[Full-disclosure] Re: when will AV vendors fix this???

2006-08-14 Thread Andreas Marx
At 22:35 07.08.2006, Paul Schmehl wrote:

[...]
> This is similar to the problem of alternative data streams. Essentially, the 
> work needed to solve this problem isn't worth the expenditure of time and 
> effort, because the file, in order to infect the system, has to be executed.  
> Once the file is executed "normal" on-access scanning will catch the exploit 
> *if* it is known.  (If it's unknown, it doesn't matter anyway.)  Yes, 
> on-demand scanning won't "see" the file, but even malicious files are benign 
> until they are run.
[...]

No, that's not the case. The on-access scanner *might* be able to catch the malware 
(if it's a known variant), but it could be that the scanner is missing the 
file, depending on its implementation. The same applies to the on-demand 
scanner: it might or might not detect it, even if the *known* malware can still 
run on a system, as many tricks exist to get the file executed. Here are two 
articles showing this with ADS, including some test results:

Dangers from the Twilight Zone | Alternate Data Streams can still be hiding 
places for malware
Microsoft's NTFS file system supports Alternate Data Streams to store 
additional information about a file. Malware can lurk in such streams. 
Nonetheless, a year and a half after the first ADS test of 18 virus scanners 
still not all of them reliably detect malware in ADS. [...]
<http://www.heise-security.co.uk/articles/74892>

Danger from the Shadow World, Part 2 | Alternate Data Streams as a hiding place for 
malware
Microsoft's NTFS file system supports Alternate Data Streams to store additional 
information about a file. Malware can also hide in such streams. A year and a half 
after the first ADS test of 18 virus scanners, however, still not all products 
reliably detect malware in ADS.
<http://www.heise.de/security/artikel/74641>


cheers,
Andreas Marx
CEO, AV-Test.org

<http://www.av-test.org>


___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


[Full-disclosure] Re: Multiple Vendor NTFS Data Stream Malware Stealth Technique

2006-06-06 Thread Andreas Marx
Hi,

besides the fact that it is always a good idea to notify vendors which might be 
affected *in advance* before releasing information like this, it's indeed 
nothing new.

You can find a more comprehensive review of AV products here:
<http://www.heise.de/security/artikel/52139/2>

This list should be updated anytime soon, to cover more products and also newer 
versions of these products.

ADS can be a problem, due to this:
<http://www.heise.de/security/artikel/52139/0>

In short, you can hide an application in an ADS using this command:
"type secret_tool.exe > c:\boot.ini:foo.exe"

You can still execute it using the following syntax:
"start c:\boot.ini:foo.exe"

While some AV products might not be able to find this file during an on-demand 
virus scan, most will alert the user as soon as someone tries to start the 
file. It looks like such hidden files can only be started when they are in 
the Windows PE EXE file format. I was not able to start VBS script files or the 
"Eicar test file" this way.

This means you might have hidden a working virus, but after your conversion, 
it was no longer working. When you copy & paste Loveletter.A (a VBS file) into a 
Word DOC file, do you think AV products should still flag this DOC file, even 
if it's no longer working (as it cannot be executed in such a format)...?

cheers,
Andreas Marx

CEO, AV-Test GmbH
http://www.av-test.org
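Both ADS posts above make the same defender's point: an on-demand scan that only walks the unnamed stream of each file will never see `c:\boot.ini:foo.exe`, and only PE images hidden this way were startable. The following PowerShell script is an added example for this page, not code from the original posts or from AV-Test. It enumerates the alternate streams of every file below a directory and reports which of them begin with the PE "MZ" header, so an administrator can check a system for exactly the kind of hidden executable the thread describes. It assumes an NTFS volume, Windows PowerShell 5.1 (for `Get-ChildItem -Depth`, `Get-Item -Stream` and `Get-Content -Encoding Byte`; on PowerShell 7 replace `-Encoding Byte` with `-AsByteStream`), and read access to the scanned files; the function name `Get-AlternateDataStreams` and the `MaxDepth` parameter are this example's own.

```powershell
# Added example, not from the original posts or from AV-Test: list NTFS
# alternate data streams under a directory and flag any stream that carries
# a PE executable ("MZ" header), the only kind the thread found startable.
# Assumptions: NTFS volume, Windows PowerShell 5.1; on PowerShell 7 use
# -AsByteStream instead of -Encoding Byte. Read access to the scanned files.

function Get-AlternateDataStreams {
    param(
        [Parameter(Mandatory)] [string] $Path,   # directory to walk
        [int] $MaxDepth = 2                      # recursion limit (hypothetical default)
    )

    # -Force includes hidden/system files such as boot.ini.
    Get-ChildItem -LiteralPath $Path -File -Recurse -Depth $MaxDepth -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file = $_
            # Every file has the unnamed ':$DATA' stream; anything else is an alternate stream.
            Get-Item -LiteralPath $file.FullName -Stream * -ErrorAction SilentlyContinue |
                Where-Object { $_.Stream -ne ':$DATA' } |
                ForEach-Object {
                    $streamName = $_.Stream
                    # Read only the first two bytes of the stream; a PE image starts with "MZ" (0x4D 0x5A).
                    $head = @(Get-Content -LiteralPath $file.FullName -Stream $streamName `
                                -Encoding Byte -TotalCount 2 -ErrorAction SilentlyContinue)
                    [pscustomobject]@{
                        File        = $file.FullName
                        Stream      = $streamName
                        SizeBytes   = $_.Length
                        LooksLikePE = ($head.Count -eq 2 -and $head[0] -eq 0x4D -and $head[1] -eq 0x5A)
                        # Zone.Identifier is the browser "mark of the web"; it is expected on downloads.
                        MarkOfWeb   = ($streamName -eq 'Zone.Identifier')
                    }
                }
        }
}

# Usage: show every PE-looking alternate stream below C:\ two levels deep.
Get-AlternateDataStreams -Path 'C:\' -MaxDepth 2 |
    Where-Object { $_.LooksLikePE } |
    Format-Table -AutoSize
```

The script reports rather than deletes, because many alternate streams are legitimate (the `Zone.Identifier` mark-of-the-web stream on downloaded files is the common case, which is why it is labelled separately). For a quick manual check without the script, `dir /r` in cmd.exe and the Sysinternals `streams` tool list the same stream names, but neither looks at the stream contents, which is what distinguishes a stored PE image from harmless metadata.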



[Full-disclosure] Cross Reference List of Virus and Worm Names available

2005-08-25 Thread Andreas Marx

Hello!

Every vendor of anti-virus software has a different naming convention and even 
the same virus or worm could have a completely different name in a product of 
another company.

To reduce the current number of problems, we have created a cross-reference 
list of all virus names, based on the WildList 06/2005.

You can find the Excel sheet here (106 KB ZIP):
<http://www.av-test.org>

The WildList 06/2005 can be found here:
<http://www.wildlist.org/WildList/200506.htm>

A couple of products haven't found all viruses and worms. In this case, you'll 
see a "-" for a non-detected sample. For example, ClamAV missed 92 out of the 
679 tested malware files (that's only an 86% WildList detection rate).

cheers,
Andreas Marx
CEO, AV-Test.org
http://www.av-test.org



[Full-disclosure] AV Reaction Times of the latest MS05-039-based Worm Attacks

2005-08-24 Thread Andreas Marx

Hello!

You can find information on how fast the AV companies have reacted with a 
solution against Bozari.A/B, Drudgebot.B, IRCBot!Var and Zotob.A/B in an Excel 
sheet (18 KB ZIP file) which is available at <http://www.av-test.org>. 
Furthermore we have checked how many AV products haven't required an update in 
order to deal with these threats.

We have covered the following worms and variants:
- Win32/Bozari.A (10 outbreak reports)
- Win32/Bozari.B (1 outbreak report)
- Win32/Drudgebot.B (3 outbreak reports)
- Win32/IRCBot!Var (2 outbreak reports)
- Win32/Zotob.A (4 outbreak reports)
- Win32/Zotob.B (3 outbreak reports)

We used the following rules for the formatting (XLS sheet):
- Italic font = proactive/heuristic detection (in general: a detection without 
updates)
- Bold font = first detection (first name) of the worm
- Normal font = subsequent names used for the worm (e.g. second name, third 
name...)

Two magazine reviews have been published which are based on this data:
- PC Magazine - heuristic test results: 
<http://www.pcmag.com/article2/0,1895,1850847,00.asp>
- PC WELT (Germany) - response times: 
<http://www.pcwelt.de/news/sicherheit/118264/index.html>

Of course, we know that the problem related to MS05-039 is not primarily an AV 
problem, but something for (Personal) Firewalls, IDS/IPS systems and better 
patch management. :-)

cheers,
Andreas Marx
CEO, AV-Test.org
http://www.av-test.org



[Full-disclosure] Re: Secunia Research: HAURI Anti-Virus Compressed Archive Directory Traversal

2005-08-21 Thread Andreas Marx

Hi!

I'm sorry, but you were not the first one who noticed this kind of problem. :-)

I've discovered the same type of problems much earlier and reported them to the 
vendor several times. However, Hauri *never* responded to our inquiries. When I 
was calling them, they at least acknowledged that they got my mails, but 
nothing has happened since. You can find more details about the issue in 
the following article:

"Durchleuchter - 16 Virenscanner für Windows", Andreas Marx & Axel Vahldiek, 
c't 01/2005, page 128pp. (10 pages)

The tests for this article were performed in November and December 2004. There 
are a lot more vulnerabilities in this product, e.g. everyone can get 
Administrator rights on a "protected" PC very easily. A good number of the 
problems are described in the above article for the German c't magazine, too.

BTW: It's interesting to see that you have tested *exactly* the same kind of 
archive files we've used in the c't review...

cheers,
Andreas Marx
CEO, AV-Test.org
http://www.av-test.org
