
| Subject: | Re: [Full-disclosure] Multiple Vendor Anti-Virus Software Detection Evasion Vulnerability through forged magic byte |
|---|---|
| Date: | Wed, 26 Oct 2005 02:10:50 +0200 |
Hello Debasis,

Please see my inline comments below.

Thanks.

Regards,
Andrey

----- Original Message -----
From: "Debasis Mohanty" <mail@hackingspirits.com>
To: "'Andrey Bayora'" <andrey@securityelf.org>; <full-disclosure@lists.grok.org.uk>
Cc: <bugtraq@securityfocus.com>
Sent: Tuesday, October 25, 2005 7:17 PM
Subject: RE: [Full-disclosure] Multiple Vendor Anti-Virus Software Detection Evasion Vulnerability through forged magic byte
> Hello Andrey,
>
> Few comments on this - Correct me if I am wrong, "forged magic byte" might not always be able to fool the AV in a real scenario

I tested this exploit with REAL viruses and REAL anti-virus programs (see my whitepaper at http://www.securityelf.org/magicbyte.html). And you are right - not ALL anti-virus programs are prone to this bug - only 12 vendors that I found.

> (especially EXEs) unless you are talking about Static Virus scanners. In the past few years the AV scanning technology has improved a lot and has gone even beyond "heuristic scanning techniques".

"Static Virus scanners" -? There is a list of 15 vulnerable anti-virus programs in my advisory.
> > The problem exists in the scanning engine - in the routine that determines the file type. If some file types (file types tested are .BAT, .HTML and .EML) changed to have the MAGIC BYTE of the EXE files (MZ) at the beginning, then many antivirus programs will be unable to detect the malicious file. It will break the normal flow of the antivirus scanning and many existent and future viruses will be undetected.
>
> Especially in case of EXEs, AFAIK not all EXEs have the same 'MAGIC BYTE' (MZ).

Just a second... I did not say this, the issue is *prepending magic byte of one file type to another*. In my test - it was enough to prepend MZ to .BAT, .HTML or .EML to be UNDETECTABLE for many anti-virus programs.
> MZ only appears in the first two bytes of Win32 executable files. Most older file types such as original .com files, any Linux/Mac files, and almost all scripting files do not contain MZ in the header. In fact the EICAR test virus which can be represented as a .txt or a .com file is one such file. It is a fully executable .com file that does not contain the MZ bytes and still executes on Win32. This implies that the AV scan engine doesn't just rely on the 'magic byte'. Changing the magic byte might fool the static AV scanners and maybe some current AVs but this might not work in case of real Viruses, as the scan engine does a heuristic scan and doesn't just rely upon the magic byte.

You are right, but... as far as I know, the AV has some FILTER that determines file type BEFORE scanning. This FILTER is responsible for minimizing the scan time of AV programs (like: if it is an .EXE file, why check virus definitions for VB or HTML viruses?). Here is the bug - TO FOOL THE FILTER (which, I believe, is part of the engine).
> I published a paper on a similar topic "Anti-Virus Evasion Techniques" almost a year back which talks about various evasion techniques. It can be downloaded from here: http://hackingspirits.com/eth-hac/papers/whitepapers.asp

I read it, nice paper. About 4 months ago, I published a whitepaper "Software Misuse: from malicious actions to mind control." at http://www.securityelf.org/whitepapers.html where I describe using *commercial* software to create malware and avoid AV detection by non-technical means and malware that can ATTACK PEOPLE and influence their mind through subliminal messages...
> As I haven't tested your finding on real viruses I can't say if at all I am wrong, especially in case of comments related to EXEs. However, in any case if this exploit works for real viruses then this will imply that heuristic scan is a Joke ;-). Although heuristics can be fooled by many advanced techniques (eg - obfuscation / polymorphism), if it is fooled by this technique then I believe there is a lot of work waiting for Guys @ AV Schools ;-)

Maybe...:)

> - Tr0y (www.hackingspirits.com)
> -----Original Message-----
> From: full-disclosure-bounces@lists.grok.org.uk [mailto:full-disclosure-bounces@lists.grok.org.uk] On Behalf Of Andrey Bayora
> Sent: Tuesday, October 25, 2005 8:38 AM
> To: full-disclosure@lists.grok.org.uk
> Cc: bugtraq@securityfocus.com
> Subject: [Full-disclosure] Multiple Vendor Anti-Virus Software Detection Evasion Vulnerability through forged magic byte
>
> Multiple Vendor Anti-Virus Software Detection Evasion Vulnerability through forged magic byte.
>
> AUTHOR: Andrey Bayora (www.securityelf.org)
>
> For more details, screenshots and examples please read my article "The Magic of magic byte" at www.securityelf.org . In addition, you will find a sample "triple headed" program which has 3 different 'execution entry points', depending on the extension of the file (exe, html or eml) - just change the extension and the SAME file will be executed by (at least) THREE DIFFERENT programs! (thanks to contributing author Wayne Langlois from www.diamondcs.com.au).
>
> DATE: October 25, 2005
>
> VULNERABLE vendors and software (tested):
>
> 1. ArcaVir 2005 (engine 2005-06-03, vir def 2005-06-27, scanner ver 2005-03-06, package ver 2005-06-21)
> 2. AVG 7 (updates 24 June, ver. 7.0.323, virus base 267.8.0/27)
> 3. eTrust CA (ver 7.0.1.4, engine 11.9.1, vir sig. 9229)
> 4. Dr.Web (v.4.32b, update 27.06.2005)
> 5. F-Prot (ver. 3.16c, update 6/24/2005)
> 6. Ikarus (latest demo version for DOS)
> 7. Kaspersky (update 24 June, ver. 5.0.372)
> 8. McAfee Internet Security Suite 7.1.5 (updates 25 June, ver 9.1.08, engine 4.4.00, dat 4.0.4519 6/22/2005)
> 9. McAfee Corporate (updates 25 June, ver. 8.0.0 patch 10, vir def 4521, engine 4400)
> 10. Norman (ver 5.81, engine 5.83.02, update 2005/06/23)
> 11. TrendMicro PC-Cillin 2005 (ver 12.0.1244, engine 7.510.1002, pattern 2.701.00)
> 12. TrendMicro OfficeScan (ver 7.0, engine 7.510.1002, vir pattern 2.701.00 6/23/2005)
> 13. Panda Titanium 2005 (updates 24 June, ver 4.02.01)
> 14. UNA - Ukrainian National Antivirus (ver. 1.83.2.16 kernel v.265)
> 15. Sophos 3.91 (engine 2.28.4, virData 3.91)
>
> IMPORTANT NOTE: Similar vulnerability may exist in many other antivirus\anti-spyware desktop and gateway products. In addition, various "file filter" solutions may be affected as well.
>
> NOT VULNERABLE vendors and software (tested):
>
> 1. F-Secure (updates 24 June, ver 5.56 b.10450)
> 2. Avast (ver. 4.6.655, vir database 0525-5 06/25/2005)
> 3. BitDefender (ver. 8.0.200, update 6/24/2005, engine 7.01934)
> 4. ClamWin (ver. 0.86.1, upd 24 June 2005)
> 5. NOD32 (updates 24 June, ver 2.50.25, vir database 1.1152)
> 6. Symantec Corporate (ver 10.0.0.359, engine 103.0.2.7)
> 7. Norton Internet Security 2005 (ver 11.5.6.14)
> 8. VBA32 (ver 3.10.4, updates 27.06.2005)
> 9. HBEDV Antivir Personal (ver 6.31.00.01, engine 6.31.0.7, vir def 6.31.0.109 6/24/2005)
> 10. Sophos 5 (ver. 5.0.2, vir def 3.93, upd 6/30/2005)
> 11. Sophos 3.95 (engine 2.30.4)
>
> SEVERITY: critical
>
> DESCRIPTION: The problem exists in the scanning engine - in the routine that determines the file type. If some file types (file types tested are .BAT, .HTML and .EML) changed to have the MAGIC BYTE of the EXE files (MZ) at the beginning, then many antivirus programs will be unable to detect the malicious file. It will break the normal flow of the antivirus scanning and many existent and future viruses will be undetected.
>
> NOTE: In my test, I used the EXE headers (MZ), but it is possible to use other headers (magic byte) that will lead to the same effect.
>
> ANALYSIS: Some file types like .bat, .html and .eml can be properly executed even if they have some "unrelated" beginning. For example, in the case of .BAT files - it is possible to prepend some "junk" data at the beginning of the file without altering correct execution of the batch file. In my tests, I used the calc.exe headers (first 120 bytes - middle of the dosstub section) to change 5 different files of existing viruses. In addition, the simplest test of this vulnerability is to prepend only the magic byte (MZ) to the existing malicious file and check if this file is detected by antivirus program.
>
> NOTE, that this is NOT the case where the change of existing virus file resulted in the "broken" detection signature (see details and the test logic in "The Magic of magic byte" article at www.securityelf.org).
>
> WORKAROUND: I did not find any effective one besides patching the vulnerable engine.
>
> CREDITS: The idea for this vulnerability came during discussions with Wayne Langlois at diamondcs.com.au, who hinted that JPEGs could probably be exploited in this way.
>
> TIME LINE:
> July 13, 2005 - Initial vendor notification
> July 16, 2005 - Second vendor notification
> .....Waiting.....Waiting....
> October 24, 2005 - Public disclosure (uncoordinated)
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/