Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

Re: Re: Multiple Vendor Anti-Virus Software Detection Evasion Vulnerability through forged magic byte
From: Thierry Zoller <Thierry () sniff-em com>
Date: Thu, 27 Oct 2005 20:07:48 +0200

Dear James,

WJK> You are effectively altering existing viruses to the point that
WJK> AV scanners do not detect them.
No, he is changing a few bytes only.

WJK>  If your altered virus sample
WJK> still executes correctly, you have simply created a new virus 
WJK> variant.
No, there is no variant, the virus executes EXACTLY as before. A
variant acts differenlty then a precedent version, else it would be no
variant. To your AV engine it is a variant, yes, but only because it is flawed.

WJK> Consequently, the issue that you describe is *not* a
WJK> vulnerability issue, but rather just an example of a new variant
WJK> that has not yet been added to an AV vendor's database of "known
WJK> viruses".

Thank you James, this _to my knowledge_ (perhaps the guy from vmyths
knows better) is the first time the complete failure of todays AV
solutions is shown naked publicaly directly by a representant of an
AV company. This statement coming from a AV vendor is
simply exposing what is known in the sec. community since many years.

Instead of beahviour analysis, most AV vendors choose uterly stupid
PE section fingerprints, defeated by adding a few bytes. Go figure. of
course this is no vulnerability, it's a feature!

My theory on this is simple :
- ALL files can't be analysed the same way by AV engines (due to speed
  issues) (In other words not all analysis/fingerpritns is applied to
  every file)
  
The solution was to make the engines a bit "smarter", i.e analyse the
header to determine the type and then ONLY apply the signatures/heuristics
which apply to the type of the file (i am not speaking about the extension
of the file here) thus speeding up the process. Changing the header
just makes the smart engines look...well...  a bit dumb in my regards.

-- 
Regards,
Thierry Zoller
http://thierry.sniff-em.com


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault