Full Disclosure mailing list archives
Re: Multiple Vendor Anti-Virus Software Detection Evasion Vulnerability through forged magic byte
From: "Williams, James K" <James.Williams () ca com>
Date: Thu, 27 Oct 2005 04:02:49 -0400
Subject: Re: Multiple Vendor Anti-Virus Software Detection Evasion Vulnerability through forged magic byte From: "Andrey Bayora" <andrey () securityelf ! org> Date: 2005-10-25 3:07:51 [...] VULNERABLE vendors and software (tested): [...] 3. eTrust CA (ver 7.0.1.4, engine 11.9.1, vir sig. 9229) [...] DESCRIPTION: The problem exists in the scanning engine - in the routine that determines the file type. If some file types (file types tested are .BAT, .HTML and .EML) changed to have the MAGIC BYTE of the EXE files (MZ) at the beginning, then many antivirus programs will be unable to detect the malicious file. It will break the normal flow of the antivirus scanning and many existent and future viruses will be undetected.
Andrey, Thank you for the report. You are effectively altering existing viruses to the point that AV scanners do not detect them. If your altered virus sample still executes correctly, you have simply created a new virus variant. If your altered virus sample does not execute properly, you have created nothing more than a corrupt virus sample. Consequently, the issue that you describe is *not* a vulnerability issue, but rather just an example of a new variant that has not yet been added to an AV vendor's database of "known viruses". Note that CA eTrust Antivirus, when running in Reviewer mode, should already detect these new variants. Regards, Ken Ken Williams ; Dir. Vuln Research Computer Associates ; 0xE2941985 _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- Multiple Vendor Anti-Virus Software Detection Evasion Vulnerability through forged magic byte Andrey Bayora (Oct 24)
- Re: Multiple Vendor Anti-Virus Software Detection Evasion Vulnerability through forged magic byte trains (Oct 25)
- RE: Multiple Vendor Anti-Virus Software DetectionEvasion Vulnerability through forged magic byte Debasis Mohanty (Oct 25)
- Message not available
- Re: Multiple Vendor Anti-Virus Software DetectionEvasion Vulnerability through forged magic byte Eygene A. Ryabinkin (Oct 27)
- <Possible follow-ups>
- Re: Multiple Vendor Anti-Virus Software Detection Evasion Vulnerability through forged magic byte Williams, James K (Oct 27)
- Re: Multiple Vendor Anti-Virus Software Detection Evasion Vulnerability through forged magic byte x (Oct 27)