
List:       bugtraq
Subject:    Re: [Full-disclosure] Multiple Vendor Anti-Virus Software Detection Evasion Vulnerability through for
From:       Bipin Gautam <gautam.bipin () gmail ! com>
Date:       2005-10-28 12:05:42
Message-ID: 8e5ffb560510280447ub0388dcv61a89b73d6c4a4ac () mail ! gmail ! com

> Consequently, the issue that you describe is *not* a
> vulnerability issue, but rather just an example of a new variant
> that has not yet been added to an AV vendor's database of "known
> viruses".
Yep, maybe, but I consider this issue equivalent to the 'classic issue' of
adding NOPs to shellcode to bypass IDS/IPS. You aren't going to add every
possible combination as a signature!

> Instead of behaviour analysis, most AV vendors choose utterly stupid PE
> section fingerprints, defeated by adding a few bytes. Go figure. Of
> course this is no vulnerability, it's a feature!
Does CA eTrust Antivirus run in Reviewer mode by default? (Sorry, I haven't
tried any AV lately.)
-------------
> My theory on this is simple:
> - ALL files can't be analysed the same way by AV engines (due to speed
>   issues). (In other words, not all analyses/fingerprints are applied to
>   every file.)
> The solution was to make the engines a bit "smarter", i.e. analyse the
> header to determine the type and then ONLY apply the signatures/heuristics
> which apply to the type of the file (I am not speaking about the extension
> of the file here), thus speeding up the process. Changing the header
> just makes the smart engines look... well... a bit dumb in my regards.
------

> The AV vendors aren't going to patch their products if they
> don't detect your PoC; they're just going to write a new
> signature or modify an existing signature to detect your
> new variants.  The fact that it can and will be fixed by
> AV signatures instead of product patches should help you
> figure out if this is a product vulnerability issue or just
> a "new virus variant" issue.
-------------
Variant, huh?
	My definition of 'variant' is rather straightforward, and it sure isn't a
'universal trick' that can be used to modify any malicious executable (which
has a known AV signature), by an 8-year-old with zero programming knowledge or
by using any special tools, to make it undetectable later. Admit it... AV
vendors aren't going to double/triple their AV definitions to detect all such
possible variants. Come on, is the execution point of ANY instruction code or
program flow being changed?
> There are two types of people in the world:  those who
> complain about problems, and those who find solutions to
> problems.  Where's your superior AV scanner?
Lastly, yep, I also feel there are two types of people in the world: one who
gives answers to a question and the other who asks another question AS the
answer to the previous question.

-best regards,
Bipin Gautam
Zeroth law of security: The possibility of poking a system from lower
privilege is zero unless & until there is a possibility of direct, indirect
or consequential communication between the two...
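The type-gated scanning that the quoted "theory" in the message above describes, written out as an added example that is not part of this thread and not any vendor's engine: a toy Python scanner sniffs the first two header bytes, applies only the signatures registered for that type, and so misses an unchanged body once the header is altered, while a type-agnostic scan over the same bytes still matches. The same block also shows the NOP analogy from the reply: one byte inserted into the matched region breaks an exact-byte signature even for the ungated scan. The signature name, marker bytes, and sample "files" are all constructed for illustration.

```python
# Toy model of type-gated versus type-agnostic signature scanning
# (constructed example; the signature database and sample files are made up).
from dataclasses import dataclass


@dataclass(frozen=True)
class Signature:
    name: str          # hypothetical detection name
    pattern: bytes     # exact byte sequence the scanner looks for
    applies_to: str    # file type the signature is gated on ("pe" or "any")


# Constructed marker bytes that the single toy signature matches on.
MARKER = b"\xeb\xfe\x90\x90TOYMARK"

# Constructed signature database: one signature that only runs on PE files.
SIGNATURES = [
    Signature("Toy.PE.Marker", MARKER, "pe"),
]


def sniff_type(data: bytes) -> str:
    """Classify by the first two header bytes only, as the 'smart' engine does."""
    return "pe" if data[:2] == b"MZ" else "unknown"


def scan_gated(data: bytes) -> list:
    """Type-gated scan: run only the signatures that apply to the sniffed type."""
    ftype = sniff_type(data)
    return [s.name for s in SIGNATURES
            if s.applies_to in (ftype, "any") and s.pattern in data]


def scan_ungated(data: bytes) -> list:
    """Type-agnostic scan: run every signature against every file."""
    return [s.name for s in SIGNATURES if s.pattern in data]


def build_sample(header: bytes, body: bytes = MARKER) -> bytes:
    """Constructed 'file': a two-byte header, zero padding, the body, more padding."""
    return header + b"\x00" * 62 + body + b"\x00" * 16


# The same body three ways.
ORIGINAL = build_sample(b"MZ")                    # header says PE, marker intact
MANGLED = build_sample(b"ZM")                     # header changed, body untouched
NOP_VARIANT = build_sample(b"MZ", MARKER[:4] + b"\x90" + MARKER[4:])  # one NOP added


def demo() -> dict:
    """Return what each scanner reports for each sample."""
    return {
        "original gated": scan_gated(ORIGINAL),          # ['Toy.PE.Marker']
        "mangled gated": scan_gated(MANGLED),            # []  header no longer says PE
        "mangled ungated": scan_ungated(MANGLED),        # ['Toy.PE.Marker']
        "nop variant ungated": scan_ungated(NOP_VARIANT),  # []  exact pattern broken
    }


if __name__ == "__main__":
    for label, hits in demo().items():
        print(f"{label:22s} {hits}")
```

Running it prints the asymmetry the post complains about: the gated scanner drops the detection as soon as two header bytes change, although the bytes the signature matches are still there, and the ungated scanner loses the NOP variant because an exact-byte signature cannot enumerate padding variants. Real engines parse far more of the PE structure than two bytes and layer heuristics on top, so the toy only models the gating decision itself, not any product.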


