Pretty crazy that we're closer to 2030, than we are 2005. Where did the time go!
0 Members and 1 Guest are viewing this topic.
Multiple Vendor Anti-Virus Software Detection Evasion Vulnerability throughforged magic byte.AUTHOR: Andrey Bayora (www.securityelf.org)For more details, screenshots and examples please read my article "The Magicof magic byte" at www.securityelf.org . In addition, you will find a sample"triple headed" program which has 3 different 'execution entry points',depending on the extension of the file (exe, html or eml) - just change theextension and the SAME file will be executed by (at least) THREE DIFFERENTprograms! (thanks to contributing author Wayne Langlois fromwww.diamondcs.com.au).DATE: October 25, 2005VULNERABLE vendors and software (tested):1. ArcaVir 2005 (engine 2005-06-03,vir def 2005-06-27, scanner ver2005-03-06, package ver 2005-06-21)2. AVG 7 (updates 24 June, ver.7.0.323, virus base 267.8.0/27)3. eTrust CA (ver 7.0.1.4, engine 11.9.1, vir sig. 9229)4. Dr.Web (v.4.32b, update 27.06.2005)5. F-Prot (ver. 3.16c, update 6/24/2005)6. Ikarus (latest demo version for DOS)7. Kaspersky (update 24 June, ver. 5.0.372)8. McAfee Internet Security Suite 7.1.5 (updates 25 June, ver 9.1.08,engine 4.4.00, dat 4.0.4519 6/22/2005)9. McAfee Corporate (updates 25 June, ver. 8.0.0 patch 10, vir def 4521,engine 4400)10. Norman ( ver 5.81, engine 5.83.02, update 2005/06/23)11. TrendMicro PC-Cillin 2005 (ver 12.0.1244, engine 7.510.1002, pattern2.701.00)12. TrendMicro OfficeScan (ver7.0, engine 7.510.1002, vir pattern 2.701.006/23/2005)13. Panda Titanium 2005 (updates 24 June, ver 4.02.01)14. UNA - Ukrainian National Antivirus (ver. 1.83.2.16 kernel v.265)15. Sophos 3.91 (engine 2.28.4, virData 3.91)IMPORTANT NOTE:Similar vulnerability may exist in many other antivirus\anti-spyware desktopand gateway products. In addition, various "file filter" solutions may beaffected as well.NOT VULNERABLE vendors and software (tested):1. F-Secure (updates 24 June, ver 5.56 b.10450)2. Avast (ver. 4.6.655, vir databas 0525-5 06/25/2005)3. BitDefender (ver. 8.0.200, update 6/24/2005, engine 7.01934)4. ClamWin (ver. 0.86.1, upd 24 June 2005)5. NOD32 (updates 24 June, ver 2.50.25, vir database 1.1152)6. Symantec Corporate (ver 10.0.0.359, engine 103.0.2.7)7. Norton Internet Security 2005 (ver 11.5.6.14)8. VBA32 (ver 3.10.4, updates 27.06.2005)9. HBEDV Antivir Personal (ver 6.31.00.01, engine 6.31.0.7, vir def6.31.0.109 6/24/2005)10. Sophos 5 (ver. 5.0.2, vir def 3.93, upd 6/30/2005)11. Sophos 3.95 (engine 2.30.4)SEVERITY: criticalDESCRIPTION:The problem exists in the scanning engine - in the routine that determinesthe file type. If some file types (file types tested are .BAT, .HTML and.EML) changed to have the MAGIC BYTE of the EXE files (MZ) at the beginning,then many antivirus programs will be unable to detect the malicious file. Itwill break the normal flow of the antivirus scanning and many existent andfuture viruses will be undetected.NOTE: In my test, I used the EXE headers (MZ), but it is possible to useother headers (magic byte) that will lead to the same effect.ANALYSIS:Some file types like .bat, .html and .eml can be properly executed even ifthey have some "unrelated" beginning. For example, in the case of .BATfiles - it is possible to prepend some "junk" data at the beginning of thefile without altering correct execution of the batch file. In my tests, Iused the calc.exe headers (first 120 bytes - middle of the dosstub section)to change 5 different files of existing viruses. In addition, the simplesttest of this vulnerability is to prepend only the magic byte (MZ) to theexisting malicious file and check if this file is detected by antivirusprogram.NOTE, that this is NOT the case where the change of existing virus fileresulted in the "broken" detection signature (see details and the test logicin "The Magic of magic byte" article at www.securityelf.org).WORKAROUND:I did not found any effective one besides of patching the vulnerable engine.CREDITS:The idea for this vulnerability came during discussions from Wayne Langloisat diamondcs.com.au, who hinted that JPEGs could probably be exploited inthis way.TIME LINE:July 13, 2005 - Initial vendor notificationJuly 16, 2005 - Second vendor notification.....Waiting.....Waiting....October 24, 2005 - Public disclosure (uncoordinated)_______________________________________________Full-Disclosure - We believe in it.Charter: http://lists.grok.org.uk/full-disclosure-charter.htmlHosted and sponsored by Secunia - http://secunia.com/
I'd personally do as Joe suggests
You might be right about that, Joe.
I forwarded the Magic Byte message thread to Trend Micro and this was theirresponse... they want me and my clients to upgrade to their latest versionin order to get realistic protection... Anyone from Trend Micro listening? -----Original Message-----From: retail@support.trendmicro.com [mailto:retail@support.trendmicro.com] Sent: Saturday, October 29, 2005 4:02 AMTo: auri@auri.netSubject: [SR #:1-40483753] RE: Update for the magic byte bugDear Valued Client, Thank you for taking the time to contact and update us with this concern, Iam Jonathan from the Consumer Support Team and I'll be assisting you on thismatter.The issue you are inquiring about is already been addressed in the TrendMicro PC-Cillin Internet Security 2006 version.Hope this proves to be useful to you!Please let me know if we were able to resolve your concern(s) so we mayformally close this case. Your immediate response will be mostappreciated. Again, thank you for writing us. Should you have furtherinquiries, please do not hesitate to call us. Other means of reaching ouroffice are indicated below.Please do not hesitate to contact us back should you have any furtherconcern/s.NOTE: The Knowledge Base is a depository of information allowing users toget help in resolving any issue that may arise in using Trend Microproducts. You can always visit the Knowledge Base website at this link<http://kb.trendmicro.com/solutions/solutionSearch.asp>Sincerely Yours,Jonathan LuaConsumer Support Team, Product Support ServicesTrendLabs HQ, Trend Micro IncorporatedP.S.In order for us to have a history of our correspondence and help us processyour inquiry faster, please DO NOT DELETE the subject and the contents ofthis email. The subject contains the case ID while the content serves as thecase history.Are your products new pattern formats (NPF) compliant?Please see http://www.trendmicro.com/npf to verify product compliancy<<<====================================================>>>[URL / website] http://www.trendmicro.com/en/home/us/personal.htm[E-mail] pc-cillin@support.trendmicro.com[Knowledge Base] http://kb.trendmicro.com/solutions/Default.asp?[Contact us] http://www.trendmicro.com/en/support/contact.htm[Retail Products] 1 - 800 - 864 - 6027 (from 5am to 5pm PST)<<<====================================================>>>If you have any comments with our support, please contact:Retail_manager@support.trendmicro.comIf you would like to voice out some of your comments about Trend and herproducts, please contact: comments@support.trendmicro.com-----Original Message-----From: auri@auri.netSent: 10/29/2005 09:26:34 AMTo: "US Tech Support" <support@trendmicro.com>; <info@trendmicro.com>Subject: Update for the magic byte bugIs this being resolved in TM Internet Security 2005 please?Thanks again!Best,-Auri
viruses is more frequently considered the correct plural of virus.
You are correct. One of those "Strange but True" things
Quote from: Sidoh on November 03, 2005, 04:52:30 pmviruses is more frequently considered the correct plural of virus. You are correct. One of those "Strange but True" things
Quote from: iago on November 03, 2005, 07:42:28 pmYou are correct. One of those "Strange but True" things ( OFF TOPIC WARNING! O_O )Sneezes are 1/8th an orgasm.Haha, that was actually someone said in WoW when I was playing with ~15 other people. Obviously, one of the members was female because they said "I feel sorry for anyone who believes that." Haha.
[20:21:13] xar: i was just thinking about the time iago came over here and we made this huge bomb and light up the sky for 6 min[20:21:15] xar: that was funny
It's true: it's on the snapple caps.
Quote from: Quik on November 09, 2005, 06:31:15 pmIt's true: it's on the snapple caps.Haha, I wonder how they'd measure that. I'd wager that orgasms are more pleasureful from person to person.
Quote from: Sidoh on November 09, 2005, 10:32:51 pmQuote from: Quik on November 09, 2005, 06:31:15 pmIt's true: it's on the snapple caps.Haha, I wonder how they'd measure that. I'd wager that orgasms are more pleasureful from person to person.gender to gender*
Quote from: Blaze on November 09, 2005, 10:38:07 pmQuote from: Sidoh on November 09, 2005, 10:32:51 pmQuote from: Quik on November 09, 2005, 06:31:15 pmIt's true: it's on the snapple caps.Haha, I wonder how they'd measure that. I'd wager that orgasms are more pleasureful from person to person.gender to gender*People who are different genders also tend to be different people. It reminds me of the fact/legend that dolphins are the only creature (besides mean) that enjoys sex -- who asked them?
gender to gender*