Home page logo
/

bugtraq logo Bugtraq mailing list archives

Re: Bypass Virus Checking
From: neil () BORTNAK COM (Neil Bortnak)
Date: Wed, 2 Feb 2000 10:27:49 -0800


Hi everyone,

I have received many reports from people telling me if they were
vulnerable or not. Here's what I have so far:

Vulnerable:

Virus Scan 4050 Defs: 4062
NAV 5.01.01c Defs: 012400
NAV Version lost
NAV Version lost
NAV2k 2000.00.02 Defs: 12400

Not Vulnerable:

NAV 5.00.01c 012400 (Win 98)
NAV 5.0 011500 (NT4)
NAV 4.x (NT4)
NAV 5.02.04 Defs: 012400 (Win95)
VET 10.1.7.1
F-Secure AVW 4.05 F-PROT: 3.04.825 Defs: 12/19/99
AVP Undisclosed version

What I'm inferring from this is that Virus Scan is vulnerable all the
time, NAV once in a while and no one else is really affected. Why NAV is
only affected sometimes may have been answered by a Edward Salm from
IBM's Emergency Virus Response Service. He said, "The reason I mentioned
the other eicar.com is I noticed NAV on my test machine wouldn't detect
your version of eicar.com unless bloodhound was activated!  When I
turned bloodhound heuristics off (even though autoprotect was sill
running), I could put your eicar.com anywhere on the drive!" Doesn't
that give you a good pointer. Bloodhound seems pretty important. It's
also possible that bloodhound ignores the default exclusions. I have a
contact at SARC whom I'll ask about this and let you all know the
response. Oh, and in case you're wondering, there was only a difference
of one byte between our copies of EICAR.COM. Mine terminated in an <LF>,
Ed's in a <CR><LF>.

Here's an idea. The statement by McAfee that they can't go looking for
XORed files because it's not feasible got me thinking. It seems to me
that it's not feasible because it would take too long. People would be
annoyed at 2 second waits for their files to open and whatnot. Now, I'm
no AV expert and some even may work like this, but here's what I came up
with. An AV checker could do a real hard look at a file, doing whatever
it needed to be really thorough with the file (I understand that
breaking XOR programmatically is pretty straight forward). It would then
the store an MD5 hash for that file in an index. Whenever it needed to
scan a file, it would just compare hashes (which is quick), and only
re-scan the files if they had been changed. Special handling would
probably be needed for data files as they get changed all the time, but
overall it seems reasonable to me. I'd also think that AV scanners could
do more advanced scans in the background with CPU idle cycles. There are
a LOT of spare cycles on the average desktop.

Thanks for the great responses everyone,

Neil Bortnak
InfoSec & Linux Consulting
www.bortnak.com

P.S. Avoid sending attachments to the list. You get tons of bounce mail
and your message won't show up properly (at all) in the archive.


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault