Re: Multiple Vendor Anti-Virus Software DetectionEvasion Vulnerability through forged magic byte

["Andrey Bayora" <andrey () securityelf org>]

Hello Debasis,
Please see my inline comments below.
Thanks.

Regards,
Andrey


----- Original Message ----- 
From: "Debasis Mohanty" <mail () hackingspirits com>
To: "'Andrey Bayora'" <andrey () securityelf org>;
<full-disclosure () lists grok org uk>
Cc: <bugtraq () securityfocus com>
Sent: Tuesday, October 25, 2005 7:17 PM
Subject: RE: [Full-disclosure] Multiple Vendor Anti-Virus Software
DetectionEvasion

Vulnerability through forged magic byte

> Hello Andrey,
> Few comments on this -
> Correct me if I am wrong, "forged magic byte" might not always be able to
> fool the AV in real scenario

I tested this exploit with REAL viruses and REAL anti-virus programs (see my
whitepaper at http://www.securityelf.org/magicbyte.html). And you are
right - not ALL anti-virus programs are prone to this bug - only 12 vendors
that I found.

> (especially EXEs) unless you are talking about
> Static Virus scanners. In past few years the AV scanning technology has
> improved a lot and has gone even beyond "heuristic scanning techniques".

"Static Virus scanners" -? There are list of 15 vulnerable anti-virus
programs in my advisory.

> > > The problem exists in the scanning engine - in the routine that
> determines the file type.
> > > If some file types (file types tested are .BAT, .HTML and .EML) changed
> to have the MAGIC BYTE
> > > of the EXE files (MZ) at the beginning, then many antivirus programs
will
> be unable to detect
> > > the malicious file. It will break the normal flow of the antivirus
> scanning and many existent
> > > and future viruses will be undetected.
>
> Especially in case of EXEs, AFAIK not all EXEs has the same 'MAGIC BYTE'
> (MZ).

Just a second... I did not say this, the issue is *prepending magic byte of
one file type to another*. In my test - it was enough to prepend MZ to .BAT,
.HTML or .EML. to be UNDETECTABLE for many anti-virus programs.

> MZ only appears in the first two bytes of Win32 executable files. Most
> older file types such as original .com files, any Linux/Mac files, and
> almost all scripting files do not contain MZ in the header. In fact the
> EICAR test virus which can be represented as a .txt or a .com file is one
> such file. It is a fully executable .com file that does not contain the MZ
> bytes and still executes on Win32. This implies that the AV scan engine
> doesn't just rely on the 'magic byte'. Changing the magic byte might fool
> the static AV scanners and maybe some current Avs but this might not work
in
> case of real Viruses. As the scan engine do a heuristic scan and doesn't
> just rely upon the magic byte.

You are right, but... as far as I know; the AV has some FILTER that
determines file type BEFORE scanning. This FILTER is responsible for
minimizing the scan time of AV programs (like: if it is .EXE file, why check
virus definitions for VB or HTML viruses?).
Here is the bug - TO FOOL THE FILTER (which, I believe, is the part of the
engine)

> I published a paper on similar topi
> "Anti-Virus Evasion Techniques" almost a year back which talks about
various
> evasion techniques. It can be downloaded from here :
> http://hackingspirits.com/eth-hac/papers/whitepapers.asp

I read it, nice paper. About 4 month ago, I published a whitepaper "Software
Misuse: from
malicious actions to mind control." at
http://www.securityelf.org/whitepapers.html
where I describe using *commercial* software to create malware and avoid AV
detection by non-
technical means and malware that can ATTACK PEOPLE and influence their mind
through subliminal
messages...

> As I haven't tested your finding on real viruses so can't say if at all I
am
> wrong especially incase comments related to EXEs. However, in anycase if
> this exploit works for real viruses then this will imply that heuristic
scan
> is a Joke ;-). Although heuristics can be fooled by many advance
techniques
> (eg - obfuscation / polymorphism) but if it is fooled by this technique
then
> I believe there are lot of work waiting for Guys @ AV Schools ;-)

Maybe...:)

> - Tr0y (www.hackingspirits.com)

> -----Original Message-----
> From: full-disclosure-bounces () lists grok org uk
> [mailto:full-disclosure-bounces () lists grok org uk] On Behalf Of Andrey
> Bayora
> Sent: Tuesday, October 25, 2005 8:38 AM
> To: full-disclosure () lists grok org uk
> Cc: bugtraq () securityfocus com
> Subject: [Full-disclosure] Multiple Vendor Anti-Virus Software
> DetectionEvasion Vulnerability through forged magic byte
>
> Multiple Vendor Anti-Virus Software Detection Evasion Vulnerability
through
> forged magic byte.
>
>
>
> AUTHOR: Andrey Bayora (www.securityelf.org)
>
>
>
> For more details, screenshots and examples please read my article "The
Magic
> of magic byte" at www.securityelf.org . In addition, you will find a
sample
> "triple headed" program which has 3 different 'execution entry points',
> depending on the extension of the file (exe, html or eml) - just change
the
> extension and the SAME file will be executed by (at least) THREE DIFFERENT
> programs! (thanks to contributing author Wayne Langlois from
> www.diamondcs.com.au).
>
> DATE: October 25, 2005
>
>
>
> VULNERABLE vendors and software (tested):
>
>
>
> 1.  ArcaVir 2005 (engine 2005-06-03,vir def 2005-06-27, scanner ver
> 2005-03-06, package ver 2005-06-21)
>
> 2.  AVG 7 (updates 24 June, ver.7.0.323, virus base 267.8.0/27)
>
> 3.  eTrust CA (ver 7.0.1.4, engine 11.9.1, vir sig. 9229)
>
> 4.  Dr.Web (v.4.32b, update 27.06.2005)
>
> 5.  F-Prot (ver. 3.16c, update 6/24/2005)
>
> 6.  Ikarus (latest demo version for DOS)
>
> 7.  Kaspersky (update 24 June, ver. 5.0.372)
>
> 8.  McAfee Internet Security Suite 7.1.5 (updates 25 June, ver 9.1.08,
> engine 4.4.00, dat 4.0.4519 6/22/2005)
>
> 9.  McAfee Corporate (updates 25 June, ver. 8.0.0 patch 10, vir def 4521,
> engine 4400)
>
> 10. Norman ( ver 5.81, engine 5.83.02, update 2005/06/23)
>
> 11. TrendMicro PC-Cillin 2005 (ver 12.0.1244, engine 7.510.1002, pattern
> 2.701.00)
>
> 12. TrendMicro OfficeScan (ver7.0, engine 7.510.1002, vir pattern 2.701.00
> 6/23/2005)
>
> 13. Panda Titanium 2005 (updates 24 June, ver 4.02.01)
>
> 14. UNA - Ukrainian National Antivirus (ver. 1.83.2.16 kernel v.265)
>
> 15. Sophos 3.91 (engine 2.28.4, virData 3.91)
>
>
>
> IMPORTANT NOTE:
>
> Similar vulnerability may exist in many other antivirus\anti-spyware
desktop
> and gateway products. In addition, various "file filter" solutions may be
> affected as well.
>
>
>
> NOT VULNERABLE vendors and software (tested):
>
>
>
> 1.  F-Secure (updates 24 June, ver 5.56 b.10450)
>
> 2.  Avast (ver. 4.6.655, vir databas 0525-5 06/25/2005)
>
> 3.  BitDefender (ver. 8.0.200, update 6/24/2005, engine 7.01934)
>
> 4.  ClamWin (ver. 0.86.1, upd 24 June 2005)
>
> 5.  NOD32 (updates 24 June, ver 2.50.25, vir database 1.1152)
>
> 6.  Symantec Corporate (ver 10.0.0.359, engine 103.0.2.7)
>
> 7.  Norton Internet Security 2005 (ver 11.5.6.14)
>
> 8.  VBA32 (ver 3.10.4, updates 27.06.2005)
>
> 9.  HBEDV Antivir Personal (ver 6.31.00.01, engine 6.31.0.7, vir def
> 6.31.0.109 6/24/2005)
>
> 10. Sophos 5 (ver. 5.0.2, vir def 3.93, upd 6/30/2005)
>
> 11. Sophos 3.95 (engine 2.30.4)
>
>
>
> SEVERITY: critical
>
>
>
> DESCRIPTION:
>
>
>
> The problem exists in the scanning engine - in the routine that determines
> the file type. If some file types (file types tested are .BAT, .HTML and
> .EML) changed to have the MAGIC BYTE of the EXE files (MZ) at the
beginning,
> then many antivirus programs will be unable to detect the malicious file.
It
> will break the normal flow of the antivirus scanning and many existent and
> future viruses will be undetected.
>
>
>
> NOTE: In my test, I used the EXE headers (MZ), but it is possible to use
> other headers (magic byte) that will lead to the same effect.
>
>
>
> ANALYSIS:
>
>
>
> Some file types like .bat, .html and .eml can be properly executed even if
> they have some "unrelated" beginning. For example, in the case of .BAT
files
> - it is possible to prepend some "junk" data at the beginning of the file
> without altering correct execution of the batch file. In my tests, I used
> the calc.exe headers (first 120 bytes - middle of the dosstub section) to
> change 5 different files of existing viruses. In addition, the simplest
test
> of this vulnerability is to prepend only the magic byte (MZ) to the
existing
> malicious file and check if this file is detected by antivirus program.
>
>
>
> NOTE, that this is NOT the case where the change of existing virus file
> resulted in the "broken" detection signature (see details and the test
logic
> in "The Magic of magic byte" article at www.securityelf.org).
>
>
>
> WORKAROUND:
>
> I did not found any effective one besides of patching the vulnerable
engine.
> CREDITS:
>
> The idea for this vulnerability came during discussions from Wayne
Langlois
> at diamondcs.com.au, who hinted that JPEGs could probably be exploited in
> this way.
>
>
>
> TIME LINE:
>
>
>
> July 13, 2005 - Initial vendor notification
>
> July 16, 2005 - Second vendor notification
>
> .....Waiting.....Waiting....
>
> October 24, 2005 - Public disclosure (uncoordinated)
>
>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/