<<< Date Index >>>     <<< Thread Index >>>

Anti-Virus Malformed ZIP Archives flaws [UPDATE]



Dear List,

3 month have passed since it has been reported that some AntiVirus
engines have flaws in regards to scanning malformed ZIP archives.
This is an update on the situation and hopefully a wake up call
for some vendors.

3 month have passed and a few Anti-Virus engines _still_ are
"vulnerable" to this flaw. They either fail to detect the EICAR
string or Sober (worm) correctly in malformed ZIP archives. It should be
noted the malformed ZIP Archives open up correctly using common
ZIP tools.

Original Advisory :
ftp://ftp.aerasec.de/pub/advisories/unfiltered-escape-sequences/
2005 AERAsec Network Services and Security GmbH - Dr. Peter Bieringer

http://bipin.sosvulnerable.net/crc.html
Several Other flaws in Regards to malformed ZIP Archives.

My Anti-Virus Results from 15/03/2005 :
http://seclists.org/lists/fulldisclosure/2005/Mar/0556.html


Details as of 14/06/2005
************************

Products tested using
http://www.virustotal.com & http://virusscan.jotti.org/ :

AntiVir         6.31.0.5
AVG             718
Avira           6.31.0.5
BitDefender     7.0
ClamAV          devel-20050501
DrWeb           4.32b
eTrust-Iris     7.1.194.0
eTrust-Vet      11.9.1.0
Fortinet        2.32.0.0
Ikarus          2.32
Kaspersky       4.0.2.24
McAfee          4513
NOD32v2         1.1139
Norman          5.70.10
Panda           8.02.00
Sybari          7.5.1314
Symantec        8.0
TheHacker       5.8-3.0
VBA32           3.10.3
ArcaVir
Avast
F-Prot Antivirus

no-escape-sequences-in-filename-eicar.zip
------------------------------------------
Anti-Virus products which failed this test :
Ikarus   2.32    updated on 06.14.2005
Symantec 8.0     updated on 06.13.2005

no-escape-sequences-in-filename-sober.l.zip
------------------------------------------
Failed :
Ikarus 2.32    updated 06.14.2005

unfiltered-escape-sequences-in-filename-eicar.zip
-------------------------------------------------
Failed :
Symantec        8.0
TheHacker       5.8-3.0
Ikarus          2.32

unfiltered-escape-sequences-in-filename-sober.l.zip
---------------------------------------------------
Failed :
TheHacker       5.8-3.0
Ikarus          2.32
AVG             (ONLY ON JOTTI, Test done multiple times)

mixed2-eicar.zip AND mixed3-eicar.zip
---------------------------------------------------
Failed:
Symantec        8.0
TheHacker       5.8-3.0
Ikarus          2.32

mixed4-eicar.zip AND mixed-eicar-1.zip
---------------------------------------------------
Failed:
Ikarus          2.32

eicarcom2.zip
---------------------------------------------------
No Failures.

crc.zip (malformed CRC checksum)
---------------------------------------------------
Failed :
Symantec        8.0
NOD32 (ONLY ON JOTTI, Test done multiple times
       VirusTotal gives : incorrect CRC checksum, the file may be
       damaged)

gpbf.zip (general purpose bit flag hack)
---------------------------------------------------
Failed:
F-Prot Antivirus
Norman Virus Control  (Jotti and VirusTotal)
ArcaVir
Symantec

long_coment.zip (long archive comment)
---------------------------------------------------
Failed :
Avast
AVG Antivirus
Symantec        8.0
DrWeb         (Failed on VirusTotal, successfull on Jotti)


Antigen.zip (fake compressed size and uncompressed size values)
---------------------------------------------------
Failed:
AntiVir
ArcaVir
Avast
BitDefender
ClamAV
Dr.Web
Fortinet
NOD32
Norman Virus Control
VBA32
Sybari             7.5.1314
Symantec           8.0
TheHacker          5.8-3.0
VBA32              3.10.3
McAfee             4513
eTrust-Iris        7.1.194.0
eTrust-Vet         11.9.1.0

(It should be noted that in order to really use this flaw to hide
malware the CRC value should be corrected AFTER changing the
compressed and uncompressed sizes)


eicar_com &#9835;?&#8596;&#9650;§ .com .zip ( test_nav.zip)
----------------------------------------------------
Failed:
ClamAV
F-Prot Antivirus
Fortinet
Norman Virus Control

VirusTotal never managed to show the result for this file.



Regards,
Thierry Zoller
mailto:Thierry@xxxxxxxxxxxx