison or something to the same effect.
>
> Tests with other antivirus programs showed that all of them 
> recognized the binary even after the string alteration. As 
> for SAV, additional tests with more popular malware showed 
> that for these, proper heuristics were used: it was not 
> enough just to change a few bytes with other malware binaries 
> we tested.
>
> This example shows impressively, how easy some virusscanners 
> can be bypassed. An attacker just has to spend less than one 
> minute to manipulate the keylogger to prevent SAV from 
> detecting the file.
>
> As keyloggers are more and more used by criminals like 
> phishers to get e.g. online-banking data, it is important 
> that protection software has robust detection mechanisms for 
> malware. Simple circumvention of protection mechanisms could 
> lead to a severe information leakage and compromise of the 
> user. It is not uncommon for malware code to be hex-edited by 
> the entities deploying them or even to change itself, thus 
> potentially circumventing SAV if this practice is used with 
> other malicicous code, too.
>
> [1] http://ntsecurity.nu/toolbox/klogger/
>
> == Proof of Concept ==
>
> Just download klogger and change some bytes.
>
> == Workaround ==
>
> Never rely only on your antivirus program, regardless how good it is.
> Those programs can only detect known malware with 100% certainty.
> Unknown but also slightly modified malicious code is only 
> recognized using heuristics, which fail much too often. 
> Always use common sense and don't execute or even open files 
> you don't exactly know where they come from.
>
> == Fix ==
>
> None known.
>
>
> == Security Risk ==
>
> As users should not rely only on their antivirus programs (as stated
> above) in the first place, the security risk may be seen as medium.
>
>
> == History ==
>
> 14.04.2005  discovery of SAV's behaviour
> 21.04.2005  additional tests with other programs
> 10.05.2005  advisory is written
> 03.06.2005  contacted Sophos. Answer: the attachement you 
> sent is clean.
>             Eh? Apparently, they sent the attached 
> pgp-signature to their
>             virus-lab... Asked for a security contact. Got back the
>             offer that if we send a file with a virus, they 
> can scan it.
>             Okaaaay, that was not the question, was it? Told them we
>             were short of viruses, sorry. Contact promised
>             to sent the mail to their headquarter in England. Never
>             heard from them again.
> 16.06.2005  Advisory released
>
> == RedTeam ==
>
> RedTeam is a penetration testing group working at the 
> Laboratory for Dependable Distributed Systems at RWTH-Aachen 
> University. You can find more Information on the RedTeam 
> Project at http://tsyklon.informatik.rwth-aachen.de/redteam/
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/