Network Security Focus-Virus

Antivirus programs and Exploits

From: Andrei Saygo
Date: Fri, 6 Oct 2006 11:01:27 +0300 (EEST)
Antiviruses and Exploits
- case study -


Subject:
It's about exploits and how antiviruses can defend computers against them
until a patch is released.

As an example I've selected CVE-2006-3730:
http://secunia.com/advisories/22159/
http://www.microsoft.com/technet/security/advisory/926043.mspx

I did a short study with the Proof of Concept (PoC) code that can be found
here:
http://browserfun.blogspot.com/2006/07/mobb-18-webviewfoldericon-setslice.html


Samples:
The original PoC HTML file and two other versions of it that I modified.


Virus signatures:
The signatures that were available at 9:30 AM GMT+2, 06 Oct. 2006.


Antiviruses:
Since I've used only a few scanning engines, it wouldn't be fair to mention
only some of them, and I don't want to spoil your fun of discovering if/how
your current AV detects the exploit.


How the test was made:
From the original HTML file I created another two: one that was just
slightly modified and one that had garbage functions/comments. I didn't use
a garbage generator, just what someone could write in ~30 seconds. After
that I verified whether the exploit remained the same (with OllyDbg v1.10)
and whether they could still crash Internet Explorer
6.0.2900.21800.xp_sp2. They did!
Then I scanned the folder containing those three files with every
antivirus I had installed (freeware/trial versions) and compared the
results.


The result:
Some of the AVs did not even detect the original PoC code.
Others picked it up and even detected the one with minor modifications.
Unfortunately, none of the AVs I tested detected the third file, the one
with garbage functions/comments.

Conclusions:
Even though antiviruses are struggling to protect users from different
kinds of exploits, they can assure only minimal security until a patch is
released for the security flaw.
I will not discuss here what needs to be added to antivirus engines in
order to recognize exploits no matter how the samples are modified,
because it's not the purpose of this article.
The security of systems can be increased by adding more filtering layers
that can detect modified variants of 0-day exploits, but even this will
not assure 100% protection. So the main idea is to use as many security
layers as possible in order to achieve a higher level of security.


---
If anyone is interested in the modified samples, my e-mail address is:
asaygo@as.ro / andrei.saygo@gmail.com
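The following Python script is an added example and is not part of Andrei's post, nor is it the CVE-2006-3730 PoC: the HTML samples are constructed placeholders in which a made-up `vulnerableMethod` call stands in for the real triggering call. It reproduces the shape of the experiment described above: three sample kinds (original, minor edit, garbage comments/functions), a cheap check that the triggering call's arguments survive each edit, and three detectors of increasing robustness run over the set. The detector names, the `normalize` routine and the regexes are all assumptions for illustration, not any vendor's engine.

```python
"""Signature robustness against trivially modified samples.

Added example, not part of the original post. The HTML below is a
constructed placeholder: `vulnerableMethod` stands in for the real
triggering call and nothing here is the CVE-2006-3730 PoC.
"""
import hashlib
import re

# --- Samples (constructed) ---------------------------------------------------

ORIGINAL = """<html><head><title>poc</title></head><body>
<object id="target"></object>
<script>
var obj = document.getElementById("target");
obj.vulnerableMethod(1, 2, 3);
</script>
</body></html>
"""

# Minor edit: a changed title and an extra blank line, script block untouched.
MINOR = (ORIGINAL
         .replace("<title>poc</title>", "<title>test page</title>")
         .replace("</object>\n", "</object>\n\n"))

# Garbage edit: HTML/JS comments and unused functions of the kind anyone
# could type in half a minute, with comments pushed into the triggering line.
JUNK = """<html><head><title>poc</title></head><body>
<!-- nothing interesting on this page -->
<object id="target"></object>
<script>
// helper that is never called
function pad(s) { return s + " "; }
/* second unused helper */
function noop() { return 0; }
var obj = document.getElementById("target");
obj /* junk */ .vulnerableMethod(1, /* more junk */ 2, 3);
</script>
</body></html>
"""

SAMPLES = {"original": ORIGINAL, "minor": MINOR, "junk": JUNK}

# --- Detectors of increasing robustness (assumed, for illustration) ----------

KNOWN_HASH = hashlib.sha256(ORIGINAL.encode()).hexdigest()


def detect_by_hash(sample: str) -> bool:
    """Whole-file hash: matches only the byte-identical original."""
    return hashlib.sha256(sample.encode()).hexdigest() == KNOWN_HASH


# A fixed byte string lifted from the original's script block.
BYTE_SIGNATURE = "obj.vulnerableMethod(1, 2, 3);"


def detect_by_substring(sample: str) -> bool:
    """Byte-string signature: survives edits elsewhere in the file but not
    a single comment or whitespace change inside the signed line."""
    return BYTE_SIGNATURE in sample


def normalize(sample: str) -> str:
    """Strip HTML comments, JS block and line comments, and all whitespace.
    Deliberately simple: a '//' inside a string literal or URL would also be
    treated as a comment, which a real engine would have to tokenize around."""
    s = re.sub(r"<!--.*?-->", "", sample, flags=re.S)
    s = re.sub(r"/\*.*?\*/", "", s, flags=re.S)
    s = re.sub(r"//[^\n]*", "", s)
    return re.sub(r"\s+", "", s)


CALL_PATTERN = re.compile(r"\.vulnerableMethod\(([^)]*)\)")


def trigger_args(sample: str):
    """Argument list of the triggering call after normalization, or None.
    Equal values across variants are the cheap stand-in for the author's
    'does the exploit still behave the same' check done in the debugger."""
    m = CALL_PATTERN.search(normalize(sample))
    return m.group(1) if m else None


def detect_normalized(sample: str) -> bool:
    """Normalize first, then look for the triggering call: unaffected by
    comments, whitespace and unused junk functions."""
    return trigger_args(sample) is not None


def scan_all() -> dict:
    """Run every detector over every sample, like scanning the folder."""
    detectors = {"hash": detect_by_hash,
                 "substring": detect_by_substring,
                 "normalized": detect_normalized}
    return {name: {d: fn(text) for d, fn in detectors.items()}
            for name, text in SAMPLES.items()}


if __name__ == "__main__":
    for name, hits in scan_all().items():
        flags = ", ".join(f"{d}={'HIT' if v else 'miss'}" for d, v in hits.items())
        print(f"{name:9s} args={trigger_args(SAMPLES[name])!r}  {flags}")
```

Run stand-alone, it prints one line per sample. The hash detector hits only the original, the byte-string signature also hits the minor variant, and only the normalizing detector hits the garbage variant, which is the pattern the post reports: the first two are what a pure signature lookup can do, the third is the kind of extra filtering layer the conclusions call for, and even it is only as good as its normalizer (the `//` caveat in `normalize` is one way to break it).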




