Full Disclosure mailing list archives

[Full-Disclosure] RE: Full-disclosure Digest, Vol 4, Issue 11


From: "RandallM" <randallm () fidmail com>
Date: Sat, 5 Mar 2005 19:12:55 -0600

 
Andrey,
Just to add to the concern you bring up is what VirusTotal also shows on the
"Detection failures".
http://www.virustotal.com/flash/graficas/grafica4_en.html

Of course for me that's job security but nonetheless it's pitiful. And now
in steps Microsoft with "Billions" under its belt and I'll bet the odds
won't change much. That's where I get really confused.
We know that costs go into the billions when networks go down due to
infections. I know of no one but the parity actors for AOL who welcome
infections. I'm just dumbfounded on the abilities of virus companies to
battle this.

I'm finding that my preconceived label of who the virus writers are and look
like is rapidly being changed. I used to envision this lad with a tattered
Def Leppard shirt sitting with an old laptop in the wee early dawn finishing
up his code and getting ready to test it on the old grey Pentium box in the
corner.

Is this the guy beating the pants off the billion dollar companies?

I would also like to add that what you've done is very impressive. I'm
reading your paper now. I could and will never be able to do such, so thanks for
this well written piece. Please tell me you're not wearing a Def Leppard
t-shirt!

thank you
Randall M

"If we ever forget that we're one nation under God, then we will be a nation
gone under." 
- Ronald Reagan
_________________________________

 


Andrey so correctly acknowledged:
------------------------------

Message: 8
Date: Fri,  4 Mar 2005 15:03:10 -0600
From: Andrey Bayora <andrey () hiddenbit org>
Subject: [Full-disclosure] Bypass of 22 Antivirus software with GDI+ bug exploit Mutations - part 2
To: full-disclosure () lists netsys com
Cc: bugtraq () securityfocus com
Message-ID: <1109970190.4228cd0e27138 () www hiddenbit org>
Content-Type: text/plain; charset=ISO-8859-1


The first part is here:
http://archives.neohapsis.com/archives/fulldisclosure/2004-10/0475.html

First, this post isn't about how dangerous the GDI+ bug or a malicious JPEG
image is, but how good your antivirus software is.

The issue is: only 1 out of 23 tested antivirus software packages can detect
the malicious JPEG image (6 months after the public disclosure date).

Here is the link to results, JPEG file and my paper (GCIH practical)
that describes how to create this one:
http://www.hiddenbit.org/jpeg.htm

This one vendor (Symantec) that can detect it obviously does it with
heuristic detection (I don't work for them and didn't send them any
file; moreover, I know cases where Symantec didn't detect a virus that
other vendors did).
ClamAV antivirus detected this JPEG file 4 months ago, but strangely
can't detect it now.
What happened?
What about the 22 antivirus software vendors that miss this malicious JPEG?
The pattern or problem in these JPEG files is known and still many
antivirus software vendors miss it; can this represent the quality of
their heuristic engines?

OK, we know that any antivirus software can provide 100% protection

P.S.  After my first post (October 14, 2004) about this problem, all
antivirus software vendors added detection for the demo file provided by
me within a couple of hours. Sadly for me, it seems that they prefer
playing cat and mouse rather than improving their heuristic engines.

Regards,
Andrey Bayora.
CISSP, GCIH

-----------------------------

And so ends his thoughts
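Andrey's point is the difference between matching the bytes of one demo file and checking the structural property that every variant of the malicious JPEG shares. The following is an added example written for this archive page, not code from either poster or from Andrey's paper. It assumes, from the public MS04-028 description rather than from this thread, that the malformation is a JPEG marker segment whose declared length is below 2 (the two length bytes count themselves, so such a length is impossible in a well-formed file). The sample bytes are constructed header-only JPEGs with no image data, and the scanner walks only the marker segments that precede the scan data.

```python
import hashlib
import struct

SOI, EOI, SOS, COM, APP0 = 0xD8, 0xD9, 0xDA, 0xFE, 0xE0
# Markers with no length field: SOI, EOI, TEM and the restart markers RST0-RST7
STANDALONE = {SOI, EOI, 0x01} | set(range(0xD0, 0xD8))


def scan_jpeg_segments(data):
    """Walk the marker segments that precede the entropy-coded scan data.

    Returns a list of (offset, marker, declared_length, reason) findings;
    an empty list means the header structure looks sane. A declared segment
    length below 2 is the malformation assumed above (MS04-028 shape).
    """
    findings = []
    if len(data) < 2 or data[0] != 0xFF or data[1] != SOI:
        return [(0, None, None, "missing SOI marker")]
    pos = 2
    while pos + 1 < len(data):
        if data[pos] != 0xFF:
            return findings + [(pos, None, None, "expected 0xFF marker prefix")]
        marker = data[pos + 1]
        if marker == 0xFF:          # fill byte before a marker is legal; skip it
            pos += 1
            continue
        if marker in STANDALONE:
            if marker == EOI:
                return findings
            pos += 2
            continue
        if pos + 4 > len(data):
            return findings + [(pos, marker, None, "truncated length field")]
        length = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        if length < 2:
            # a decoder computing (length - 2) underflows here; stop the walk
            return findings + [(pos, marker, length, "segment length below 2")]
        if pos + 2 + length > len(data):
            return findings + [(pos, marker, length, "segment runs past end of data")]
        if marker == SOS:
            return findings         # entropy-coded data follows; headers are done
        pos += 2 + length
    return findings + [(pos, None, None, "no EOI marker")]


def is_structurally_suspicious(data):
    return bool(scan_jpeg_segments(data))


def signature_match(data, known_hashes):
    """Exact-file hash check: the cat-and-mouse approach the post criticises."""
    return hashlib.sha256(data).hexdigest() in known_hashes


def _segment(marker, payload):
    return bytes([0xFF, marker]) + struct.pack(">H", len(payload) + 2) + payload


JFIF_HEADER = _segment(APP0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")

# Constructed samples: one well-formed header-only JPEG and two variants whose
# COM segment declares length 1. They carry no image data and no payload.
BENIGN = bytes([0xFF, SOI]) + JFIF_HEADER + _segment(COM, b"sample comment") + bytes([0xFF, EOI])
MALFORMED_A = bytes([0xFF, SOI]) + JFIF_HEADER + bytes([0xFF, COM, 0x00, 0x01]) + b"AAAA" + bytes([0xFF, EOI])
MALFORMED_B = bytes([0xFF, SOI]) + JFIF_HEADER + bytes([0xFF, COM, 0x00, 0x01]) + b"BBBBBBBB" + bytes([0xFF, EOI])

# A file signature captured from the first variant only, as a vendor would
# after receiving one demo file
DEMO_SIGNATURES = {hashlib.sha256(MALFORMED_A).hexdigest()}

if __name__ == "__main__":
    for name, sample in (("benign", BENIGN), ("variant A", MALFORMED_A), ("variant B", MALFORMED_B)):
        print(name, "signature:", signature_match(sample, DEMO_SIGNATURES),
              "structural:", scan_jpeg_segments(sample))
```

Running the script shows the asymmetry the post describes: the hash signature matches variant A and nothing else, while the structural check flags both variants at the same offset and leaves the well-formed file alone, so trivial byte mutations do not help a file past it.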




_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html