Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

Re: Multiple Vendor Anti-Virus Software Detection Evasion Vulnerability through forged magic byte
From: trains () doctorunix com
Date: Tue, 25 Oct 2005 09:43:43 -0500

Quoting Andrey Bayora <andrey () securityelf org>:

Multiple Vendor Anti-Virus Software Detection Evasion Vulnerability through
forged magic byte.
AUTHOR: Andrey Bayora (www.securityelf.org)

Some file types like .bat, .html and .eml can be properly executed even if
they have some "unrelated" beginning. For example, in the case of .BAT
files - it is possible to prepend some "junk" data at the beginning of the
file without altering correct execution of the batch file. In my tests, I
used the calc.exe headers (first 120 bytes - middle of the dosstub section)
to change 5 different files of existing viruses. In addition, the simplest
test of this vulnerability is to prepend only the magic byte (MZ) to the
existing malicious file and check if this file is detected by antivirus
program.

I have used inflex ( http://www.pldaniels.com/inflex/ ) for years to avoid this type of problem. This may sound like a plug for Paul Daniels' work, but since it's OSS, why not?

inflex features pedantic scanning, wherein it will reject an email attachment if the file name matches a regex [OR] the attachment gets a hit by your AV scanner [OR] any number of other conditions.

This finding certainly makes the case for layering security.

t

-------------------------------------------------
Email solutions, MS Exchange alternatives and extrication,
security services, systems integration.
Contact:    services () doctorunix com


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault