Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

Re: (confirm) Antivirus, Trojan, Spy ware scanner, Nested file manual scan bypass bugs. [Part IV]
From: bipin gautam <visitbipin () yahoo com>
Date: Sat, 2 Oct 2004 07:03:35 -0700 (PDT)

Only tested on...

Mcafee VirusScan professional (8.0.0.12)
Norton Antivirus 2003
Ad-Aware (6.0.1.181)
The Cleaner

This is what i did,

I craeated a account named "dumb_user" and log on to
the account.

I created a folder and copied a sample virus to the
folder. Then i took the ownership
of the folder and set the permission as, "I only can
access" the folder and its 
content. 

eg: cacls.exe hUNT.exe /T /C /P dumb_user:R

Then I switched back to "Administrative account" and
tried doing "manual scan"
for virus with mcafee and later norton in seperate
machines. The manual scan was unable
to pick the virus!!!

But ya... if you try the same thing with a file and
try executing the file the 
auto-protect engine will stop the virus from
executing. So this is ONLY ISSUE FOR MANUAL 

SCAN ON ANTIVIRUS PRODUCTS.

It seems like, in manual scan... the scanner runs
under the security content of 

Administrator who is responsible for scanning the
system........... hence the virus goes 

unnoticed due to NTFS file permission restriction.
But, seems like... the Auto-Protect 

engine loads as a kernel driver so the virus gets
stopped in the way during execution.

*But ya... many trojan, spyware scanner i know just
run with the Administrative privilage, 

so its a ISSUE for all those products.

Please follow the procidure & confirm if other
antivirus products are vulnerable as well.

http://www.geocities.com/visitbipin/all.html

thank you for your time,

bipin gautam 
--- bipin gautam <visitbipin () yahoo com> wrote:


--- 3APA3A <3APA3A () SECURITY NNOV RU> wrote:

Dear bipin gautam,

Your statements about "all antivirus" and "design
fault" are wrong, it's
strongly  depend  on  the way manual scanning is
implemented in specific
product.

1.  many  antiviral products implement their own
kernel driver to access
scanned file. For this case permissions have no
impact for scanning.


hello 3APA3A,

Ok ya... i already mentioned the fact,  If the
scanner
is unable to drop the privilege and run under the
security content of "dumb_user" the malicious code
goes undetected. Correct me if i am wrong, but....
mostly (full-)system "manual scan" is executed as a
administrative job......... and i've already
mentioned
the fact, its MORE* a NTFS file permission problem.

http://www.geocities.com/visitbipin/all.html

IF A FILE PERMISSION IS SET IN A WAY... only THE
OWNER
OF THE FILE HAS ACCESS TO THAT FILE, Even softwares
running with ADMINISTRATIVE or SYSTEM privilage
don't
have access to the file, normally!!!!!!!!! Really
strange, cauz root should have atlest read access to
any file in the system regardless of the permission.

Atlest, most trojan, spyware scanner gets executed
as
a admin. or system process. Regarding your
statement, 

antiviral products implement their own
kernel driver to access
scanned file.

I tested on norton av 2003 and few spyware product
"the cleaner" "Ad-aware" and by this way....... a
trojan bypassed the protection.

Guys, please confirm this issue then.... i ain't in
a
research lab, just using my home PC. i'll test the
issue with mcafee and be back with the results

You  still  can  bypass  antiviral protection for
manual scans with file
encryption  (on-access  scanners  may  impersonate
accessing user). This
time  file  can  only  be  scanned  by
administrator
if administrator is
recovery agent.


wow, i didn't thought of this.....

bipin


              
_______________________________
Do you Yahoo!?
Declare Yourself - Register online to vote today!
http://vote.yahoo.com

_______________________________________________
Full-Disclosure - We believe in it.
Charter:
http://lists.netsys.com/full-disclosure-charter.html




                
__________________________________
Do you Yahoo!?
Yahoo! Mail Address AutoComplete - You start. We finish.
http://promotions.yahoo.com/new_mail 

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]