Full Disclosure mailing list archives
Re: Multiple Vendor Anti-Virus Software DetectionEvasion Vulnerability through forged magic byte
From: Bipin Gautam <gautam.bipin () gmail com>
Date: Fri, 28 Oct 2005 17:32:42 +0545
Consequently, the issue that you describe is *not* a vulnerability issue, but rather just an example of a new variant that has not yet been added to an AV vendor's database of "known viruses".
yap, maybe* but i consider this issue equv. to the 'classic issue' of adding NOP to the shell-code to bypass IDS/IPS You ain't gonna add every possible combinations as signatures!
Instead of beahviour analysis, most AV vendors choose uterly stupid PE section fingerprints, defeated by adding a few bytes. Go figure. of course this is no vulnerability, it's a feature!
Is, CA eTrust Antivirus, run in Reviewer mode by default? (sorry, i haven't tryed ant Av lately) -------------
My theory on this is simple : - ALL files can't be analysed the same way by AV engines (due to speed issues) (In other words not all analysis/fingerpritns is applied to every file)
The solution was to make the engines a bit "smarter", i.e analyse the header to determine the type and then ONLY apply the signatures/heuristics which apply to the type of the file (i am not speaking about the extension of the file here) thus speeding up the process. Changing the header just makes the smart engines look...well... a bit dumb in my regards.
------
The AV vendors aren't going to patch their products if they don't detect your PoC; they're just going to write a new signature or modify an existing signature to detect your new variants. The fact that it can and will be fixed by AV signatures instead of product patches should help you figure out if this is a product vulnerability issue or just a "new virus variant" issue.
------------- Variant huh? My defination of variant are bit straight forward. And sure isn't a 'universal trick' that can be used to modified any malicious executable (which has known Av signature) by a 8 year old with 0 programming knowledge or by using any special tools to make it un-detectable, later. Admit it... Av vendors aren't going to doyuble/tripple their Av defination to detect all of such possible varient. Common, is the execution point of ANY instruction code or program flow is being changed?
There are two types of people in the world: those who complain about problems, and those who find solutions to problems. Where's your superior AV scanner?
Lastly, yap I also feel there are 2 type of ppl. in the world. One who gives answers to a question and the other who askz another another question AS the answer of the previous question. -best regards, Bipin Gautam Zeroth law of security: The possibility of poking a system from lower privilege is zero unless & until there is possibility of direct, indirect or consequential communication between the two...
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- Re: Multiple Vendor Anti-Virus Software DetectionEvasion Vulnerability through forged magic byte Andrey Bayora (Oct 25)
- Re: Multiple Vendor Anti-Virus Software DetectionEvasion Vulnerability through forged magic byte Bipin Gautam (Oct 28)
- <Possible follow-ups>
- Re: Multiple Vendor Anti-Virus Software DetectionEvasion Vulnerability through forged magic byte x (Oct 28)