You do know that anyone can create a new archive format that antiviruses will not detect... Right?
2012/2/2 Michel <kareld...@yahoo.fr> > hello, > > Multiple vendor antivirus .kz archive format evasion/bypass vulnerability. > > DESCRIPTION > .kz is a proprietary archive format from an Asian editor KuaiZip: > http://www.kuaizip.com/en/index.html > This format, similar to lzma, is recent and very rare format type (not > supported yet by most common archivers). > By creating a .kz file archive a remote attacker could send a malicious > payload within this compressed archive to bypass/evade antivirus protection. > The succesful exploitation of this flaw allows attackers to plant a > malicious file on a server or to store unwanted codes (DDOS tools, > keyloguers, rootkit etc) on the intranet or any private network without > being detected by the antivirus solution. > > The vulnerability concerns the incapacity of the scanner engine to inspect > the code within the KuaiZip archive. > Consequently, there is no possibility for the antivirus to detect any > malicious file or payload on any environment: locally/client side, Mail > gateway, web mail, cloud scan etc. > > IMPACT AND LIMITATIONS: > As scanners engines do not support this new archive format, and as most > antivirus are affected, the impact is a high. > As .kz format is currently only supported by KuaiZip archiver, and as most > antivirus will detect the malicious known code once extracted from the > archive, therefore the risk of infection is limited. > > > AFFECTED ANTIVIRUS: > currently most of them! including Norton, Kaspersky, Nod32/Eset, McAfee, > Avira... > > TESTS AND PoC: > > Scans of 2 files on various online multiple antivirus scanners services > like Virustotal and Virscan. > Jotti with hackerdefender rootkit: all scanners bypassed (French > interface: "Rien trouvé" means "Nothing found" ): > > Scanners > [ArcaVir] > 2012-02-02 Rien trouvé > [Frisk F-Prot Antivirus] > 2012-02-01 Rien trouvé > [Avast! antivirus] > 2012-02-02 Rien trouvé > [F-Secure Anti-Virus] > 2012-02-02 Rien trouvé > [Grisoft AVG Anti-Virus] > 2012-02-02 Rien trouvé > [G DATA] > 2012-02-02 Rien trouvé > [Avira AntiVir] > 2012-02-02 Rien trouvé > [Ikarus] > 2012-02-02 Rien trouvé > [Softwin BitDefender] > 2012-02-02 Rien trouvé > [Kaspersky Anti-Virus] > 2012-02-02 Rien trouvé > [ClamAV] > 2012-02-02 Rien trouvé > [Panda Antivirus] > 2012-02-02 Rien trouvé > [CPsecure] > 2012-02-02 Rien trouvé > [Quick Heal] > 2012-02-02 Rien trouvé > [Dr.Web] > 2012-02-02 Rien trouvé > [Sophos] > 2012-02-02 Rien trouvé > [Emsisoft Anti-Malware] > 2012-02-02 Rien trouvé > [VirusBlokAda VBA32] > 2012-02-02 Rien trouvé > [ESET] > 2012-02-02 Rien trouvé > [VirusBuster] > 2012-02-02 Rien trouvé > > http://r.virscan.org/report/dda3f262c01ceb38e08cb67f3109abcd.html > http://r.virscan.org/report/6614b0d24738fe1f0b87e4d26588e9aa.html > > https://www.virustotal.com/file/87b99979701e12e5a349a8875e145bbf46157272a07dde149ddbd0d0c347746c/analysis/1328206676/ > > http://virusscan.jotti.org/fr/scanresult/20295e6bca35855fbac9ffb3490d234787e2d773 > > http://virusscan.jotti.org/fr/scanresult/ac117935136f362f6167bf6f14b1fe3dba7bfe12 > > > Local scan on 3 different PC with 3 different installed antivirus (latest > version): > Kaspersky antivirus 2012, Avira free, Avast free: all vulnerable. > > The two files are two .kz archives: an eicar test file for the first one ( > eicar.com) and HackerDefender rootkit for the second one. > > A package of the test files and local scans screenshots can be found here > (click on "telecharger ce fichier"): > http://dl.free.fr/kAPjT6Gs4 > > NB: It's a .kz archive :) to prevent your antivirus to download the file! > KuaiZip required for extraction! > > > VENDORS RESPONSE: > > Currently only 2 vendors have been contacted: Kaspersky and FSB labs, > mostly because their developpers are in mail contacts. > kareldjag(dog)yahoo.fr > > > Regards > > _______________________________________________ > Full-Disclosure - We believe in it. > Charter: http://lists.grok.org.uk/full-disclosure-charter.html > Hosted and sponsored by Secunia - http://secunia.com/ >
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/