Home page logo

fulldisclosure logo Full Disclosure mailing list archives

Re: Multiple AV Vendors ignoring tar.gz archives
From: Nick FitzGerald <nick () virus-l demon co uk>
Date: Sun, 06 Feb 2005 11:15:26 +1300

Barrie Dempster wrote:

By passing some archives through www.virustotal.com I discovered that
some AV companies ignore tar.gz's and possibly other archive formats
that aren't very common on windows systems (but supported by the common
archive tools). 

If virus writers start using these formats AV companies could be slow to
react as in some cases they may have to write functionality into their
products that doesn't currently exist (support for scanning inside said
archives) this could delay signature updates.

That's a non sequitur.

If a virus was released that depended on, say tar.gz archives, and some 
AV products did not have tar.gz unpacking capabilities, there would be 
no hindrance to those companies releasing detection updates.  Afterall, 
what they detect are the unpacked contents of such archives, so 
detection of the actual malware is just as easily added and shipped 
regardless of whether the malware in question self-packs in .RAR, .ZIP, 
.TAR.GZ or .ZOO format (or does not pack itself in any archive format 
at all...).

Worse however, is the implication that missing unpacking abilities for 
some modestly common archive type is a terrible flaw in a scanner.

Well, OK -- in a gateway scanner it is likely to be a terrible flaw.  
Any vaguely competent gateway scanner should have basic knowledge of 
all archive formats and should have an option to quarantine all 
messages with archives in the formats it cannot unpack and inspect.  
Sadly, most gateway scanners are not designed this way.  It is the job 
of a gateway scanner to not let anything "dangerous" in and if you 
cannot tell what something is, prudence says you keep it out, or at 
least set it aside for more expert inspection.

However, once something gets to the desktop, it is only very mildly 
inconvenient that a scanner does not know how to unpack, say, tar.gz 
archives.  The point of a desktop scanner is to stop as much as 
possible that has got to where it shouldn't be.  Known virus scanning 
is a far from perfect method for achieving this, but as the only 
intelligent method of achieving it has been entirely disregarded by 
users, AV and OS developers, scanning is pretty much what we are left 
with.  Anyway, as we are assuming that the malware in question can be 
detected already, let's look at the consequence of a desktop scanner 
not knowing anything about tar.gz packing and the arrival of a piece of 
known malware in such an archive...

Let's assume that the user has a tar.gz handler and the user double-
clicks on the dodgy Email attachment in question (the attachment that 
the shoddy gateway Email scanner should have stopped, even if it 
couldn't scan inside tar.gz files because this is hardly a just-minted 
compression format...).  What happens?  The on-access virus scanner 
says nothing as the tar.gz file hits the disk in some temp dir, as it 
doesn't know anything about tar.gz archives.  For the same reason the 
on-access scanner says nothing when the user's archive-handling program 
opens the tar.gz file from its temp dir.  As no code has so far been 
deposited on the machine in executable form, this is not any kind of 
failure on the part of the desktop scanner.  (Yes, some lily-livered, 
weak-kneed sops may _prefer_ the "reassurance" of the malware code 
inside such files being detected "as soon as possible" but that is not 
a strong (or even useful) criterion for judging a desktop scanner's 

The user now sees, listed in the contents of the archive as displayed 
by their tar.gz archive handler the "card" or "picture" or "document" 
or whatever that the Email message promised, so double-clicks it. _Now_ 
their virus scanner gets excited.  The archive handling program 
extracts the file to a temp dir and the on-access scanner (if set to 
scan on writes and/or closes) detects the malware and pops an alert 
(and blocks further access to the file or automatically quarantines/ 
deletes/etc as it is configured).  If the scanner is only set to scan 
on execute it will pop an alert (and block/quarantine/delete) a moment 
later when the archive handler tries to have the file executed.

There is no failure here.  The desktop scanner "protected" the user, as 

Yes, it is easy for testers to add tests such as "detects malware 
packed in .ZIP files", "detects malware packed in .RAR files", "detects 
malware packed in .TAR.GZ files" but the results of such tests tell you 
squat about the quality of the product.  (In fact, that's not true -- 
as it seems axiomatic that the larger and more complex a software 
project the more bugs it will have, it would seem that the more archive 
formats a scanner can handle the buggier the scanner will be, so maybe 
such tests do tell us something about the quality of the products -- 
the higher the score, the buggier the product will be...)

Nick FitzGerald
Computer Virus Consulting Ltd.
Ph/FAX: +64 3 3267092

Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]