Re: eSafe: Could this be exploited?
Hugo van der Kooij wrote:
> I had a bit of a chat with Aladdin support regarding the odd results I had
> with their network virusscanner (aka: eSafe). (see also:
> http://www.ealaddin.com/esafe/default.asp)
>
> Both as NitroEngine or CVP server they will push as much of 80% to the
> end-user before they stop a virus. ...
This is the common (and obvious as soon as you decide to try to
implement something like this) "how do we keep the client from timing
out" problem? After all, unlike SMTP with its inherently "store and
forward" mechanisms introducing several natural "pauses" during the
transport of content, HTTP (like most other Internet protocols) is
considerably more "real time"...
Another approach to solving this problem involves the use of some kind
of agent at the client end. Of course, that requires a greater degree
of management and reduces the utility of the scanning service to those
machines that are running the agent and otherwise properly
configured...
> ... Then they rely on the adding of the
> exact URL so that URL can be blocked in all next requests.
>
> If it is a first time hit you can get as much as 80% of the payload on
> your machine and while they may reset the tcp stream at least IE does
> store the 80% chunk as if the file was transfered correctly. (This part I
> tested with over 30 different virus files.)
>
> First off this is extremely confusing to the user who just thinks (s)he
> just had a virus passing their scanner. (And they are about 80% right.)
>
> Then the chunk may contain enough to trigger another scanner which may
> reside on the desktop of said user adding further to the belief this is
> not a good product.
>
> But what if I were to write a really small harmfull virus (say less then 2
> ethernet packets)? Or create it in such way that the last 20 to 25% is
> expendible without loosing it's sting?
>
> Is someone able to verify such a virus may work? (I am not a programmer so
> I can think of the potential breach but I can't verify it is exploitable.)
In the Windows malware world there are some very small downloaders --
Windows executables around the 4-5KB size range (and a few even
smaller).
Also, there are several quite widespread viruses that pad their .EXE
files out with random amounts of random junk. The Windows PE loader
simply ignores additional "junk" on the end of a file ("extra" as
judged by what the PE headers say should be there). Whether any of
these use as much as 20-25% padding I'm not sure (but suspect _not_) --
for now it seems that this technique is used because the virus writers
seem to believe they'll bypass some useful proportion of content
blocking gateways because the attachments of these viruses do not have
constant CRC/MD5/etc (any gateway that is fooled by such a simple trick
really should not be in production, so I guess there are probably only
a few thousand such gateways out there...).
> I have a felling it is just a matter of time before such a scanner will be
> bypassed.
All scanners will always be (able to be) bypassed by something. When
you look at all the tricks the malware writers can use and that a
scanner has to work around, you quickly realize that scanning is
inherently inefficient. To beat this the scanner developers implement
all kinds of heuristics and shortcuts and imperfect "optimizations" to
get performance back to acceptable levels. Each scanner is chock full
of tons of really, really fugly stuff you'd have kittens over if you
knew. The reason the scanner developers "get away with it" is because
each does it differently -- the fuglies in NAV are mostly entirely
different fuglies from those in the McAfee products which in turn are
entirely different from those in all the other products. (BTW, this is
the primary reason why MS entering the AV market -- at least with an
"integrated" or "built-in" virus scanner -- is a chronically stupid
idea as then one set of AV stupidities will be really, really
widespread and common, so researching and targeting just those
weaknesses will be especially worthwhile for the VXers. And, if that
happens, MS will have to remove more and more of the shortcuts in its
scanner, making it slower and slower and slower...)
So, all scanners are bypassable, but this seems a rather obvious bypass
for this general approach to "web scanning".
--
Nick FitzGerald
Computer Virus Consulting Ltd.
Ph/FAX: +64 3 3529854