[ISN] Evasion bug bites virus shields

From: InfoSec News (isn@private)
Date: Mon Oct 31 2005 - 22:05:52 PST


http://news.com.com/Evasion+bug+bites+virus+shields/2100-1002_3-5924738.html

By Joris Evers 
Staff Writer, CNET News.com
October 31, 2005 

A flaw in several virus scanners could let a malicious file evade
detection, a security researcher has warned. But some in the industry
dispute that it's a bug.

By adding some data to a file, an attacker could trick virus scanners
into letting a malicious executable file pass through, security
researcher Andrey Bayora wrote in an advisory [1]. The problem lies in
the scanning engine, which won't detect files that have the extra
data.  Bayora refers to that extra data as the "Magic Byte."

The problem affects numerous antivirus products, including software
from Trend Micro, McAfee, Computer Associates and Kaspersky Lab,
according to Bayora, who works as a computer security consultant in
Israel. His advisory also lists several products that are not
affected, including software from Symantec, F-Secure and BitDefender.

"This is one of the most significant antivirus vulnerabilities of
recent times as it affects the majority of scanner software," Bayora
wrote in an article on his Web site that details the issue [2].

Bayora originally disclosed details of the flaw on Oct. 24. Since
then, the topic has been the topic of lively discussions on the
popular Full Disclosure mailing list.

The issue is further evidence that researchers are increasingly
looking for holes in security products [3]. Protective technology is
commonly installed on PCs, servers, network gateways and mobile
devices. As security software becomes more widespread, it becomes a
more attractive target to cybercriminals [4], experts have said.

But in this case, what Bayora calls out as a vulnerability in virus
scanning engines, some in the industry see as inherent to
signature-based protection of antivirus software.

"It's not a real security vulnerability, as this is the way antivirus
scanners work: If someone creates a new malware, the antivirus
industry will create a new signature for it," said Andreas Marx, an
antivirus software expert at the University of Magdeburg in Germany.  
"This way always leaves a detection and protection gap."

The signatures in antivirus software are like a dictionary of known
viruses. The virus-scanning process looks for matches against that
dictionary. If a new threat is found, a signature is added.

Bayora actually created a variant of a virus, said Ken Williams, a
representative of Computer Associates. "Modifying a virus to the point
where it is no longer detectable does not qualify as a vulnerability.
Most viruses are modified in this way over time on a regular basis,
and CA treats this as a new virus variant," he said in a statement.

But Kaspersky and Trend Micro do see the Magic Byte issue as a
software flaw and are offering updates to fix it.

"A patch for affected products is currently being tested and should be
available within a week," Kaspersky said in a notice on its Web site.  
Trend Micro has addressed the "potential vulnerability" in the latest
version of its virus pattern files, a representative said in an
e-mailed statement.

According to Trend Micro, the problem in its product is limited to one
specific type of potential virus file that typically would be blocked
in most enterprises e-mail systems and would need to be executed
manually. Bayora in a posting to a security mailing list identified
that file type as a batch, or .bat, file.

McAfee did not respond to requests seeking comment for this story.

[1] http://www.securityelf.org/magicbyteadv.html
[2] http://www.securityelf.org/magicbyte.html
[3] http://news.com.com/Antivirus+insecurity+at+Black+Hat+confab/2100-7355_3-5805750.html
[4] http://news.com.com/Security+tools+face+increased+attack/2100-1002_3-5754773.html



_________________________________________
InfoSec News v2.0 - Coming Soon! 
http://www.infosecnews.org 



This archive was generated by hypermail 2.1.3 : Mon Oct 31 2005 - 22:12:59 PST