Multiple Vendor AV Vulnerability

Discussion in 'other anti-virus software' started by flyrfan111, Oct 26, 2005.

Thread Status:
Not open for further replies.
  1. flyrfan111

    flyrfan111 Registered Member

    Jun 1, 2004
    Multiple Vendor AVs Magic Byte Detection Vuln.

    Multiple vendor anti-virus software is prone to a detection evasion vulnerability.

    The problem presents itself in the way various anti-virus software determines the type of file it is scanning.

    An attacker can exploit this vulnerability to pass malicious files past the anti-virus software. This results in a false sense of security, and ultimately could lead to the execution of arbitrary code on the victim user's machine...
    Ukranian National Antivirus UNA
    Trend Micro PC-cillin 2005
    Trend Micro OfficeScan Corporate Edition 7.0
    Sophos Anti-Virus 3.91
    Panda Titanium
    Norman Virus Control 5.81
    McAfee Internet Security Suite 7.1.5
    Kaspersky Labs Anti-Virus 5.0.372
    Ikarus Ikarus 2.32
    F-Prot Antivirus 3.16 c
    eTrust eTrust CA 7.0.14
    Dr.Web Dr.Web 4.32 b
    AVG AVG Anti-Virus 7.0.323
    ArcaBit ArcaVir 2005.0

    Not Vulnerable:
    VirusBlokAda VBA32
    Symantec Norton Internet Security 2005 11.5.6 .14
    Symantec AntiVirus Corporate Edition 10.0
    Sophos Anti-Virus 5.0.2
    Sophos Anti-Virus 3.95
    Softwin BitDefender 8.0
    NOD32 NOD32 2.50.25
    H+BEDV AntiVir Personal 6.31 .00.01
    F-Secure Anti-Virus 5.56
    ClamWin ClamWin 0.86.1
    Avast! Antivirus Home Edition 4.6.655 ..."

    edit: from
    The problem exists in the scanning engine - in the routine that determines the file type. If some file types (file types tested are .BAT, .HTML and .EML) are changed to have the MAGIC BYTE of the EXE files (MZ) at the beginning, then many antivirus programs will be unable to detect the malicious file. It will break the normal flow of the antivirus scanning and many existing and future viruses will be undetected. ..."

    I wonder how AT software would fare; some of them could be vulnerable too.

    And FWs that scan inbound email could also be fooled, I think.
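    To make the quoted advisory concrete, here is an added illustration (not code from the advisory, from any vendor's engine, or from anyone in this thread) of the difference between a file-type routine that trusts the two "MZ" bytes alone and one that validates the DOS header and the PE signature it points to before deciding the file is an executable. The signatures and sample files are constructed toy data; the point is that a scanner which selects its signature set by file type will skip the batch signatures entirely once a batch file is misclassified as an executable, whereas an engine that refuses to trust an unvalidated magic byte falls back to scanning with every signature set.

```python
import struct

# Constructed toy signatures keyed by file type (not real AV signatures).
SIGNATURES = {
    "pe": [b"PE\0\0\x4c\x01"],               # PE signature + i386 machine field
    "bat": [b"constructed test marker"],      # stands in for a batch-file signature
    "html": [b"<script>constructed-marker"],  # stands in for an HTML signature
}


def build_minimal_pe() -> bytes:
    """Constructed sample: 64-byte DOS header whose e_lfanew points at a PE signature."""
    hdr = bytearray(b"MZ" + b"\0" * 62)
    struct.pack_into("<I", hdr, 0x3C, 0x40)   # e_lfanew = 0x40
    return bytes(hdr) + b"PE\0\0" + b"\x4c\x01" + b"\0" * 18


SAMPLE_PE = build_minimal_pe()
SAMPLE_BAT = b"@echo off\r\nREM constructed test marker\r\n"
SAMPLE_BAT_MZ = b"MZ" + SAMPLE_BAT   # batch file with the EXE magic prepended, as the advisory describes


def naive_file_type(data: bytes) -> str:
    """The weak behaviour: two leading bytes decide the type."""
    return "pe" if data[:2] == b"MZ" else "other"


def looks_like_pe(data: bytes) -> bool:
    """Require a full DOS header and a 'PE\\0\\0' signature at e_lfanew."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 4 > len(data):
        return False
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def validated_file_type(data: bytes) -> str:
    """Only call it a PE when the structure checks out; otherwise 'unknown'."""
    return "pe" if looks_like_pe(data) else "unknown"


def scan(data: bytes, typer) -> list:
    """Apply the signature set for the detected type, or every set when the type is unknown.

    Returns the sorted list of signature categories that matched.
    """
    ftype = typer(data)
    types = [ftype] if ftype in SIGNATURES else list(SIGNATURES)
    hits = {t for t in types for sig in SIGNATURES[t] if sig in data}
    return sorted(hits)


if __name__ == "__main__":
    for name, sample in (("pe", SAMPLE_PE), ("bat", SAMPLE_BAT), ("bat+MZ", SAMPLE_BAT_MZ)):
        print(name, "naive:", scan(sample, naive_file_type),
              "validated:", scan(sample, validated_file_type))
```

    Run as-is: the plain batch sample is caught by both routines, the real PE is caught by both, but the MZ-prefixed batch sample is typed as "pe" by the naive routine and therefore never compared against the batch signatures, while the validated routine treats it as unknown and catches it. This is also why a "scan all files" setting does not necessarily help: the file is opened, but the wrong signature set is applied to it.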
  2. Happy Bytes

    Happy Bytes Guest

    Credit: Wayne Langlois and Andrey Bayora are credited with the discovery of this vulnerability. :eek:
  3. RejZoR

    RejZoR Registered Member

    May 31, 2004
    Hm, is there anything wrong with bold text Happy Bytes?

    Also antiviruses shouldn't be affected if you use "Scan all files" right?
  4. flyrfan111

    flyrfan111 Registered Member

    Jun 1, 2004
    I don't think so. I am sure they tested that, and it would be mentioned as a workaround if that were the case.


    I did not find any effective one besides patching the vulnerable engine.


    The idea for this vulnerability came during discussions from Wayne Langlois
    at, who hinted that JPEGs could probably be exploited in
    this way.
  5. Firecat

    Firecat Registered Member

    Jan 2, 2005
    The land of no identity :D
    Perhaps Happy Bytes is referring to Wayne Langlois from DiamondCS....and that's why the bold text, I guess.