Full Disclosure mailing list archives
RE: Re: Antivirus detection bypass by special craftedarchive.
From: <ad () class101 org>
Date: Sun, 9 Oct 2005 20:51:19 +0200
Works fine, the last symantec 10.0.1.1000 (engine:51.2.0.12) doesn't detect it :)

-----Original Message-----
From: full-disclosure-bounces () lists grok org uk [mailto:full-disclosure-bounces () lists grok org uk] On Behalf Of Thierry Zoller
Sent: Sunday, October 9, 2005 20:26
To: bugtraq () securityfocus com
Cc: full-disclosure () lists grok org uk
Subject: [Full-disclosure] Re: Antivirus detection bypass by special craftedarchive.

Dear fRoGGz,

Thank you for your contribution, thank you also for the credits you gave me and Mr Bieringer for prior research. The details on your website as well as your bugtraq posting are clearly incomprehensible however (no offense intended). I try to clear it up (really quick analysis, thus error prone):

Problem : Unpack Program can unpack file, Anti Virus cannot
Cause   : Injection of various "invalid" headers or NULL strings.

AVPoC2.rar - Invalid header (Executable Header Injection)
------------------------------------------------------------
fRoGGz injected an MZ header in the Rar, specifically he injected
    MZP....        4D 5A 50 00 02 00 00
Resulting in a Header of :
    MZP....RAR!    4D 5A 50 00 02 00 00 52 61 72 21
Winrar and Unrar unpack the Archive fine (without any errors); some AV fail, expecting an Executable (might be blocked by clever AV Gateways as they do content type inspection anyway).

AVPoC1.rar - Actually a ZIP file - Invalid header (Executable Header Injection)
-------------------------------------------------------------------------------
fRoGGz injected an MZ header in the Rar (which is actually a ZIP file); he injected :
    MZ             4D 5A
Resulting in a Header of :
    MZPK..ÿ -      4D 5A 50 4B 03 04 FF 90
Winzip fails to extract the Zip file; Winrar and Unrar unpack the Archive fine (without any errors); some AV fail, expecting an Executable (might be blocked by clever AV Gateways as they do content type inspection anyway).

AVPoC3.cab - Cabinet Archive - Invalid Header (Executable Header Injection)
---------------------------------------------------------------------------
fRoGGz injected an MZ header in the Cab, specifically he injected
    MZP....        4D 5A 50 00 02 00 00
Resulting in a Header of :
    MZ....MSCF     4D 5A 00 02 00 00 4D 53 43 46

AVPoC4.arj - ARJ Archive - Invalid Header (Executable Header Injection)
---------------------------------------------------------------------------
fRoGGz injected an MZ header in the Cab, specifically he injected
    MZP....        4D 5A 50 00 02 00 00
Resulting in a Header of :
    MZP....`       4D 5A 50 00 02 00 00 60

AVPoC5.arj - ARJ Archive - Invalid Header (00 Injection)
---------------------------------------------------------------------------
fRoGGz injected a NULL string in the header of the ARJ file, specifically he injected
    00
Resulting in a Header of :
    00`

uwc>
uwc> Release Date : 2005-10-05
uwc> Tested on: Windows 2000 SP2 & SP4
uwc> Tested with: Jotti Online Antivirus Scanner
uwc> Tested with: VirusTotal Online Antivirus Scanner
uwc> Tested with: Command line freeware UnRAR v3.50
uwc> Tested with: PowerZip v7.06
uwc> Discovered by: fRoGGz
uwc> Credit to: SecuBox Labs
uwc>
uwc>
uwc> -=====================================================================-
uwc> Analysis
uwc> __________
uwc> Specially crafted archive containing a virus will pass
uwc> through the antivirus system without detection.
uwc> An attacker can compress a malicious payload and evade
uwc> detection by some anti-virus software.
uwc> The bypassed malicious content does not pose a risk until
uwc> extracted from the RAR archive file. Malicious content
uwc> will be detected and eliminated by your Antivirus.
uwc> Contrary to Winzip or BitZipper which do not authorize the
uwc> opening of the file, Winrar & PowerZip open & extract it.
uwc>
uwc> -=====================================================================-
uwc>
uwc> Proof of Concept
uwc> ________________
uwc> We have used: eicar.com
uwc> EICAR test is a 68 bytes file "detected" as if it were a virus.
uwc>
uwc> For more information, visit:
uwc> Ref: [ http://shadock.net/secubox/AVCraftedArchive.html ]
uwc>
uwc> Results for: SecuBox_AVPoC1.rar
uwc> _______________________________
uwc> [?] AntiVir                Found nothing
uwc> [?] ArcaVir                Found nothing
uwc> [?] Avast                  Found nothing
uwc> [!] AVG Antivirus          Found EICAR_Test (+187)
uwc> [!] BitDefender            Found EICAR-Test-File (not a virus)
uwc> [!] CAT-QuickHeal          Found Eicar.Test
uwc> [~] ClamAV                 Found nothing >> Suspect
uwc> [?] Dr.Web                 Found nothing
uwc> [?] eTrust-Iris            Found nothing
uwc> [?] eTrust-Vet             Found nothing
uwc> [!] Fortinet               Found EICAR_TEST_FILE
uwc> [?] F-Prot Antivirus       Found nothing
uwc> [!] Ikarus                 Found EICAR_Test
uwc> [?] Kaspersky Antivirus    Found nothing
uwc> [?] McAfee                 Found nothing
uwc> [?] NOD32                  Found nothing
uwc> [?] Norman Virus Control   Found nothing
uwc> [!] Panda                  Found Eicar.Mod
uwc> [?] Sophos                 Found nothing
uwc> [?] Symantec               Found nothing
uwc> [?] TheHacker              Found nothing
uwc> [?] UNA                    Found nothing
uwc> [?] VBA32                  Found nothing
uwc>
uwc> Results for: SecuBox_AVPoC2.rar
uwc> ________________________________
uwc> [?] AntiVir                Found nothing
uwc> [!] ArcaVir                Found Eicar.Test
uwc> [!] Avast                  Found EICAR Test-NOT!!
uwc> [!] AVG Antivirus          Found EICAR_Test
uwc> [?] BitDefender            Found nothing
uwc> [!] CAT-QuickHeal          Found Eicar.Test
uwc> [~] ClamAV                 Found nothing >> Suspect
uwc> [?] Dr.Web                 Found nothing
uwc> [?] eTrust-Iris            Found nothing
uwc> [?] eTrust-Vet             Found nothing
uwc> [?] Fortinet               Found nothing
uwc> [?] F-Prot Antivirus       Found nothing
uwc> [?] Fortinet               Found nothing
uwc> [!] Ikarus                 Found EICAR_Test
uwc> [?] Kaspersky Antivirus    Found nothing
uwc> [?] McAfee                 Found nothing
uwc> [?] NOD32                  Found nothing
uwc> [?] Norman Virus Control   Found nothing
uwc> [!] Panda                  Found Eicar.Mod
uwc> [!] Sophos                 EICAR-AV-Test
uwc> [?] Symantec               Found nothing
uwc> [?] TheHacker              Found nothing
uwc> [?] UNA                    Found nothing
uwc> [?] VBA32                  Found nothing
uwc>
uwc> Results for: SecuBox_AVPoC3.cab
uwc> ________________________________
uwc>
uwc> [?] AntiVir                Found nothing
uwc> [?] ArcaVir                Found nothing
uwc> [?] Avast                  Found nothing
uwc> [!] AVG Antivirus          Found EICAR_Test
uwc> [?] BitDefender            Found nothing
uwc> [?] CAT-QuickHeal          Found nothing
uwc> [?] ClamAV                 Found nothing
uwc> [?] Dr.Web                 Found nothing
uwc> [?] eTrust-Iris            Found nothing
uwc> [?] eTrust-Vet             Found nothing
uwc> [?] Fortinet               Found nothing
uwc> [?] F-Prot Antivirus       Found nothing
uwc> [?] Fortinet               Found nothing
uwc> [?] Ikarus                 Found nothing
uwc> [?] Kaspersky Antivirus    Found nothing
uwc> [?] McAfee                 Found nothing
uwc> [?] NOD32                  Found nothing
uwc> [?] Norman Virus Control   Found nothing
uwc> [?] Panda                  Found nothing
uwc> [?] Sophos                 Found nothing
uwc> [?] Symantec               Found nothing
uwc> [?] TheHacker              Found nothing
uwc> [?] UNA                    Found nothing
uwc> [!] VBA32                  Found EICAR-Test-File
uwc>
uwc> Unix test with ClamAV
uwc> _____________________
uwc>
uwc> thot:~$ clamscan --no-summary SecuBox_AVPoC3.cab
uwc> SecuBox_AVPoC3.cab: OK
uwc> thot:~$ cabextract SecuBox_AVPoC3.cab
uwc> Extracting cabinet: SecuBox_AVPoC3.cab
uwc>   extracting EICAR.com
uwc> All done, no errors.
uwc> thot:~$ clamscan --no-summary EICAR.com
uwc> EICAR.com: Eicar-Test-Signature FOUND
uwc> thot:~$
uwc>
uwc> thot:~$ clamscan -V
uwc> ClamAV 0.87/1120/Fri Oct  7 13:06:49 2005
uwc>
uwc> -==================================================-
uwc>
uwc> CREDiTS
uwc> ---------------------
uwc> SecuBox Labs - fRoGGz
uwc> Greets fly out to: maew, Jordi Bosveld & VirusTotal

--
Kind regards
Thierry Zoller
mailto:Thierry () sniff-em com

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
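As a defender-side illustration of the "content type inspection" Thierry says a clever gateway would do, the following is an added Python example (not code from this thread, from SecuBox Labs, or from any AV vendor). It flags a file whose leading bytes are a bogus MZ stub or a stray NUL byte while a RAR, ZIP, CAB or ARJ signature sits a few bytes further in, which is exactly the shape of the five headers quoted above. The magic values are the standard ones for those formats; the sample blobs are constructed from the quoted headers with zero filler and are not real archives; the function names (classify, is_real_pe, archive_payload) and the 32-byte scan window are my own choices.

```python
"""Spot archives whose first bytes were replaced by a foreign header.

A tolerant unpacker searches forward for its marker, so it still opens such
a file; a scanner that trusts the first bytes ("MZ" => executable, or an
unknown byte => not an archive) never looks inside. The check below does
what the unpacker does and reports the mismatch.
"""
import struct

# Standard magic values for the archive formats discussed in the thread
# (assumption: these well-known signatures, not values from the posting).
ARCHIVE_MAGICS = {
    "rar": b"Rar!\x1a\x07\x00",  # RAR 1.5 - 4.x marker block
    "zip": b"PK\x03\x04",        # ZIP local file header
    "cab": b"MSCF",              # Microsoft Cabinet
    "arj": b"\x60\xea",          # ARJ header id
}
SCAN_WINDOW = 32  # how many leading bytes may precede a displaced signature


def is_real_pe(data: bytes) -> bool:
    """A genuine MZ/PE executable has a complete 64-byte DOS header whose
    e_lfanew field (offset 0x3C) points at a 'PE\\0\\0' signature inside the
    file. The seven-byte 'MZP....' stub from the PoCs fails this test."""
    if len(data) < 64 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def find_archive_signatures(data: bytes, window: int = SCAN_WINDOW):
    """Return sorted [(offset, kind)] for every archive magic that starts
    within the first `window` bytes, regardless of what precedes it."""
    hits = []
    for kind, magic in ARCHIVE_MAGICS.items():
        start = 0
        while True:
            off = data.find(magic, start, window + len(magic))
            if off < 0:
                break
            hits.append((off, kind))
            start = off + 1
    return sorted(hits)


def classify(data: bytes) -> dict:
    """Compare what the file claims to be with what an unpacker would find."""
    hits = find_archive_signatures(data)
    if data[:2] == b"MZ":
        declared = "pe" if is_real_pe(data) else "mz-stub"
    elif hits and hits[0][0] == 0:
        declared = hits[0][1]
    else:
        declared = "unknown"
    displaced = [(off, kind) for off, kind in hits if off > 0]
    # A real PE followed by an archive may be a legitimate self-extractor;
    # a non-PE stub or NUL-prefixed file with a displaced archive signature
    # is the header-injection pattern from the PoCs.
    suspicious = bool(displaced) and declared != "pe"
    return {"declared": declared, "archives": hits, "suspicious": suspicious}


def archive_payload(data: bytes):
    """For a suspicious file, return the bytes from the first displaced
    signature onward: that is what the tolerant unpacker extracts, so it is
    what a gateway should scan (or quarantine) instead of the raw file."""
    verdict = classify(data)
    if not verdict["suspicious"]:
        return None
    off = next(o for o, _ in verdict["archives"] if o > 0)
    return data[off:]


# Constructed sample inputs modelled on the headers quoted in the thread;
# the bytes after each signature are zero filler, not real archive data.
FILLER = b"\x00" * 24
SAMPLES = {
    "AVPoC2-like rar": b"MZP\x00\x02\x00\x00" + b"Rar!\x1a\x07\x00" + FILLER,
    "AVPoC1-like zip": b"MZ" + b"PK\x03\x04\xff\x90" + FILLER,
    "AVPoC3-like cab": b"MZ\x00\x02\x00\x00" + b"MSCF" + FILLER,
    "AVPoC4-like arj": b"MZP\x00\x02\x00\x00" + b"\x60\xea" + FILLER,
    "AVPoC5-like arj": b"\x00" + b"\x60\xea" + FILLER,
    "plain zip":       b"PK\x03\x04\x14\x00" + FILLER,
}
# A minimal fake PE: 64-byte DOS header with e_lfanew = 64, then 'PE\0\0',
# then an archive marker well past the scan window (an SFX-style layout).
SAMPLES["fake sfx pe"] = (b"MZ" + b"\x00" * 58 + struct.pack("<I", 64)
                          + b"PE\x00\x00" + b"\x00" * 40 + b"Rar!\x1a\x07\x00")

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        v = classify(blob)
        print(f"{name:16} declared={v['declared']:8} archives={v['archives']} "
              f"{'SUSPICIOUS' if v['suspicious'] else 'ok'}")
```

The PE validity check is what keeps the heuristic usable on a gateway: a real self-extracting archive also starts with MZ and carries an archive marker later, but it has a full DOS header and a PE signature, whereas the injected stubs in the PoCs are only a handful of bytes. Scanning `archive_payload()` rather than the raw file reproduces what the unpacker (and the user) will actually get.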
Current thread:
- Re: Antivirus detection bypass by special crafted archive. Thierry Zoller (Oct 09)
- RE: Re: Antivirus detection bypass by special craftedarchive. ad (Oct 09)
- <Possible follow-ups>
- Re: Antivirus detection bypass by special crafted archive. Williams, James K (Oct 14)