
Re: Bypass Virus Checking under 95/98/NT


Subject: Re: Bypass Virus Checking under 95/98/NT
From: Eric Chien (echienSYMANTEC.COM)
Date: Tue Dec 28 1999 - 03:03:34 CST


Hello,

In some versions of NAV, the Recycled Bin is excluded by default. This can be
removed by selecting the menu Options | Exclusions. Otherwise, Norton AntiVirus
scans in the Recycle Bin.

If the reporter of the issue is still unable to detect files in the Recycle Bin,
please provide the exact details (version of NAV, definitions date, OS, etc.).
Perhaps there is another configuration problem they are having.

This can be tested by using the EICAR Test String. Copy it to \RECYCLED or
\RECYCLER. Both the Real Time Scanner and the Manual Scanner should trigger.

Thanks,

Eric Chien
SARC

_______________________

Hi everyone,

A trojan can bypass virus checking on both Windows 95 and NT by placing
infected files into the \RECYCLED directory. Both Norton Anti-Virus and
McAfee VirusScan exclude the directory tree under this path. This is
where "Recycle Bin" files reside under Win95. WinNT "Recycle Bin" files
reside in "\RECYCLER".

I was able to create an exploit for this using a BO2K server, one of
those little games that are going around and a special "setup.exe"
program that I wrote for this purpose. I put all three in a WinZip self
extracting installer and customized it to look like a setup program for
the game in question. Also, I named my BO2K server "winsetup.dll" and
XORed its bytes with a randomly chosen value. Not real encryption I
know, but enough to fool the virus checker into passing over it. So we
have a self-extracting installer that passes a virus check with flying
colors and looks real.

When it's executed, my setup program copies the game executable to the
desktop. Granted I could have put it in a directory and made a shortcut,
but this was proof of concept code. Then I check for the existence of
the "\RECYCLED" directory. If it doesn't exist I create it and make it
hidden. By default, and sadly enough, NT (SP5 for the test) allows a
normal user to do this. The setup program then "decrypts" the BO2K
server, writing it into the "\RECYCLED" directory and thereby bypassing
the on-access virus checker. The BO2K server is executed and the setup
program exits. The BO2K server was configured to install itself into the
"..\..\RECYCLED" directory which again bypasses any checks. And there
you have it, a trojan that nicely bypasses the commercial virus checkers
installed on most systems. It also bypasses any perimeter e-mail and
firewall CVS checkers. As a side note, the BO2K server does not show up
in the Recycle Bin and survives an "Empty Bin" request.

If I were really nasty I would have created my setup program and
masqueraded it as the game itself, embedding any needed files in the
body of the executable. It would appear as though it were just the
stand-alone game and not have the tip-off of the installer.

A workaround? Under VirusScan you could remove "\RECYCLED" from the
exclusion list. I did that and it didn't cause any immediate problems,
but I'd like to be optimistic and think the directory is excluded for
some sort of good reason. As opposed to not wanting to deal with the
Recycle Bin's index file, or that, heaven forbid, Microsoft told them to
stay out of there. Do it at your own risk in any event. Under Norton
Anti-Virus, the exclusion for "\RECYCLED" is hidden and cannot be easily
changed as far as I can tell. Hex editor anyone?

So everyone knows I've forwarded a copy of this mail and the exploit to
CERT, AVERT, and SARC. I'm not planning on releasing my exploit. The
code is super trivial and my description should be more than enough for
testing. Lastly, I'd like to acknowledge the efforts of Richard
Chadderton in helping to get the exploit done on time. Thanks Richard!

Best Regards,

Neil Bortnak
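The post above notes that an executable dropped into \RECYCLED or \RECYCLER neither appears in the Recycle Bin nor goes away on "Empty Bin". The following is an added defender-side audit, not code from either poster: it walks those directories, skips the shell's own index files (INFO/INFO2, desktop.ini), and reports anything that carries a PE "MZ" header, which the shell itself would never place there. The drive root, the sample tree and the planted "winsetup.dll" are constructed for the demonstration.

```python
"""Audit Recycle Bin directories for executables the bin itself does not show.

Added example (not from the original thread). Win9x keeps the bin in \\RECYCLED,
NT in \\RECYCLER (with per-user subfolders); the shell tracks recycled entries in an
INFO/INFO2 index, so a PE file there that is not in that index was planted by
something else. On a live system pass the drive root (e.g. "C:\\") as `root`.
"""
import os
import tempfile

RECYCLE_DIRS = ("RECYCLED", "RECYCLER")
INDEX_NAMES = {"info", "info2", "desktop.ini"}   # files the shell itself keeps there


def is_pe_file(path):
    """True if the file starts with the DOS 'MZ' header used by EXE/DLL images."""
    try:
        with open(path, "rb") as f:
            return f.read(2) == b"MZ"
    except OSError:
        return False


def audit_recycle_dirs(root):
    """Return root-relative paths (posix separators) of PE files under any bin directory."""
    findings = []
    for name in RECYCLE_DIRS:
        base = os.path.join(root, name)
        if not os.path.isdir(base):
            continue
        for dirpath, _, files in os.walk(base):       # also covers NT's per-SID subfolders
            for fn in files:
                if fn.lower() in INDEX_NAMES:
                    continue
                full = os.path.join(dirpath, fn)
                if is_pe_file(full):
                    findings.append(os.path.relpath(full, root).replace(os.sep, "/"))
    return sorted(findings)


def build_sample_tree():
    """Constructed sample: a throwaway drive root with a fake bin and one planted DLL."""
    root = tempfile.mkdtemp()
    bin_dir = os.path.join(root, "RECYCLED")
    os.makedirs(bin_dir)
    with open(os.path.join(bin_dir, "INFO2"), "wb") as f:
        f.write(b"\x05\x00\x00\x00" + b"\x00" * 16)     # index stub, not an executable
    with open(os.path.join(bin_dir, "Dc1.txt"), "wb") as f:
        f.write(b"a legitimately recycled text file")
    with open(os.path.join(bin_dir, "winsetup.dll"), "wb") as f:
        f.write(b"MZ" + b"\x90" * 62)                   # planted PE image (header only)
    return root


if __name__ == "__main__":
    for hit in audit_recycle_dirs(build_sample_tree()):
        print("executable outside the bin index:", hit)
```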



This archive was generated by hypermail 2b27 : Wed Dec 29 1999 - 08:14:22 CST