[Full-disclosure] Re: Av issues
From: bipin gautam (visitbipinyahoo.com)
Date: Wed Mar 16 2005 - 09:00:33 CST
There has been a lot of noise and confusion regarding all the issues reported lately... So, let me sum them up.
Multiple Vendor Antivirus Products Malformed ZIP Attachment Scan Evasion Vulnerability
(Updated March 16, 2005 6:00 GMT)
For the time being, set filter rules in your AV/email gateway to filter out archives with embedded executables (exe, com, pif, scr, cpl etc). Block all types of broken archives and archives with passwords in them.
1). If you create a zip archive with an invalid CRC checksum... some AVs skip the archive, marking it as clean... By this way, you can bypass antivirus gateways and slip in any attachment without the archive being scanned. Moreover, these days... software tools automatically repair a *broken* archive.
2). In the local file header, if you modify the "general purpose bit flag" (7th & 8th byte of a zip archive) with \x2f ie: "\", some AVs skip the file, marking it as clean, because the AV comes to the false assumption that the zip file is encrypted. This was discovered during the analysis of "Multiple AV Vendor Incorrect CRC32 Bypass".
3). If you have a long archive comment in a zip archive, these AVs can't detect a virus embedded in it. I came to know Symantec 8.1 is immune to the bug?
4). In the "local file header" & "data descriptor", if you change the compressed size and uncompressed size to greater than the actual file size, there are many AVs that can't scan the file properly.
Moreover, there are unzip utilities that go into a loop if the file size is changed to ffffffff! Let's hope the less popular AV/Trojan scanners out there don't have such faulty code!
Unzip utilities will successfully extract such an archive with some garbage data (\x00) at the end, "255 bytes" (FORGE the CRC right, first). The garbage data doesn't matter *that* much, because any malicious code can execute without any problem with the garbage at its end. This will successfully bypass AV detection even for known malicious code, "MOST OF THE TIME", if the AV detects "SOME" executable by comparing its total checksum instead of analyzing a particular chunk of code in the code's body. I think it's true for some of those old little (few bytes) viruses. But modern AV engines in most cases don't depend on such a primitive technique to detect a virus, so it shouldn't be "that" big an issue.
5). Another, 5th issue... and I'm feeling lazy to type/describe it now. Have a look at,
...contains a self-extracting archive that will extract the POC named *.eicar.zip. It is better to extract it from the exe archive, as there are some AVs out there that can't even scan an infected file embedded in a self-extracting zip archive! (O;
Names of vulnerable products were gathered from feedback on the Full-disclosure mailing list and some private discussion with others, and are believed to be true. You can run the file through www.virustotal.com, http://virusscan.jotti.org/ or http://sandbox.norman.no/live_4.html and you'll know what I'm talking about. Though I understand they might be using the CLI engine in most cases (if not all), while there are other functionalities in a full AV package that are not in the CLI-based engine. Thanks, "Pedro Bustamante", for reminding me.
Another interesting link is
Dr. Peter Bieringer's advisory.
Disclaimer: The information in the advisory is
believed to be accurate at the time of printing based
on currently available information. Use of the
information constitutes acceptance for use in an AS IS
condition. There are no warranties with regard to this
information. Neither the author nor the publisher
accepts any liability for any direct, indirect or
consequential loss or damage arising from use of, or
reliance on this information.
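As an added example (not code from the original post or from any of the vendors it names), here is a gateway-style pre-filter that implements the "block all types of broken archives and archives with passwords" advice for the four header manipulations described in the post: it parses the ZIP central directory and each local file header itself, recomputes the CRC32 of the decompressed data, and reports every inconsistency instead of trusting the header fields. The MAX_COMMENT threshold, the finding labels and the sample archives are my own choices; the samples are constructed from a benign text entry whose header bytes are overwritten at the offsets the ZIP format defines.

```python
"""Gateway-style ZIP sanity check: parse the headers ourselves and report every inconsistency."""
import io
import struct
import zipfile
import zlib

LOCAL_SIG = b"PK\x03\x04"      # local file header signature
CENTRAL_SIG = b"PK\x01\x02"    # central directory file header signature
EOCD_SIG = b"PK\x05\x06"       # end of central directory record signature
FLAG_ENCRYPTED = 0x0001        # general purpose bit 0: entry is encrypted
FLAG_DATA_DESCRIPTOR = 0x0008  # bit 3: CRC/sizes follow the data, local fields are zero
MAX_COMMENT = 256              # assumption: longer archive comments are suspicious


def check_zip(buf):
    """Return (entry, finding) tuples; an empty list means every header field
    agrees with the data it describes."""
    findings = []
    eocd = buf.rfind(EOCD_SIG)
    if eocd < 0:
        return [("<archive>", "missing end-of-central-directory record")]
    n_entries, _cd_size, cd_off, comment_len = struct.unpack_from("<HIIH", buf, eocd + 10)
    if comment_len > MAX_COMMENT:
        findings.append(("<archive>", "archive comment of %d bytes" % comment_len))
    pos = cd_off
    for _ in range(n_entries):
        if buf[pos:pos + 4] != CENTRAL_SIG:
            findings.append(("<archive>", "central directory entry missing at 0x%x" % pos))
            break
        (c_flags, method, c_crc, c_csize, c_usize, name_len, extra_len,
         cmt_len) = struct.unpack_from("<HH4xIIIHHH", buf, pos + 8)
        local_off = struct.unpack_from("<I", buf, pos + 42)[0]
        name = buf[pos + 46:pos + 46 + name_len].decode("utf-8", "replace")
        pos += 46 + name_len + extra_len + cmt_len
        if buf[local_off:local_off + 4] != LOCAL_SIG:
            findings.append((name, "local header missing at 0x%x" % local_off))
            continue
        (l_flags, _l_method, l_crc, l_csize, l_usize, l_name_len,
         l_extra_len) = struct.unpack_from("<HH4xIIIHH", buf, local_off + 6)
        data_start = local_off + 30 + l_name_len + l_extra_len
        # Either header claiming encryption means the payload cannot be scanned, so it is not "clean".
        if (c_flags | l_flags) & FLAG_ENCRYPTED:
            findings.append((name, "encryption flag set"))
            continue
        # Local header and central directory must agree unless a data descriptor zeroes the local fields.
        if not (l_flags & FLAG_DATA_DESCRIPTOR) and \
                (l_crc, l_csize, l_usize) != (c_crc, c_csize, c_usize):
            findings.append((name, "local header and central directory disagree"))
        # A size running past the central directory, or the 0xffffffff sentinel without ZIP64, is bogus.
        bad = [s for s in (l_csize, c_csize) if s == 0xFFFFFFFF or data_start + s > cd_off]
        if bad:
            findings.append((name, "compressed size 0x%x exceeds the data area" % bad[0]))
            continue
        if method not in (0, 8):
            findings.append((name, "unsupported compression method %d" % method))
            continue
        raw = buf[data_start:data_start + c_csize]
        try:  # method 8 is a raw deflate stream without a zlib wrapper
            payload = raw if method == 0 else zlib.decompress(raw, -15)
        except zlib.error as exc:
            findings.append((name, "cannot decompress: %s" % exc))
            continue
        if len(payload) != c_usize:
            findings.append((name, "uncompressed size %d, header says %d" % (len(payload), c_usize)))
        if zlib.crc32(payload) != c_crc:
            findings.append((name, "CRC32 mismatch"))
    return findings


def make_sample(comment=b""):
    """Constructed benign archive: one deflated text entry, optional comment."""
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("readme.txt", b"hello " * 100)
        zf.comment = comment
    return out.getvalue()


def patched(buf, offset, fmt, value):
    """Copy of buf with one header field overwritten (constructed test input)."""
    out = bytearray(buf)
    struct.pack_into(fmt, out, offset, value)
    return bytes(out)


def sample_findings():
    """Run the check over constructed archives, one per issue in the post."""
    clean = make_sample()
    cd = struct.unpack_from("<I", clean, clean.rfind(EOCD_SIG) + 16)[0]  # central dir offset
    samples = {
        "clean": clean,
        "bad_crc": patched(patched(clean, 14, "<I", 0xDEADBEEF), cd + 16, "<I", 0xDEADBEEF),  # issue 1
        "fake_encrypted": patched(clean, 6, "<H", FLAG_ENCRYPTED),  # issue 2: local flag bit 0
        "long_comment": make_sample(b"A" * 4096),                   # issue 3
        "oversized": patched(clean, 18, "<I", 0xFFFFFFFF),           # issue 4: local compressed size
    }
    return {label: check_zip(buf) for label, buf in samples.items()}
```

In a gateway, any non-empty findings list is a reason to quarantine the attachment rather than hand it to the scanner as a normal archive, which is exactly the "block broken archives" rule above. The check deliberately trusts neither header copy: the CRC is recomputed from the decompressed bytes, sizes are bounded by the position of the central directory, and an encryption bit in either header is a finding by itself. ZIP64 and multi-disk archives are out of scope for this example.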