Full Disclosure mailing list archives

RE: Multiple AVVendorIncorrectCRC32BypassVulnerability.

From: "Steve Scholz" <steve_scholz () sybari com>
Date: Sun, 13 Mar 2005 02:05:37 -0500

?
Hi Bipin,
Well just by definition of what eicar is all you did was corrupt a file and made it not useable. I am sure that any 
other executable would do the same. Try it with a real virus I am sure there will be enough code for the AV scanners to 
detect. Since eicar is just a test string for testing reasons only it needs to be on the first line and only the eicar 
string can be in the document for it to be eicar. I still fail to see that you proved anything.
-Steve

________________________________

From: full-disclosure-bounces () lists grok org uk on behalf of bipin gautam
Sent: Sun 3/13/2005 12:53 AM
To: bipin gautam; Steve Scholz
Cc: vuln () secunia com; full-disclosure () lists grok org uk; bugtraq () securityfocus com
Subject: RE: [Full-disclosure] Re: [Private]Multiple AVVendorIncorrectCRC32BypassVulnerability.



--- Steve Scholz <steve_scholz () sybari com> wrote:

Hi Bipin,
By design Eicar needs to be the exact string and on
the first line with nothing else following it. So
the file is not actually an Eicar I get this with
advanced zip repair. So now we won't detect this
because it is not Eicar.

X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*PK


     /é°"F?-?sp  ?sp                   eicar.comPK
     7   k


"not Eicar" so???     (O; It exactly did what it was
intended to! TRY IT WITH OTHER EXECUDABLES THEN.

In the 'local file header" & "data descriptor" if you
change the compressed size and uncompressed size to
greater than the actual file size there are many AV
that can't scan the file properly.
Most, unzip utilities will successfully extract such
archive with some garbage data \x00 at the end "255
bytes. (SO DOES THE AV ENGINE)  The garbage data
doesn't *that matter because any malicious code can
"execute without any problem" with still the garbage
at its end. "This will successfully bypass AV
detection even for a known malicious code!"  "MOST OF
THE TIME" if the AV detects the executable comparing
its total checksum!

(but for effectiveness, FORGE  the crc, first for real
effectiveness)



regards,
bipin gautam
get the updates in this issue at:
http://www.geocities.com/visitbipin/

secunia.com;

full-disclosure () lists grok org uk;
bugtraq () securityfocus com
Subject: [Full-disclosure] Re: [Private]Multiple AV
VendorIncorrectCRC32BypassVulnerability.

Steve,
firstly... thankyou for all your coments.

The Antigen_s.zip does not contain a valid Eicar
this info when repaired
and opened is X5O!P%@AP[4\PZX
We did catch it with a file filter.
What was your intent with these files?


OOPS! again my fault!!!
TRY: http://www.geocities.com/visitbipin/Antigen.zip

my intension was to show, if the archive has
compressed size and uncompressed size set to greater
than the actual file size or less than the actual
file
size there are many AV that can't scan the file
properly.

send
http://www.geocities.com/visitbipin/Antigen.zip
 to virustotal.com and see for yourself!!!

Download Accelerator successfully repairs this
archive
with some garbage data \x00 at the end "255 bytes"
Though, i was able to successfully execute eicar.com

-bipin
updates at:
http://www.geocities.com/visitbipin/crc.html
___________________My report!_______________________
This is a report processed by VirusTotal on
03/12/2005
at 18:38:32 (CET) after scanning the file
"Antigen.zip" file.

Antivirus     Version Update  Result    
AntiVir       6.30.0.5 03.11.2005     Eicar-Test-Signature      
AVG   718     03.11.2005      EICAR_Test (+187)         
BitDefender 7.0       03.12.2005      no virus found    
ClamAV        devel-20050307  03.10.2005
Eicar-Test-Signature 
 
DrWeb 4.32b   03.12.2005 no virus found         
eTrust-Iris 7.1.194.0 03.12.2005 no virus found         
eTrust-Vet 11.7.0.0 03.11.2005 no virus found   
Fortinet 2.51 03.11.2005      no virus found    
F-Prot        3.16a   03.11.2005      EICAR_Test_File   
Ikarus        2.32    03.11.2005      EICAR-ANTIVIRUS-TESTFILE          
Kaspersky     4.0.2.24        03.12.2005      EICAR-Test-File   
McAfee        4445    03.11.2005      no virus found    
NOD32v2       1.1024  03.11.2005      archive damaged   
Norman        5.70.10 03.10.2005      no virus found    
Panda 8.02.00 03.12.2005      Eicar.Mod         
Sybari        7.5.1314 03.12.2005     no virus found    
Symantec 8.0  03.11.2005      no virus found



               
__________________________________
Do you Yahoo!?
Yahoo! Small Business - Try our new resources site!
http://smallbusiness.yahoo.com/resources/
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://www.secunia.com/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://www.secunia.com/

Current thread:

RE: Multiple AVVendorIncorrectCRC32BypassVulnerability. Steve Scholz (Mar 12)
- RE: Multiple AVVendorIncorrectCRC32BypassVulnerability. bipin gautam (Mar 13)
- <Possible follow-ups>
- RE: Multiple AVVendorIncorrectCRC32BypassVulnerability. Steve Scholz (Mar 13)