AVs test against JPEG exploits

Discussion in 'other anti-virus software' started by kareldjag, Mar 7, 2005.

Thread Status:
Not open for further replies.
  1. kareldjag

    kareldjag Registered Member

    Joined:
    Nov 13, 2004
    Posts:
    622
    Location:
    PARIS AND ITS SUBURBS
    Hi,

    An "old" (October 2004) but new test files.
    The next link is a recent test of some AVs (on Virus Total and Jotti) against JPEG exploits.

    I've verified the test, and Kaspersky and Norton were the only ones to detect the infected file (on VirusTotal/Jotti), and I attached the result at the end of the post.
    Anyone can do the same test with his AV.

    http://www.hiddenbit.org/jpeg.htm

    On the disclosure, the author said that AV vendors "prefer "playing cat and mouse" and not improve heuristic engines".

    Regards
     

    Attached Files:

  2. solarpowered candle

    solarpowered candle Registered Member

    Joined:
    Jan 9, 2003
    Posts:
    1,181
    Location:
    new zealand
    Timely post, kareldjag. Last night the KAV 6 prototype found 2 instances of this backdoor trojan program win.32 after my Korean boarder went for a cruise to her Chinese/Korean sites. I ran a scan after getting home and let KAV disinfect/delete the file. Nice to see a confirmation here.

    Kav6 also disinfects it before download.
     
    Last edited: Mar 7, 2005
  3. dan_maran

    dan_maran Registered Member

    Joined:
    Aug 30, 2004
    Posts:
    1,053
    Location:
    Stamford, CT
    Tested on 3 PCs
    PC 1 - KAV 5 Per. (v.146 I believe), it missed it on execution (Update!), but got it on the OD scan. 227 got it on access of the zip.

    PC 2 - Gdata, caught it at Download.

    PC 3 - McAfee 8.0i with scan archives on caught before download, and without Zip scan on access.

    HTH
     
  4. Firefighter

    Firefighter Registered Member

    Joined:
    Oct 28, 2002
    Posts:
    1,670
    Location:
    Finland
    I agree with that.

    Best regards,
    Firefighter!
     

    Attached Files:

  5. Firefighter

    Firefighter Registered Member

    Joined:
    Oct 28, 2002
    Posts:
    1,670
    Location:
    Finland
    Also Ewido 3.0 was able to detect that.

    Best regards,
    Firefighter!
     

    Attached Files:

  6. KERANO

    KERANO Guest

    What happens if you run that "picture"? Does it display a picture or just damage a system?

    Does it depend on which program you use to open the "picture"?

    Thanks
     
  7. Stefan Kurtzhals

    Stefan Kurtzhals AV Expert

    Joined:
    Sep 30, 2003
    Posts:
    701
    The problem is that the antivirus programs are currently only detecting the shellcode inside the example exploit JPEG - not the exploit itself. If you replace the shellcode with another, it will go undetected.

    I changed our scan engine yesterday, this "new" exploit example uses a Photoshop specific extension of the JPEG format to "hide" the exploit.
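
Added example (not from the thread or from any vendor's scan engine): the difference Stefan Kurtzhals describes between matching one payload and checking the file structure itself. It assumes the malformed element is a segment length field smaller than 2, which the thread does not specify; the function names and sample bytes are constructed for illustration.

```python
import struct

SOI, EOI = b"\xff\xd8", b"\xff\xd9"
# Markers with no length field: TEM, RST0-RST7, SOI, EOI
STANDALONE = {0x01, 0xD8, 0xD9, *range(0xD0, 0xD8)}

def scan_jpeg_structure(data: bytes) -> list:
    """Walk the segment headers; return a list of structural findings."""
    if data[:2] != SOI:
        return ["missing SOI marker"]
    pos = 2
    while pos < len(data):
        if data[pos] != 0xFF:
            return [f"offset {pos}: expected 0xFF marker prefix"]
        while pos < len(data) and data[pos] == 0xFF:  # skip fill bytes
            pos += 1
        if pos >= len(data):
            return ["file truncated inside a marker"]
        marker, pos = data[pos], pos + 1
        if marker == 0xD9:          # EOI: header walk finished cleanly
            return []
        if marker in STANDALONE:
            continue
        if pos + 2 > len(data):
            return [f"marker 0x{marker:02X}: truncated length field"]
        (length,) = struct.unpack(">H", data[pos:pos + 2])
        if length < 2:              # the length counts its own two bytes
            return [f"marker 0x{marker:02X} at offset {pos}: length {length} < 2"]
        if pos + length > len(data):
            return [f"marker 0x{marker:02X}: segment overruns the file"]
        if marker == 0xDA:          # SOS: entropy-coded data follows
            return []
        pos += length
    return ["no EOI marker"]

def payload_signature(data: bytes) -> bool:
    """Stand-in for a signature written against one specific payload."""
    return b"PAYLOAD-A" in data

# Constructed samples: placeholder payload strings, no real shellcode.
APP0 = b"\xff\xe0" + struct.pack(">H", 16) + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
GOOD = SOI + APP0 + b"\xff\xfe" + struct.pack(">H", 7) + b"hello" + EOI
BAD_A = SOI + APP0 + b"\xff\xfe\x00\x00" + b"PAYLOAD-A" + EOI
BAD_B = SOI + APP0 + b"\xff\xfe\x00\x00" + b"PAYLOAD-B" + EOI

if __name__ == "__main__":
    for name, sample in (("GOOD", GOOD), ("BAD_A", BAD_A), ("BAD_B", BAD_B)):
        print(name, payload_signature(sample), scan_jpeg_structure(sample))
```

The payload signature matches only `BAD_A`, while the structural check flags both malformed samples regardless of what follows the bad length field, and it applies to every segment type, application-specific ones included.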
     
  8. Sputnik

    Sputnik Registered Member

    Joined:
    Feb 24, 2005
    Posts:
    1,198
    Location:
    Москва
    Both F-Secure and McAfee found the virus here...
     
  9. rdsu

    rdsu Registered Member

    Joined:
    Jun 28, 2003
    Posts:
    4,456
    Now it detected, but 2 days ago it didn't...
     
  10. Beefcarver

    Beefcarver Registered Member

    Joined:
    Jan 23, 2005
    Posts:
    263
    Location:
    michigan
    How did avast do with this?
     
  11. JimF

    JimF Registered Member

    Joined:
    Apr 17, 2004
    Posts:
    54
    Location:
    Allentown, PA USA
    I just downloaded the latest avast! beta (4.6.614) with today's definitions and it did not detect it.
     
  12. rdsu

    rdsu Registered Member

    Joined:
    Jun 28, 2003
    Posts:
    4,456
    Same here... Not good...
     