Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Vuln-Dev
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: Multiple Vendor Anti-Virus Software Detection Evasion Vulnerability

from [Andrey Bayora] Network Security [Permanent Link]
Subject: Re: Multiple Vendor Anti-Virus Software Detection Evasion Vulnerability through
Date: Wed, 26 Oct 2005 18:41:39 +0200 
Hi Andreas Marx,

It is ironic that now the AV programs implemented the "smart" file format
checking, but "forgot" about file extensions :)
I think, that "smart" file format checking must be complemented with the
"smart" file extension checking.

Regards,
Andrey Bayora.


----- Original Message ----- 
From: "Andreas Marx" <gega-it@web.de>
To: "Andrey Bayora" <andrey@securityelf.org>; <bugtraq@securityfocus.com>
Sent: Wednesday, October 26, 2005 12:50 PM
Subject: Re: Multiple Vendor Anti-Virus Software Detection Evasion
Vulnerability through




Hi!

Thanks, that's interesting to read. In 2000, I've found and suggested the

following in an article I've written for the Virus Bulletin magazine
<http://www.virusbtn.com> :


"[...] Some scanners do not actually scan all files even when set to "scan

all files" or when the mask "*.*" is used. Most of the time at least some
infected .BAT, .VBS and .COM files will be missed if they have non-standard
extensions. This happens when the scanner checks the file extension, not the
content, in order to scan solely for this kind of virus. It would be a good
idea for vendors to make a "smart" scan to find out the (hopefully) correct
file format. If there is more than one possibility (like ASCII text or a
.COM file), all possible supported formats should be scanned. [...]"


You can find this (Title: "The Usual Suspects ? Part 1", Dec 2000) and

more related articles here:

<http://www.av-test.org/sites/references_papers.php3?lang=en>

cheers,
Andreas Marx
CEO, AV-Test.org
<http://www.av-test.org>



Multiple Vendor Anti-Virus Software Detection Evasion Vulnerability

through

forged magic byte.



AUTHOR: Andrey Bayora (www.securityelf.org)



For more details, screenshots and examples please read my article "The

Magic

of magic byte" at www.securityelf.org . In addition, you will find a

sample

"triple headed" program which has 3 different 'execution entry points',
depending on the extension of the file (exe, html or eml) - just change

the

extension and the SAME file will be executed by (at least) THREE

DIFFERENT

programs! (thanks to contributing author Wayne Langlois from
www.diamondcs.com.au).


______________________________________________________________
Verschicken Sie romantische, coole und witzige Bilder per SMS!
Jetzt bei WEB.DE FreeMail: http://f.web.de/?mc=021193
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  MDKSA-2005:197 - Updated unzip packages fix suid, permissions vulnerabilities., Mandriva Security Team
Next by Date:  MDKSA-2005:186-1 - Updated lynx packages fix remote buffer overflow, Mandriva Security Team
Previous by Thread:  Re: Multiple Vendor Anti-Virus Software Detection Evasion Vulnerability through, Andreas Marx
Next by Thread:  Re: Multiple Vendor Anti-Virus Software Detection Evasion Vulnerability through, mgotts
Indexes:  [Date] [Thread] [Top] [All Lists]