Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Vuln-Dev
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: Multiple Vendor Anti-Virus Software Detection Evasion Vulnerability

from [Williams, James K] Network Security [Permanent Link]
Subject: Re: Multiple Vendor Anti-Virus Software Detection Evasion Vulnerability through forged magic byte
Date: Thu, 27 Oct 2005 04:03:54 -0400 


Subject: Re: Multiple Vendor Anti-Virus Software Detection 
Evasion Vulnerability through forged magic byte
From: "Andrey Bayora" <andrey () securityelf ! org>
Date: 2005-10-25 3:07:51

[...]

VULNERABLE vendors and software (tested):

[...]

3.  eTrust CA (ver 7.0.1.4, engine 11.9.1, vir sig. 9229)

[...]
DESCRIPTION:

The problem exists in the scanning engine - in the routine that
determines the file type. If some file types (file types tested
are .BAT, .HTML and .EML) changed to have the MAGIC BYTE of the 
EXE files (MZ) at the beginning, then many antivirus programs 
will be unable to detect the malicious file. It will break the 
normal flow of the antivirus scanning and many existent and 
future viruses will be undetected.


Andrey,

Thank you for the report.  

You are effectively altering existing viruses to the point that 
AV scanners do not detect them.  If your altered virus sample 
still executes correctly, you have simply created a new virus 
variant.  If your altered virus sample does not execute properly, 
you have created nothing more than a corrupt virus sample.

Consequently, the issue that you describe is *not* a 
vulnerability issue, but rather just an example of a new variant
that has not yet been added to an AV vendor's database of "known
viruses".

Note that CA eTrust Antivirus, when running in Reviewer mode, 
should already detect these new variants.

Regards,
Ken 
                                                           
Ken Williams ; Dir. Vuln Research 
Computer Associates ; 0xE2941985
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
  • Re: Multiple Vendor Anti-Virus Software Detection Evasion Vulnerability through forged magic byte, Williams, James K <=
Previous by Date:  Re: Mozilla Thunderbird SMTP down-negotiation weakness, Bob Beck
Next by Date:  Re: Mozilla Thunderbird SMTP down-negotiation weakness, Jason Haar
Previous by Thread:  Remote File Inclusion in vCard :), [AT]
Next by Thread:  Remote MySQL User on Cpanel Default installation with blank password, sup3r_linux
Indexes:  [Date] [Thread] [Top] [All Lists]