Full Disclosure mailing list archives

Re: Bypass of 22 Antivirus software with GDI+ bug exploit Mutations - part 2

From: "Vincent DUVERNET (Nolmë Informatique)" <vincent.duvernet () nolme com>
Date: Sat, 05 Mar 2005 13:05:55 +0100

Symantec found something that other editor didn't ? Whoaw, impressivefor a software which let go throw 700 malwares on PC ;p

About Panda Software version, you've used on old version of InternetSecurity 2004 which is actually : 8.05.02 (don't found anything too)

Internet security 2005 is : 9.01.02


Andrey Bayora wrote:

The first part is here:
http://archives.neohapsis.com/archives/fulldisclosure/2004-10/0475.html

First, this post isn’t about “how dangerous GDI+ bug or malicious JPEG
image”, but “how good” is your antivirus software.

The issue is: only 1 out of 23 tested antivirus software can detect
malicious JPEG image (after 6 month from the public disclosure date).

Here is the link to results, JPEG file and my paper (GCIH practical)
that describes how to create this one:
http://www.hiddenbit.org/jpeg.htm

This one vendor (Symantec) that can detect it, obviously do it with the
“heuristic” detection (I don’t work for them and didn’t send them any
file, moreover I know cases when Symantec didn’t detect a virus that
“other” vendors do).
ClamAV antivirus detected this JPEG file 4 month ago, but strangely
can’t detect it now.
What happened?
What about 22 antivirus software vendors that miss this malicious JPEG?
The pattern or problem in these JPEG files is known and still many
antivirus software vendors miss it, did it can represent the quality of
heuristic engines?

OK, we know that any antivirus software can provide 100% protection…

P.S.  After my first post (October 14,2004) about this problem – all
antivirus software vendors added detection to the demo file provided by
me in couple of hours. Sadly for me, but it seems that they prefer
“playing cat and mouse” and not improve heuristic engines…

Regards,
Andrey Bayora.
CISSP, GCIH




_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

Current thread:

Bypass of 22 Antivirus software with GDI+ bug exploit Mutations - part 2 Andrey Bayora (Mar 04)
- Re: Bypass of 22 Antivirus software with GDI+ bug exploit Mutations - part 2 Vincent DUVERNET (Nolmë Informatique) (Mar 05)
- Re: Bypass of 22 Antivirus software with GDI+ bug exploit Mutations - part 2 Trog (Mar 07)
  - RE: Bypass of 22 Antivirus software with GDI+bug exploit Mutations - part 2 Randall M (Mar 07)
- <Possible follow-ups>
- Re: Bypass of 22 Antivirus software with GDI+ bug exploit Mutations - part 2 Andrey Bayora (Mar 07)