flyrfan111
October 26th, 2005, 02:36 AM
Multiple Vendor AVs Magic Byte Detection Vuln.
from www.securityfocus.com/bid/15189/info
"..
Multiple vendor anti-virus software is prone to a detection evasion vulnerability.
The problem presents itself in the way various anti-virus software determines the type of file it is scanning.
An attacker can exploit this vulnerability to pass malicious files past the anti-virus software. This results in a false sense of security, and ultimately could lead to the execution of arbitrary code on the victim user's machine...
...
Vulnerable:
Ukrainian National Antivirus UNA
Trend Micro PC-cillin 2005
Trend Micro OfficeScan Corporate Edition 7.0
Sophos Anti-Virus 3.91
Panda Titanium
Norman Virus Control 5.81
McAfee Internet Security Suite 7.1.5
Kaspersky Labs Anti-Virus 5.0.372
Ikarus Ikarus 2.32
F-Prot Antivirus 3.16c
eTrust eTrust CA 7.0.14
Dr.Web Dr.Web 4.32b
AVG AVG Anti-Virus 7.0.323
ArcaBit ArcaVir 2005.0
Not Vulnerable:
VirusBlokAda VBA32
Symantec Norton Internet Security 2005 11.5.6.14
Symantec AntiVirus Corporate Edition 10.0
Sophos Anti-Virus 5.0.2
Sophos Anti-Virus 3.95
Softwin BitDefender 8.0
NOD32 NOD32 2.50.25
H+BEDV AntiVir Personal 6.31.00.01
F-Secure Anti-Virus 5.56
ClamWin ClamWin 0.86.1
Avast! Antivirus Home Edition 4.6.655 ..."
edit: from archives.neohapsis.com/archives/fulldi..
"..
The problem exists in the scanning engine - in the routine that determines the file type. If some file types (file types tested are .BAT, .HTML and .EML) are changed to have the MAGIC BYTE of EXE files (MZ) at the beginning, then many antivirus programs will be unable to detect the malicious file. It will break the normal flow of the antivirus scanning and many existing and future viruses will go undetected. ..."
I wonder how AT software would fare; some of them could be vulnerable too.
And FWs that scan inbound email could also be fooled, I think.
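The file-type confusion described in the quoted advisory, shown as an added example that is not part of the original post, the SecurityFocus entry, or any of the listed products. It contrasts a naive "first magic wins" classifier with a hardened one that only trusts an MZ magic when the DOS header actually points at a PE signature, and that otherwise reports every plausible type so a scanner can run every matching engine. All function names, the text heuristics and the sample files are constructed for this illustration and are not real malware or a real engine's logic.

```python
import re
import struct

MZ = b"MZ"
PE_SIG = b"PE\x00\x00"

# Cheap content heuristics for the text formats the advisory lists.
# Each pattern tolerates up to 8 bytes of leading junk on a line, so a
# prepended magic does not hide the first keyword from the sniffer.
# (Constructed heuristics for illustration, not a real engine's rules.)
TEXT_PATTERNS = {
    "bat": re.compile(rb"(?im)^.{0,8}(@echo|echo|rem|set|call|start)\b"),
    "html": re.compile(rb"(?i)<!doctype|<html|<script"),
    "eml": re.compile(rb"(?im)^.{0,8}(from|received|subject|to|date):"),
}


def is_valid_pe(data: bytes) -> bool:
    """An 'MZ' magic only counts as an executable if the DOS header's
    e_lfanew field (offset 0x3C) points at a 'PE\\0\\0' signature inside the file."""
    if len(data) < 0x40 or not data.startswith(MZ):
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + len(PE_SIG) > len(data):
        return False
    return data[e_lfanew:e_lfanew + len(PE_SIG)] == PE_SIG


def naive_type(data: bytes) -> str:
    """First matching magic wins and the search stops: this is the weakness
    the advisory describes, where two leading bytes route a file to the
    executable-only scan path and the script engines never see it."""
    if data.startswith(MZ):
        return "exe"
    for name, rx in TEXT_PATTERNS.items():
        if rx.search(data[:512]):
            return name
    return "unknown"


def hardened_types(data: bytes) -> set:
    """Return every plausible type so the scanner runs every matching engine.
    An MZ magic that is not backed by a PE header is flagged, not trusted."""
    types = set()
    if data.startswith(MZ):
        types.add("exe" if is_valid_pe(data) else "suspect-mz")
    for name, rx in TEXT_PATTERNS.items():
        if rx.search(data[:512]):
            types.add(name)
    return types or {"unknown"}


# Constructed samples (harmless): a batch file, the same file with an MZ
# prefix, an HTML fragment, a mail header block, and a minimal PE stub.
BAT = b"@echo off\r\necho hello\r\n"
DISGUISED_BAT = MZ + BAT
HTML = b"<html><body>hello</body></html>"
EML = b"From: a@example.com\r\nSubject: hi\r\n\r\nhello\r\n"


def build_minimal_pe() -> bytes:
    """Smallest byte string the checks above accept as a real executable."""
    buf = bytearray(0x60)
    buf[:2] = MZ
    struct.pack_into("<I", buf, 0x3C, 0x40)  # e_lfanew -> 0x40
    buf[0x40:0x44] = PE_SIG
    return bytes(buf)


if __name__ == "__main__":
    samples = [("bat", BAT), ("MZ+bat", DISGUISED_BAT), ("html", HTML),
               ("MZ+html", MZ + HTML), ("eml", EML), ("pe", build_minimal_pe())]
    for label, sample in samples:
        print(f"{label:8} naive={naive_type(sample):8} "
              f"hardened={sorted(hardened_types(sample))}")
```

The point a scanner author takes from this is that a magic is a hint, not a verdict: either validate the structure the magic implies (here, the e_lfanew to PE signature chain) before committing to one parser, or keep collecting candidate types and scan the content under every one of them. Either approach means the MZ-prefixed batch file is still handed to the script engine instead of being waved through as a broken executable.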