Antivirus, Trojan, Spy ware scanner, Nested file manual scan bypass bug
Antivirus, Trojan, Spy ware scanner, Nested file manual scan bypass bug.
Affected Product (Only tested on...):
Mcafee Virus Scan professional (8.0.0.12)
Norton Antivirus 2003
Kaspersky 4.5x
Ad-Aware (6.0.1.181)
The Cleaner
Risk Level: Medium
Description:
------------
A malicious code can reside in a computer (with users privilege) bypassing
"manual scans" of any Antivirus, Trojan & Spy ware scanners by simply issuing
this command to itself.
cacls.exe hUNT.exe /T /C /P dumb_user:R
If "only execute" permission is set some AV auto-protect engine will also fail
t stop a malicious code execution....By this way... any software?s with even
Admin. privilege can't access this file (hUNT.exe) normally because the only
person who has normal access to this file is "dumb_user"
If the scanner is unable to access the file that is under the security content
of "dumb_user"... the auto-protect engine will also fail to stop a malicious
code from executing. Mostly, a user's HOME directory *only accessible* by the
by the particular user... cauz mostly* permission is set in a way he/she is
only the owner of that directory. In that case, if a malicious code gets copied
in desktop (inside home directory, or the directory that's only* accessible by
the user) the auto-protect engine will also fail to stop a malicious code
execution.
3APA3A (3APA3A[at]SECURITY.NNOV.RU] pointed out another interesting issue...
You still can bypass antiviral protection for manual scans with file encryption
(on-access scanners may impersonate accessing user). This time file can only be
scanned by administrator if administrator is recovery agent.
In manual scan... the scanner runs under the security content of Administrator
who is responsible for scanning the system.... hence the virus goes unnoticed
due to NTFS file permission restriction. But, if the Auto-Protect engine loads
as a kernel driver, the virus gets stopped in the way during execution. But
many trojan, spyware scanner just run with the Administrative privilege, so its
a ISSUE for all those products.
Please follow the procedure & confirm if other antivirus products are
vulnerable as well.
No wonder, there are several false assumptions in windows security
configuration as well, when a JOE administrator could permanently lock himself
up in his own machine.
regards,
Bipin Gautam
http://www.geocities.com/visitbipin/
Disclaimer: The information in the advisory is believed to be accurate at the
time of printing based on currently available information. Use of the
information constitutes acceptance for use in an AS IS condition. There are no
warranties with regard to this information. Neither the author nor the
publisher accepts any liability for any direct, indirect or consequential loss
or damage arising from use of, or reliance on this information.