Multiple AV detection bypass Alert

Discussion in 'other anti-virus software' started by StevieO, Oct 6, 2005.

Thread Status:
Not open for further replies.
  1. StevieO

    StevieO Guest

    Just discovered this and once again AVG seems to be in the clear !


    Multiple Antivirus detection bypass by special crafted archive

    Affected Products:
    * Kaspersky Antivirus
    * BitDefender Antivirus
    * NOD32 Antivirus
    * F-Prot Antivirus
    * Avast Antivirus
    * McAfee Antivirus
    * Sophos Antivirus
    * Symantec Antivurys
    * Dr.Web Antivirus
    * Avira Antivirus
    * Norman Virus Control Antivirus
    * Fortinet Antivirus
    * VBA32 Antivirus
    * Rising Antivirus
    * AntiVir Antivirus
    * eTrust-Iris Antivirus
    * ArcaVir Antivirus
    * eTrust-Vet Antivirus
    * UNA Antivirus
    * TheHacker
    [+] May be others.....

    Not affected:
    * Grisoft AVG AntiVirus
    * Ikarus AntiVirus
    * ClamAV Antivirus
    * Panda Antivirus
    * CAT Quick Heal

    http://shadock.net/secubox/AVCraftedArchive.html


    StevieO
     
  2. Triple Helix

    Triple Helix Webroot Product Advisor

    Joined:
    Nov 20, 2004
    Posts:
    12,011
    Location:
    Ontario, Canada
    That is why I believe in the Layered approach of Security!! What gets bye one the second will stop it!!

    Cheers,
     
  3. The Hammer

    The Hammer Registered Member

    Joined:
    May 12, 2005
    Posts:
    5,619
    Location:
    Toronto Canada
    It's the EICAR test and NOD handles it.
     
    Last edited: Oct 6, 2005
  4. ----

    ---- Guest

    I wonder about the Antitrojans Ewido and Trojanhunter. Are they affected?
     
  5. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Reading the analysis below, it looks like it is just another packer and on opening the infected file(s) your AV will detect the malware enclosed providing the AV or AT has the necessary signature.

    Most Anti-Trojans will also get the malicious file(s) when they are opened but usually your AV will detect them first.

    Pilli

    Analysis
    __________

    Specially crafted archive containing a virus will pass
    through the antivirus system without detection.

    An attacker can compress a malicious payload and evade
    detection by some anti-virus software.

    The bypassed malicious content does not pose a risk until
    extracted from the RAR archive file. Malicious content
    will be detected and eliminated by your Antivirus.

    Contrary to Winzip or BitZipper which do not authorize the
    opening of the file, Winrar open & extract it.
     
  6. GuruGuy

    GuruGuy Registered Member

    Joined:
    Jun 18, 2005
    Posts:
    48
    Why do you say NOD handles it when in the screenshots it obviously does not?
     
  7. The Hammer

    The Hammer Registered Member

    Joined:
    May 12, 2005
    Posts:
    5,619
    Location:
    Toronto Canada
    Search the NOD forum there are a number of threads about the EICAR test.
     
  8. RejZoR

    RejZoR Registered Member

    Joined:
    May 31, 2004
    Posts:
    6,426
    As far as i know F-Prot and avast! are affected only in On-Demand scans and not On-Access.
     
  9. ------

    ------ Guest

    You are right it's a different one from the one i thought it was . Lots of anti-virus evading vulnerabilities in the past weeks.
     
  10. -----

    ----- Guest

    That's why i run 2 antivirus in real time. :p
     
  11. Schouw

    Schouw AV Expert

    Joined:
    Jan 4, 2004
    Posts:
    29
    Location:
    Netherlands
    This can't be taken seriously.

    That's all I have to say, I won't waste any (more) time on this.
     
  12. ----

    ---- Guest

    What tipped you off? Could it be the subtle clue of the smiley?
     
  13. Schouw

    Schouw AV Expert

    Joined:
    Jan 4, 2004
    Posts:
    29
    Location:
    Netherlands
    I was talking about the test itself, if I wasn't I had quoted the person to whom I was referring. :)
     
  14. Technodrome

    Technodrome Security Expert

    Joined:
    Feb 13, 2002
    Posts:
    2,140
    Location:
    New York
    They used jotti an virus total to confirm this? Unbelievable! :rolleyes:



    tD
     
  15. RejZoR

    RejZoR Registered Member

    Joined:
    May 31, 2004
    Posts:
    6,426
    They did? Omg :eek:
     
  16. ----

    ---- Guest

    Why not? Lots of wilders member do. :)
     
  17. Happy Bytes

    Happy Bytes Guest

    ROFL :D

    What's the deal to patch a MZ Sign into archive file?
    Without a valid PE Header the file will not execute.
    Next, without valid opcode after the entrypoint the file will crash/do nothing
    Next, there's no selfextracting code called which passes the jump to the virus.

    That Rar is able to extract this is a sideeffekt, but has nothing to do with antivirus detection bypass. So what's the problem?
     
  18. Smokey

    Smokey Registered Member

    Joined:
    Apr 1, 2002
    Posts:
    1,513
    Location:
    Annie's Pub
    Are you serious or kidding?:eek:
     
  19. Stephanos G.

    Stephanos G. Registered Member

    Joined:
    Mar 29, 2005
    Posts:
    720
    Location:
    Cyprus
    which av can run together without to cause problems? :eek:
     
  20. The Hammer

    The Hammer Registered Member

    Joined:
    May 12, 2005
    Posts:
    5,619
    Location:
    Toronto Canada
    Stephanos G and Smokey the guy's playing with you.
     
  21. Smokey

    Smokey Registered Member

    Joined:
    Apr 1, 2002
    Posts:
    1,513
    Location:
    Annie's Pub
    Is possible, and I assume you are right.:D

    But remember, in real life it happens, trying to use f.e. 2 AV's in real-time and 2 firewalls.:eek: ;)
     
  22. steve1955

    steve1955 Registered Member

    Joined:
    Feb 7, 2004
    Posts:
    1,384
    Location:
    Sunny(in my dreams)Manchester,England
    Am I right in assuming that the AV's are only bybassed by the compressed "threat"?and once this "threat" is uncompressed your AV will "jump on it"? if this is the case whats the problem? because anything in a zip/rar/etc file is safe until you uncompress it anyway! or am I missing something here?
     
  23. kalpik

    kalpik Registered Member

    Joined:
    May 26, 2005
    Posts:
    369
    Location:
    Delhi, India
    Exactly! Can we have some more explaination as to why this is being hyped so much?
     
  24. fosius

    fosius Registered Member

    Joined:
    Oct 14, 2004
    Posts:
    479
    Location:
    Partizanske, Slovakia
    I wouldn't be afraid of this "bypass" at all. You are fully protected if your real-time protection is turned on.
     
  25. steve1955

    steve1955 Registered Member

    Joined:
    Feb 7, 2004
    Posts:
    1,384
    Location:
    Sunny(in my dreams)Manchester,England
    I'm under the impression people look for problems or "invent them" when they dont really exist because they have too much time on their hands!
     
Loading...
Thread Status:
Not open for further replies.