mailing list archives
Re: Multiple Vendor Anti-Virus Software DetectionEvasion Vulnerability through forged magic byte
From: Bipin Gautam <gautam.bipin () gmail com>
Date: Fri, 28 Oct 2005 17:32:42 +0545
Consequently, the issue that you describe is *not* a
vulnerability issue, but rather just an example of a new variant
that has not yet been added to an AV vendor's database of "known
yap, maybe* but i consider this issue equv. to the 'classic issue' of
adding NOP to the shell-code to bypass IDS/IPS You ain't gonna add
every possible combinations as signatures!
Instead of beahviour analysis, most AV vendors choose uterly stupid
PE section fingerprints, defeated by adding a few bytes. Go figure. of
course this is no vulnerability, it's a feature!
Is, CA eTrust Antivirus, run in Reviewer mode by default?
(sorry, i haven't tryed ant Av lately)
My theory on this is simple :
- ALL files can't be analysed the same way by
AV engines (due to speed issues) (In other
words not all analysis/fingerpritns is applied to
The solution was to make the engines a bit "smarter", i.e analyse the
header to determine the type and then ONLY apply the signatures/heuristics
which apply to the type of the file (i am not speaking about the extension
of the file here) thus speeding up the process. Changing the header
just makes the smart engines look...well... a bit dumb in my regards.
The AV vendors aren't going to patch their products if they
don't detect your PoC; they're just going to write a new
signature or modify an existing signature to detect your
new variants. The fact that it can and will be fixed by
AV signatures instead of product patches should help you
figure out if this is a product vulnerability issue or just
a "new virus variant" issue.
My defination of variant are bit straight forward. And sure isn't a
'universal trick' that can be used to modified any malicious
executable (which has known Av signature) by a 8 year old with 0
programming knowledge or by using any special tools to make it
un-detectable, later. Admit it... Av vendors aren't going to
doyuble/tripple their Av defination to detect all of such possible
Common, is the execution point of ANY instruction code or program flow
is being changed?
There are two types of people in the world: those who
complain about problems, and those who find solutions to
problems. Where's your superior AV scanner?
Lastly, yap I also feel there are 2 type of ppl. in the world. One who
gives answers to a question and the other who askz another another
question AS the answer of the previous question.
Zeroth law of security: The possibility of poking a system from lower
privilege is zero unless & until there is possibility of direct,
indirect or consequential communication between the two...
Full-Disclosure - We believe in it.
Hosted and sponsored by Secunia - http://secunia.com/