mailing list archives
Re: Multiple Vendor Anti-Virus Software Detection Evasion Vulnerability through forged magic byte
From: trains () doctorunix com
Date: Tue, 25 Oct 2005 09:43:43 -0500
Quoting Andrey Bayora <andrey () securityelf org>:
Multiple Vendor Anti-Virus Software Detection Evasion Vulnerability through
forged magic byte.
AUTHOR: Andrey Bayora (www.securityelf.org)
Some file types like .bat, .html and .eml can be properly executed even if
they have some "unrelated" beginning. For example, in the case of .BAT
files - it is possible to prepend some "junk" data at the beginning of the
file without altering correct execution of the batch file. In my tests, I
used the calc.exe headers (first 120 bytes - middle of the dosstub section)
to change 5 different files of existing viruses. In addition, the simplest
test of this vulnerability is to prepend only the magic byte (MZ) to the
existing malicious file and check if this file is detected by antivirus
I have used inflex ( http://www.pldaniels.com/inflex/ ) for years to
avoid this type of problem. This may sound like a plug for Paul
Daniels' work, but since it's OSS, why not?
inflex features pedantic scanning, wherein it will reject an email
attachment if the file name matches a regex [OR] the attachment gets a
hit by your AV scanner [OR] any number of other conditions.
This finding certainly makes the case for layering security.
Email solutions, MS Exchange alternatives and extrication,
security services, systems integration.
Contact: services () doctorunix com
Full-Disclosure - We believe in it.
Hosted and sponsored by Secunia - http://secunia.com/