Bypass of 22 Antivirus software with GDI+ bug exploit Mutations - part 2

<Quote>

To: BugTraq
Subject: Bypass of 22 Antivirus software with GDI+ bug exploit Mutations -
part 2
Date: Mar 4 2005 9:03PM
Author: Andrey Bayora <andrey hiddenbit org>
Message-ID: <1109970190.4228cd0e27138@www.hiddenbit.org>

The first part is here:
http://archives.neohapsis.com/archives/fulldisclosure/2004-10/0475.html

First, this post isn't about how dangerous GDI+ bug or malicious JPEG
image, but how good is your antivirus software.

The issue is: only 1 out of 23 tested antivirus software can detect
malicious JPEG image (after 6 month from the public disclosure date).

Here is the link to results, JPEG file and my paper (GCIH practical)
that describes how to create this one:
http://www.hiddenbit.org/jpeg.htm

This one vendor (Symantec) that can detect it, obviously do it with the
heuristic detection (I don't work for them and didn't send them any
file, moreover I know cases when Symantec didn't detect a virus that
other vendors do).

ClamAV antivirus detected this JPEG file 4 month ago, but strangely
can't detect it now.

What happened?

What about 22 antivirus software vendors that miss this malicious JPEG?
The pattern or problem in these JPEG files is known and still many
antivirus software vendors miss it, did it can represent the quality of
heuristic engines?

OK, we know that any antivirus software can provide 100% protection?

P.S. After my first post (October 14,2004) about this problem - all
antivirus software vendors added detection to the demo file provided by
me in couple of hours. Sadly for me, but it seems that they prefer
playing cat and mouse and not improve heuristic engines?

Regards,
Andrey Bayora.
CISSP, GCIH

</Unquote>

Tried it for myself with latest definitions and all bells and whistles set on high/deep/advanced etc. with NOD32 and like the post states, no evidence of anything out of the ordinary found.

 

Sorry for posting again, found this in reply to the quoted text:

<Quote>

Bugtraq: Re: [Full-Disclosure] Bypass of 22 Antivirus software with GDI+ bug exploit Mutations - part 2

From: Trog (trog_at_uncon.org)
Date: Mar 07 2005

* Next message: Martin Pitt: "[USN-91-1] EXIF library vulnerability"
* Previous message: CIRT Advisory: "CIRT.DK Advisory - SafeNet Inc Sentinel License Manager 7.2.0.2 Buffer Overflow"
* In reply to: Andrey Bayora: "Bypass of 22 Antivirus software with GDI+ bug exploit Mutations - part 2"
* Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

On Fri, 2005-03-04 at 15:03 -0600, Andrey Bayora wrote:

> The issue is: only 1 out of 23 tested antivirus software can detect
> malicious JPEG image (after 6 month from the public disclosure date).

Perhaps this fact should have rung some alarm bells in your mind.

>
> Here is the link to results, JPEG file and my paper (GCIH practical)
> that describes how to create this one:
> http://www.hiddenbit.org/jpeg.htm

I had a look at your supposed JPEG exploit file, bulzano2.jpg,
downloaded from the URL you supplied above, and read the 84 page PDF
you've generated to explain your processes.

You appear to have made an error.

The segments of a JPEG file are chained together. In bulzano2.jpg, the
chain goes as follows:

Offset Marker Size Comment
--------------------------

0x0000 FFDB Start of image marker
0x0002 FFE0 0010 JFIF APP0 marker: next in chain = 0x0004
+0x0010=0x0014
0x0014 FFED 191c APP marker: next in chain = 0x0016+0x191c=0x1932

According to your paper you've added your exploit at offset 0x0210,
which is in the middle of the APP segment that ranges from 0x0018 to
0x1932, as such this is not a valid exploit. The data at 0x0210 may look
like a segment marker, but isn't.

Please explain if I have missed something.

-trog

</Unquote>