________________________________________________________________________ From the low-hanging-fruit-department Bitdefender generic evasion of heuristics (for PDF) ________________________________________________________________________ CHEAP Plug : ************************************************************************ You are invited to participate in HACK.LU 2009, a small but concentrated luxemburgish security conference. More information : http://www.hack.lu CFP is open, sponsorship is still possible and warmly welcomed! ************************************************************************ Release mode: Coordinated but limited disclosure. Ref : [TZO-23-2009] - Bitdefender generic PDF evasion (heuristics) WWW : http://blog.zoller.lu/2009/04/advisory-bitdefender-generic-evasion.html Vendor : http://www.bitdefender.com Status : Patched (with sig update after 13.05.2009) CVE : none provided Credit : none OSVDB vendor entry: none [1] Security notification reaction rating : good Notification to patch window : 5 days Disclosure Policy : http://blog.zoller.lu/2008/09/notification-and-disclosure-policy.html Affected products : - Bitdefender Antivirus 2009 - Bitdefender Internet Security 2009 - Bitdefender Total Security 2009 - Bitdefender Small Office Security - Bitdefender for Fileservers - Bitdefender for Samba - Bitdefender for Sharepoint - Bitdefender Security for Exchange - Bitdefender Security for Mailservers - Bitdefender for ISA Servers - Bitdefender Client security Bundles: - BitDefender Business Security - Bitdefender Antivirus for Unices - Bitdefender Corporate Security - Bitdefender SBS Security I. Background ~~~~~~~~~~~~~ Quote: "BitDefender™ provides security solutions to satisfy the protection requirements of today's computing environment, delivering effective threat management for over 41 million home and corporate users in more than 100 countries. BitDefender, a division of SOFTWIN, is headquartered in Bucharest, Romania and has offices in Tettnang, Germany, Barcelona, United Kingdom, Denmark, Spain and Fort Lauderdale (FL), USA." II. Description ~~~~~~~~~~~~~~~ The heuristics can be bypassed by a special formatted PDF "container", this leads to the bypass of malicious PDF files, old or new. This is not a bypass that relies on archive structures but relies on evading certain code paths in the AV engine "through various means". III. Impact ~~~~~~~~~~~ To know more about the impact and type of "evasion", I updated the description at http://blog.zoller.lu/2009/04/case-for-av-bypassesevasions.html Interestingly this opens the possibility to evade at scan time and run-time. IV. Disclosure timeline ~~~~~~~~~~~~~~~~~~~~~~~~~ DD/MM/YYYY 08/05/2009 : Send proof of concept, description the terms under which I cooperate and the planned disclosure date. 13/05/2009 : Bitdefender notifies my that the patch was deployed. [1] Bitdefender is encouraged to leave their security contact details at http://osvdb.org/vendor/1/SOFTWIN to facilate communication and reduce lost reports.