Major new exploit affects many AVs

Discussion in 'other anti-virus software' started by sard, Nov 5, 2005.

Thread Status:
Not open for further replies.
  1. sard

    sard Registered Member

    Joined:
    Apr 18, 2004
    Posts:
    175
    Location:
    UK
    http://www.security.ithub.com/article/Virus Scanners Made Moot by New Exploit/164278_1.aspx

    "Recently, researcher Andrey Bayora revealed that it is possible to fool the scanners into thinking that a file under scan is one kind, when it is in actuality something entirely different. Bayora (of www.securityelf.org), a Russian-born Israeli, has issued an advisory that details how to bypass many popular Windows AV programs."

    http://www.securityelf.org/updmagic.html

    http://www.securityelf.org/magicbyte.html
     
  2. RejZoR

    RejZoR Registered Member

    Joined:
    May 31, 2004
    Posts:
    6,426
    This has been posted before. But i don't get something...
    Isn't there any "incubation" period for AV vendors to fix this?
    I mean first you find the vulnerability, then you send it to all affected vendors, giving them 7 days to fix it. After 7 days you publically announce the vulnerability. But no, they just race to post it in public first to make even more malware based on it. Stupid or i don't get "their" logic?
     
  3. bigc73542

    bigc73542 Retired Moderator

    Joined:
    Sep 21, 2003
    Posts:
    23,873
    Location:
    SW. Oklahoma
    In the list of vulnerable av products he listed eTrust (eTrust CA (ver 7.0.1.4, engine 11.9.1, vir sig. 9229) That is a really old version I wonder why he didn't test the newer version
     

    Attached Files:

  4. que sera

    que sera Guest

    Hi,

    http://www.securityelf.org/magicbyteadv.html (scroll down please)


    I wouldn't consider 3 month a short incubation period... ;)


    Cheers
    qs
     
  5. RejZoR

    RejZoR Registered Member

    Joined:
    May 31, 2004
    Posts:
    6,426
    Thanks i missed that. So this confirms that devs just ignored the warning...
     
  6. Don Pelotas

    Don Pelotas Registered Member

    Joined:
    Jun 29, 2004
    Posts:
    2,257
    Probably because they do not see this as big threat here & now, from the analyst's diary nov 1:http://www.viruslist.com/en/weblog.:)
     
  7. que sera

    que sera Guest

    and also:

    http://www.kaspersky.com/technews?id=173127139
    Hm, seems to me they started to seeing it as a thread when it was made public. ;)
     
  8. Don Pelotas

    Don Pelotas Registered Member

    Joined:
    Jun 29, 2004
    Posts:
    2,257
    Hmm, i think you mean "as a threat" Correct? No, i don't think they suddenly are seeing it as a threat, i think Roel made that pretty clear, but that doesn't mean that it shouldn't be fixed of course.:)
     
  9. que sera

    que sera Guest

    Yes, sorry for the typo. :)

    Will that fix slow down the scan engine (because it was mentioned to circumvent the "vulnerability" it would be necessary to scan the entire file for file headers/malicious code)?

    Thanks,
    qs
     
  10. Happy Bytes

    Happy Bytes Guest

    To make it clear: It's not a vulnerability.
    That's creating a new version of an already existing malware version.
    Even if the most code of the file remains unchanged. By adding fake headers you incrase the filesize (if you keep the rest as it is). And this is not even a new thing. Such things were already performed long time ago with VBS viruses. Adding so called "non-printable" characters as comments in the start of VBS files to try confusing the script interpreter. That was at least really a vulnerability, because comments are comments and they get ignored.

    BUT the jumping point with adding "MZ" for instance at the top of a batch file is the following:

    Do you know if there exists an "MZ.BAT" or "MZ.COM" or "MZ.CMD" or "MZ.EXE" which would get called with your "MZ" adding in a batch file? As i said before thats basically creating a new version of existing malware. Because who knowns what MZ.XXX makes? So basically you add also "new functionality" to this already existing malware file. Besides, the file size might change. So what do you tell your customers? They got infected by an "pseudo-unknown-virus" who doesn't match for instance the filesize as written in your virus description library? There you have to add it anyway as new version into detection as long as it's not a parasitic virus or changes itself.
     
  11. OK, it is not a vulnerability (for you), perhaps the assigned Bugtraq ID and 13 CVE references were just a mistake of those organizations :)

    The AV company certainly must to know...:)

    "The PATCH will be issued the next week" - this is what the AV companies said. Now, tell me please, WHY they issue a PATCH if, according to you, they must issue a SIGNATURE? (hint - because it is a bug)

    So, did you want to say that NOD32 (and other AV) detects viruses by the FILE SIZE or hash? If it was a true - NOD32 should be the first to fail to detect such "a new" virus, but it did not.

    Finally, as I point out in my whitepaper, the "changed" viruses STILL detected with the SAME signature.
    And then, "a magic" - you change the FIRST byte to anything and the virus is detected, but when you change to "M" (exe magic byte) - the AV fails. What is your conclusion? (hint - the file size IS THE SAME).

    I am sorry to say that, but your arguments are ILLOGICAL. I am respect you as " Sr. Virus Researcher & Developer", but I am really did not understand you.

    Anyway, I did not mean any offence, and if you feel that you are right - let it be, I do not want to argue on this subject.

    Regards,
    Andrey.
     
  12. Happy Bytes

    Happy Bytes Guest

    Seems to me you did not understand what i said. This wasn't related to virus detection.

    Just reread Roel's weblog. He's basicly saying the same with creating a new version.
     
Loading...
Thread Status:
Not open for further replies.