RE: when will AV vendors fix this???

To: "'Bipin Gautam'" <gautam.bipin@xxxxxxxxx>, <full-disclosure@xxxxxxxxxxxxxxxxx>, <bugtraq@xxxxxxxxxxxxxxxxx>
Subject: RE: when will AV vendors fix this???
From: "Thomas D." <whistl0r@xxxxxxxxxxxxxx>
Date: Mon, 7 Aug 2006 20:20:03 +0200
Domainkey-signature: a=rsa-sha1; q=dns; c=nofws; s=beta; d=googlemail.com; h=received:from:to:subject:date:message-id:mime-version:content-type:content-transfer-encoding:x-mailer:thread-index:in-reply-to:x-mimeole; b=cd0gzlm1X+suYroPtnM17z8S+kI5OeLLzfvCrVvECROvVjcyC9swy1B06HWqLdeC6ym9WvDhKr/Tb5XhcjhQEmFeJzpsL6/EpMS1ZKa5HnF6grskmvEMTjHaJdaPKDlzCmDCaDx+llnBGcQ6/IRzH1nKuNXFu1NbtICRetUAEFg=
In-reply-to: <8e5ffb560608050020u3b60d7d6peec1bd16e22d8e1b@xxxxxxxxxxxxxx>
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
Thread-index: Aca6SCw4mFRFuAUNT4qps5Ud4N8vdgABU7uA

> -----Original Message-----
> From: Bipin Gautam
> Sent: Saturday, August 05, 2006 9:21 AM
> Subject: when will AV vendors fix this???
> 
> to keep things simple, let me give you a situation;
> 
> if there is a directory/file a EVIL_USER is willing to hide from
> antivirus scanner all he has to do is fire up a command prompt & run
> the command;
> 
> cacls.exe TORJANED_FILE_OR_DIRECTORY_NAME /T /C /P EVIL_USER:R
> 
> 
> next time EVEN when the administrator starts the antivirus "system
> scan" the TORJANED_FILE_OR_DIRECTORY_NAME   will be effectively
> bypassed as the ownership of the directory is just of the user account
> named; EVIL_USER and the antivirus "manual scan" is running just with
> the privilage of ADMINISTRATOR> 
> 
> by this way a malicious executable can remain hidden in the system
> BYPASSING THE SCAN even when the AV scanner is run by administrator!!!

But I cannot execute this file, becaus I have no access.
If I get access, the anti-virus program will also get access...

So I might be able hide something, but I can't do anything.

Also, to hide something, I have to bypass the autoprotection... You
shouldn't be able to do this...


-- 
Whistl0r

References:
- when will AV vendors fix this???
  - From: Bipin Gautam

Prev by Date: Re: when will AV vendors fix this???
Next by Date: Re: when will AV vendors fix this???
Previous by thread: Re: when will AV vendors fix this???
Next by thread: Re: when will AV vendors fix this???
Index(es):
- Date
- Thread