Major new exploit affects many AVs

Discussion in 'other anti-virus software' started by sard, Nov 5, 2005.

Thread Status:
Not open for further replies.
  1. sard

    sard Registered Member

    Joined:
    Apr 18, 2004
    Posts:
    175
    Location:
    UK
    http://www.security.ithub.com/article/Virus Scanners Made Moot by New Exploit/164278_1.aspx

    "Recently, researcher Andrey Bayora revealed that it is possible to fool the scanners into thinking that a file under scan is one kind, when it is in actuality something entirely different. Bayora (of www.securityelf.org), a Russian-born Israeli, has issued an advisory that details how to bypass many popular Windows AV programs."

    http://www.securityelf.org/updmagic.html

    http://www.securityelf.org/magicbyte.html
     
  2. RejZoR

    RejZoR Lurker

    Joined:
    May 31, 2004
    Posts:
    6,426
    This has been posted before. But i don't get something...
    Isn't there any "incubation" period for AV vendors to fix this?
I mean first you find the vulnerability, then you send it to all affected vendors, giving them 7 days to fix it. After 7 days you publicly announce the vulnerability. But no, they just race to post it in public first to make even more malware based on it. Stupid, or do I not get "their" logic?
     
  3. bigc73542

    bigc73542 Retired Moderator

    Joined:
    Sep 21, 2003
    Posts:
    23,934
    Location:
    SW. Oklahoma
    In the list of vulnerable AV products he listed eTrust (eTrust CA (ver 7.0.1.4, engine 11.9.1, vir sig. 9229)). That is a really old version; I wonder why he didn't test the newer version.
     

  4. que sera

    que sera Guest

    Hi,

    http://www.securityelf.org/magicbyteadv.html (scroll down please)


    I wouldn't consider 3 months a short incubation period... ;)


    Cheers
    qs
     
  5. RejZoR

    RejZoR Lurker

    Joined:
    May 31, 2004
    Posts:
    6,426
    Thanks, I missed that. So this confirms that devs just ignored the warning...
     
  6. Don Pelotas

    Don Pelotas Registered Member

    Joined:
    Jun 29, 2004
    Posts:
    2,257
    Probably because they do not see this as a big threat here & now, from the analyst's diary Nov 1: http://www.viruslist.com/en/weblog. :)
     
  7. que sera

    que sera Guest

    and also:

    http://www.kaspersky.com/technews?id=173127139
    Hm, seems to me they started seeing it as a thread when it was made public. ;)
     
  8. Don Pelotas

    Don Pelotas Registered Member

    Joined:
    Jun 29, 2004
    Posts:
    2,257
    Hmm, I think you mean "as a threat", correct? No, I don't think they suddenly are seeing it as a threat, I think Roel made that pretty clear, but that doesn't mean that it shouldn't be fixed of course. :)
     
  9. que sera

    que sera Guest

    Yes, sorry for the typo. :)

    Will that fix slow down the scan engine (because it was mentioned to circumvent the "vulnerability" it would be necessary to scan the entire file for file headers/malicious code)?

    Thanks,
    qs
     
  10. Happy Bytes

    Happy Bytes Guest

    To make it clear: it's not a vulnerability.
    That's creating a new version of an already existing malware version.
    Even if most of the code of the file remains unchanged. By adding fake headers you increase the file size (if you keep the rest as it is). And this is not even a new thing. Such things were already performed a long time ago with VBS viruses. Adding so-called "non-printable" characters as comments at the start of VBS files to try confusing the script interpreter. That was at least really a vulnerability, because comments are comments and they get ignored.

    BUT the jumping point with adding "MZ" for instance at the top of a batch file is the following:

    Do you know if there exists an "MZ.BAT" or "MZ.COM" or "MZ.CMD" or "MZ.EXE" which would get called with your "MZ" added in a batch file? As I said before, that's basically creating a new version of existing malware. Because who knows what MZ.XXX does? So basically you also add "new functionality" to this already existing malware file. Besides, the file size might change. So what do you tell your customers? They got infected by a "pseudo-unknown-virus" which doesn't match, for instance, the file size as written in your virus description library? There you have to add it anyway as a new version into detection, as long as it's not a parasitic virus or changes itself.
     
  11. OK, it is not a vulnerability (for you), perhaps the assigned Bugtraq ID and 13 CVE references were just a mistake of those organizations :)

    The AV company certainly must know... :)

    "The PATCH will be issued the next week" - this is what the AV companies said. Now, tell me please, WHY they issue a PATCH if, according to you, they must issue a SIGNATURE? (hint - because it is a bug)

    So, did you want to say that NOD32 (and other AVs) detect viruses by the FILE SIZE or hash? If it were true, NOD32 should be the first to fail to detect such "a new" virus, but it did not.

    Finally, as I point out in my whitepaper, the "changed" viruses are STILL detected with the SAME signature.
    And then, "a magic": you change the FIRST byte to anything and the virus is detected, but when you change it to "M" (exe magic byte), the AV fails. What is your conclusion? (hint - the file size IS THE SAME).

    I am sorry to say that, but your arguments are ILLOGICAL. I respect you as "Sr. Virus Researcher & Developer", but I really did not understand you.

    Anyway, I did not mean any offence, and if you feel that you are right - let it be, I do not want to argue on this subject.

    Regards,
    Andrey.
     
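Added example, not part of this thread or of any vendor's engine: a toy scanner that lets the leading magic bytes choose which signature set runs, beside a hardened version that applies the script signatures to the whole file regardless of the header and reports a header/extension mismatch as its own finding. The magic table, the marker string used as a "signature" and the batch samples are all constructed for the illustration.

```python
import re

# Constructed magic-byte table for the toy scanner (not any real engine's table).
MAGIC_TYPES = {b"MZ": "exe", b"PK": "zip", b"%PDF": "pdf"}
SCRIPT_TYPES = {"bat", "cmd", "vbs"}
# Constructed "malware" signature: a marker string standing in for a real pattern.
SCRIPT_SIGNATURE = re.compile(rb"echo\s+CONSTRUCTED_MALWARE_MARKER", re.IGNORECASE)

def magic_type(data: bytes):
    """Return the type implied by the leading bytes, or None if no known magic matches."""
    for magic, kind in MAGIC_TYPES.items():
        if data.startswith(magic):
            return kind
    return None

def naive_scan(data: bytes, ext: str) -> bool:
    """Flawed design: the magic bytes decide which signature set is applied.

    A script whose first bytes were changed to the PE magic is routed to the
    executable signature set, so the script signature is never run over it."""
    kind = magic_type(data) or ext.lstrip(".").lower()
    if kind in SCRIPT_TYPES:
        return bool(SCRIPT_SIGNATURE.search(data))
    return False  # executable signature set: contains no script patterns

def header_mismatch(data: bytes, ext: str) -> bool:
    """True when the magic bytes claim one type and the extension claims another."""
    kind = magic_type(data)
    return kind is not None and kind != ext.lstrip(".").lower()

def hardened_scan(data: bytes, ext: str) -> tuple:
    """Fix: run the script signatures over the whole file regardless of the
    header, and report a header/extension mismatch as a separate finding."""
    return bool(SCRIPT_SIGNATURE.search(data)), header_mismatch(data, ext)

# Constructed samples: a benign batch file, a "detected" one, and the detected
# one with the PE magic prepended, as the advisory discussed above describes.
CLEAN_BAT = b"@echo off\r\necho hello\r\n"
BAD_BAT = b"@echo off\r\necho CONSTRUCTED_MALWARE_MARKER\r\n"
SPOOFED_BAT = b"MZ" + BAD_BAT

if __name__ == "__main__":
    for name, sample in [("clean", CLEAN_BAT), ("bad", BAD_BAT), ("spoofed", SPOOFED_BAT)]:
        print(name, "naive:", naive_scan(sample, ".bat"),
              "hardened (sig hit, mismatch):", hardened_scan(sample, ".bat"))
```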
  12. Happy Bytes

    Happy Bytes Guest

    Seems to me you did not understand what i said. This wasn't related to virus detection.

    Just reread Roel's weblog. He's basically saying the same with creating a new version.
     