Full Disclosure mailing list archives
Re: when will AV vendors fix this???
From: Paul Schmehl <pauls () utdallas edu>
Date: Mon, 07 Aug 2006 15:35:34 -0500
Bipin Gautam wrote:
> Hello list,
>
> This is actually a DESIGN BUG OF MOST (ALL?) antivirus & trojan scanners. (ROOTKIT SCANNERS already DO THIS.) This issue is MORE THAN 1 YEAR OLD stuff but I see no fix till now!!!! Lately I've ONLY tested it on the following AV & a few other spyware scanners & saw it's still NOT fixed!
>
> Kaspersky Anti-Virus 6.x (latest)
> BitDefender 9 Professional Plus (latest)
> NOD32 (latest)
>
> OS tested: WINxp sp2
>
> To keep things simple, let me give you a situation: if there is a directory/file an EVIL_USER is willing to hide from the antivirus scanner, all he has to do is fire up a command prompt & run the command:
>
> cacls.exe TROJANED_FILE_OR_DIRECTORY_NAME /T /C /P EVIL_USER:R
>
> Next time, EVEN when the administrator starts the antivirus "system scan", TROJANED_FILE_OR_DIRECTORY_NAME will be effectively bypassed, as the ownership of the directory is just of the user account named EVIL_USER and the antivirus "manual scan" is running just with the privilege of ADMINISTRATOR.

This is similar to the problem of alternative data streams. Essentially, the work needed to solve this problem isn't worth the expenditure of time and effort, because the file, in order to infect the system, has to be executed. Once the file is executed, "normal" on-access scanning will catch the exploit *if* it is known. (If it's unknown, it doesn't matter anyway.) Yes, on-demand scanning won't "see" the file, but even malicious files are benign until they are run.
-- Paul Schmehl (pauls () utdallas edu) Adjunct Information Security Officer The University of Texas at Dallas http://www.utdallas.edu/ir/security/
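The hiding step from the quoted post, together with the check an administrator would want before trusting a "system scan", as an added example (not code from either poster): a PowerShell script that walks a tree as the current account and lists every file or directory that account is denied access to, which is exactly the set an on-demand scanner running as that account would skip, and a remediation that takes ownership back. The account name EVIL_USER, the paths and the function names are assumptions; the icacls call is the modern equivalent of the cacls command in the post.

```powershell
# Added example, not from the original post. Assumptions: Windows, run as an
# administrator for the audit and remediation; EVIL_USER is an existing local
# account; all paths are placeholders.

function Hide-FromScanner {
    # Reproduces the post's hiding step with icacls (the cacls replacement):
    #   cacls.exe <path> /T /C /P EVIL_USER:R
    # /inheritance:r drops inherited ACEs and /grant:r replaces the explicit
    # ones, so afterwards only $OnlyUser holds a read ACE on the tree.
    param(
        [Parameter(Mandatory)] [string]$Path,
        [string]$OnlyUser = 'EVIL_USER'   # assumed account name
    )
    icacls $Path /inheritance:r /grant:r "${OnlyUser}:(R)" /T /C | Out-Null
}

function Find-UnreadableObjects {
    # Walks $Root as the current account and returns every object it cannot
    # open for read. A scanner running as this account without backup
    # semantics would skip exactly these objects.
    param([Parameter(Mandatory)] [string]$Root)

    $unreadable = New-Object System.Collections.Generic.List[object]
    $walkErrors = @()

    Get-ChildItem -LiteralPath $Root -Recurse -Force -File `
        -ErrorAction SilentlyContinue -ErrorVariable +walkErrors |
        ForEach-Object {
            try {
                # Read-only open with full sharing, so in-use files are not reported.
                $fs = [System.IO.File]::Open($_.FullName, 'Open', 'Read', 'ReadWrite')
                $fs.Close()
            } catch [System.UnauthorizedAccessException] {
                $unreadable.Add([pscustomobject]@{ Path = $_.FullName; Reason = 'ReadDenied' })
            }
        }

    # Directories the account cannot even enumerate surface as errors from the walk.
    foreach ($e in $walkErrors) {
        if ($e.Exception -is [System.UnauthorizedAccessException]) {
            $unreadable.Add([pscustomobject]@{ Path = $e.TargetObject; Reason = 'ListDenied' })
        }
    }
    return $unreadable
}

function Restore-AdminAccess {
    # Remediation for a flagged tree: take ownership as the Administrators
    # group, then grant it full control so a subsequent scan can read the tree.
    param([Parameter(Mandatory)] [string]$Path)
    takeown /F $Path /A /R /D Y | Out-Null
    icacls $Path /grant 'Administrators:(F)' /T /C | Out-Null
}

# Usage (paths assumed):
#   Hide-FromScanner -Path 'C:\Users\EVIL_USER\stash'        # run as EVIL_USER
#   Find-UnreadableObjects -Root 'C:\Users' | Format-Table   # run as Administrator
#   Restore-AdminAccess -Path 'C:\Users\EVIL_USER\stash'     # run as Administrator
```

The audit only reproduces the gap the post describes: it opens files with ordinary discretionary access, the same way a scanner that does not hold SeBackupPrivilege does. A scanner that enables that privilege and opens with backup semantics reads the tree regardless of its DACL, so a tree that shows up here as ReadDenied or ListDenied is a problem only for products that do not, which is the check to run against a given AV rather than assuming either side of this thread is right for it.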
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- Re: when will AV vendors fix this???, (continued)
- Re: when will AV vendors fix this??? Denis Jedig (Aug 05)
- Re: Re: when will AV vendors fix this??? <...> (Aug 06)
- Re: when will AV vendors fix this??? Marius Huse Jacobsen (Aug 07)
- Re: when will AV vendors fix this??? Bryan (Aug 07)
- RE: when will AV vendors fix this??? Thomas D. (Aug 07)
- Re: RE: when will AV vendors fix this??? Dude VanWinkle (Aug 07)
- RE: RE: when will AV vendors fix this??? Thomas D. (Aug 07)
- RE: RE: when will AV vendors fix this??? Dmitry Yu. Bolkhovityanov (Aug 11)
- Re: RE: when will AV vendors fix this??? Paul Schmehl (Aug 14)
- Re: RE: when will AV vendors fix this??? Bipin Gautam (Aug 15)
- Re: RE: when will AV vendors fix this??? Dude VanWinkle (Aug 07)
- Re: when will AV vendors fix this??? Denis Jedig (Aug 05)
- Re: when will AV vendors fix this??? Bipin Gautam (Aug 07)