Full Disclosure mailing list archives
Re: another filename bypass vulnerability - fromcmd.exe
From: "Morning Wood" <se_cur_ity () hotmail com>
Date: Thu, 17 Nov 2005 12:38:08 -0800
I think the OP was getting at this being an AV bypass vector for worms and other malware that can interact with cmd.exe. Theory being that AV will scan by extension (malware.exe vs malware.ext) and thus evade detection but yet be executable.

In light, informal testing this appears to be a realistic scenario that provides yet another vector for AV bypass. On test systems, "c:\>malware.exe.txt" runs the malware.exe, and does not open notepad. (cmd.exe parses the file header, explorer.exe uses .extension)

my2bits,
MW

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
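A defender-side check for the mismatch the message describes, as an added example that is not part of the original post: it flags files whose content is a PE image but whose name does not carry an executable extension. The extension list, function names and sample bytes are assumptions constructed for illustration.

```python
import os
import struct
import tempfile

# Assumption: extensions expected to hold PE images; tune per environment.
PE_EXTENSIONS = {".exe", ".dll", ".sys", ".scr", ".ocx", ".cpl"}

def is_pe_image(data: bytes) -> bool:
    """True if data has an MZ header whose e_lfanew field points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"

def find_disguised_pe(root: str) -> list[str]:
    """Return relative paths of PE files that lack an executable extension."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() in PE_EXTENSIONS:
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    head = fh.read(4096)  # PE signature normally sits in here
            except OSError:
                continue  # unreadable file: skip rather than abort the scan
            if is_pe_image(head):
                hits.append(os.path.relpath(path, root))
    return sorted(hits)

def build_minimal_pe_stub() -> bytes:
    """Constructed sample: DOS header plus PE signature, not a runnable program."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew -> byte right after header
    return bytes(dos) + b"PE\0\0"

def demo() -> list[str]:
    with tempfile.TemporaryDirectory() as root:
        samples = {  # constructed test files
            "malware.exe.txt": build_minimal_pe_stub(),  # file name from the message
            "notes.txt": b"MZ is also how some plain text starts\n" * 3,
            "tool.exe": build_minimal_pe_stub(),
        }
        for name, content in samples.items():
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(content)
        return find_disguised_pe(root)
```

Checking both the `MZ` magic and the `PE\0\0` signature keeps text files that merely begin with "MZ" from being reported.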
Current thread:
- Re: another filename bypass vulnerability - from cmd.exe Peter Ferrie (Nov 17)
- Re: another filename bypass vulnerability - from cmd.exe Hernán M . Racciatti (Nov 17)
- Re: another filename bypass vulnerability - from cmd.exe Valdis . Kletnieks (Nov 17)
- Re: another filename bypass vulnerability - fromcmd.exe Morning Wood (Nov 17)
- Re[2]: another filename bypass vulnerability - fromcmd.exe Thierry Zoller (Nov 17)
- Re: another filename bypass vulnerability - from cmd.exe Hernán M . Racciatti (Nov 17)