Hello Debasis, Please see my inline comments below. Thanks. Regards, Andrey ----- Original Message ----- From: "Debasis Mohanty" <mail@xxxxxxxxxxxxxxxxxx> To: "'Andrey Bayora'" <andrey@xxxxxxxxxxxxxxx>; <full-disclosure@xxxxxxxxxxxxxxxxx> Cc: <bugtraq@xxxxxxxxxxxxxxxxx> Sent: Tuesday, October 25, 2005 7:17 PM Subject: RE: [Full-disclosure] Multiple Vendor Anti-Virus Software DetectionEvasion Vulnerability through forged magic byte > Hello Andrey, > Few comments on this - > Correct me if I am wrong, "forged magic byte" might not always be able to > fool the AV in real scenario I tested this exploit with REAL viruses and REAL anti-virus programs (see my whitepaper at http://www.securityelf.org/magicbyte.html). And you are right - not ALL anti-virus programs are prone to this bug - only 12 vendors that I found. >(especially EXEs) unless you are talking about > Static Virus scanners. In past few years the AV scanning technology has > improved a lot and has gone even beyond "heuristic scanning techniques". "Static Virus scanners" -? There are list of 15 vulnerable anti-virus programs in my advisory. > > >> The problem exists in the scanning engine - in the routine that > determines the file type. > >> If some file types (file types tested are .BAT, .HTML and .EML) changed > to have the MAGIC BYTE > >> of the EXE files (MZ) at the beginning, then many antivirus programs will > be unable to detect > >> the malicious file. It will break the normal flow of the antivirus > scanning and many existent > >> and future viruses will be undetected. > > Especially in case of EXEs, AFAIK not all EXEs has the same 'MAGIC BYTE' > (MZ). Just a second... I did not say this, the issue is *prepending magic byte of one file type to another*. In my test - it was enough to prepend MZ to .BAT, .HTML or .EML. to be UNDETECTABLE for many anti-virus programs. > MZ only appears in the first two bytes of Win32 executable files. Most > older file types such as original .com files, any Linux/Mac files, and > almost all scripting files do not contain MZ in the header. In fact the > EICAR test virus which can be represented as a .txt or a .com file is one > such file. It is a fully executable .com file that does not contain the MZ > bytes and still executes on Win32. This implies that the AV scan engine > doesn't just rely on the 'magic byte'. Changing the magic byte might fool > the static AV scanners and maybe some current Avs but this might not work in > case of real Viruses. As the scan engine do a heuristic scan and doesn't > just rely upon the magic byte. You are right, but... as far as I know; the AV has some FILTER that determines file type BEFORE scanning. This FILTER is responsible for minimizing the scan time of AV programs (like: if it is .EXE file, why check virus definitions for VB or HTML viruses?). Here is the bug - TO FOOL THE FILTER (which, I believe, is the part of the engine) > I published a paper on similar topi > "Anti-Virus Evasion Techniques" almost a year back which talks about various > evasion techniques. It can be downloaded from here : > http://hackingspirits.com/eth-hac/papers/whitepapers.asp I read it, nice paper. About 4 month ago, I published a whitepaper "Software Misuse: from malicious actions to mind control." at http://www.securityelf.org/whitepapers.html where I describe using *commercial* software to create malware and avoid AV detection by non- technical means and malware that can ATTACK PEOPLE and influence their mind through subliminal messages... > > > As I haven't tested your finding on real viruses so can't say if at all I am > wrong especially incase comments related to EXEs. However, in anycase if > this exploit works for real viruses then this will imply that heuristic scan > is a Joke ;-). Although heuristics can be fooled by many advance techniques > (eg - obfuscation / polymorphism) but if it is fooled by this technique then > I believe there are lot of work waiting for Guys @ AV Schools ;-) Maybe...:) > > > - Tr0y (www.hackingspirits.com) > > > > > > -----Original Message----- > From: full-disclosure-bounces@xxxxxxxxxxxxxxxxx > [mailto:full-disclosure-bounces@xxxxxxxxxxxxxxxxx] On Behalf Of Andrey > Bayora > Sent: Tuesday, October 25, 2005 8:38 AM > To: full-disclosure@xxxxxxxxxxxxxxxxx > Cc: bugtraq@xxxxxxxxxxxxxxxxx > Subject: [Full-disclosure] Multiple Vendor Anti-Virus Software > DetectionEvasion Vulnerability through forged magic byte > > Multiple Vendor Anti-Virus Software Detection Evasion Vulnerability through > forged magic byte. > > > > AUTHOR: Andrey Bayora (www.securityelf.org) > > > > For more details, screenshots and examples please read my article "The Magic > of magic byte" at www.securityelf.org . In addition, you will find a sample > "triple headed" program which has 3 different 'execution entry points', > depending on the extension of the file (exe, html or eml) - just change the > extension and the SAME file will be executed by (at least) THREE DIFFERENT > programs! (thanks to contributing author Wayne Langlois from > www.diamondcs.com.au). > > DATE: October 25, 2005 > > > > VULNERABLE vendors and software (tested): > > > > 1. ArcaVir 2005 (engine 2005-06-03,vir def 2005-06-27, scanner ver > 2005-03-06, package ver 2005-06-21) > > 2. AVG 7 (updates 24 June, ver.7.0.323, virus base 267.8.0/27) > > 3. eTrust CA (ver 7.0.1.4, engine 11.9.1, vir sig. 9229) > > 4. Dr.Web (v.4.32b, update 27.06.2005) > > 5. F-Prot (ver. 3.16c, update 6/24/2005) > > 6. Ikarus (latest demo version for DOS) > > 7. Kaspersky (update 24 June, ver. 5.0.372) > > 8. McAfee Internet Security Suite 7.1.5 (updates 25 June, ver 9.1.08, > engine 4.4.00, dat 4.0.4519 6/22/2005) > > 9. McAfee Corporate (updates 25 June, ver. 8.0.0 patch 10, vir def 4521, > engine 4400) > > 10. Norman ( ver 5.81, engine 5.83.02, update 2005/06/23) > > 11. TrendMicro PC-Cillin 2005 (ver 12.0.1244, engine 7.510.1002, pattern > 2.701.00) > > 12. TrendMicro OfficeScan (ver7.0, engine 7.510.1002, vir pattern 2.701.00 > 6/23/2005) > > 13. Panda Titanium 2005 (updates 24 June, ver 4.02.01) > > 14. UNA - Ukrainian National Antivirus (ver. 1.83.2.16 kernel v.265) > > 15. Sophos 3.91 (engine 2.28.4, virData 3.91) > > > > IMPORTANT NOTE: > > Similar vulnerability may exist in many other antivirus\anti-spyware desktop > and gateway products. In addition, various "file filter" solutions may be > affected as well. > > > > NOT VULNERABLE vendors and software (tested): > > > > 1. F-Secure (updates 24 June, ver 5.56 b.10450) > > 2. Avast (ver. 4.6.655, vir databas 0525-5 06/25/2005) > > 3. BitDefender (ver. 8.0.200, update 6/24/2005, engine 7.01934) > > 4. ClamWin (ver. 0.86.1, upd 24 June 2005) > > 5. NOD32 (updates 24 June, ver 2.50.25, vir database 1.1152) > > 6. Symantec Corporate (ver 10.0.0.359, engine 103.0.2.7) > > 7. Norton Internet Security 2005 (ver 11.5.6.14) > > 8. VBA32 (ver 3.10.4, updates 27.06.2005) > > 9. HBEDV Antivir Personal (ver 6.31.00.01, engine 6.31.0.7, vir def > 6.31.0.109 6/24/2005) > > 10. Sophos 5 (ver. 5.0.2, vir def 3.93, upd 6/30/2005) > > 11. Sophos 3.95 (engine 2.30.4) > > > > SEVERITY: critical > > > > DESCRIPTION: > > > > The problem exists in the scanning engine - in the routine that determines > the file type. If some file types (file types tested are .BAT, .HTML and > .EML) changed to have the MAGIC BYTE of the EXE files (MZ) at the beginning, > then many antivirus programs will be unable to detect the malicious file. It > will break the normal flow of the antivirus scanning and many existent and > future viruses will be undetected. > > > > NOTE: In my test, I used the EXE headers (MZ), but it is possible to use > other headers (magic byte) that will lead to the same effect. > > > > ANALYSIS: > > > > Some file types like .bat, .html and .eml can be properly executed even if > they have some "unrelated" beginning. For example, in the case of .BAT files > - it is possible to prepend some "junk" data at the beginning of the file > without altering correct execution of the batch file. In my tests, I used > the calc.exe headers (first 120 bytes - middle of the dosstub section) to > change 5 different files of existing viruses. In addition, the simplest test > of this vulnerability is to prepend only the magic byte (MZ) to the existing > malicious file and check if this file is detected by antivirus program. > > > > NOTE, that this is NOT the case where the change of existing virus file > resulted in the "broken" detection signature (see details and the test logic > in "The Magic of magic byte" article at www.securityelf.org). > > > > WORKAROUND: > > I did not found any effective one besides of patching the vulnerable engine. > > > > CREDITS: > > The idea for this vulnerability came during discussions from Wayne Langlois > at diamondcs.com.au, who hinted that JPEGs could probably be exploited in > this way. > > > > TIME LINE: > > > > July 13, 2005 - Initial vendor notification > > July 16, 2005 - Second vendor notification > > .....Waiting.....Waiting.... > > October 24, 2005 - Public disclosure (uncoordinated) > > > > _______________________________________________ > Full-Disclosure - We believe in it. > Charter: http://lists.grok.org.uk/full-disclosure-charter.html > Hosted and sponsored by Secunia - http://secunia.com/ > > > >
