Bipin Gautam wrote:
> Hello list,
>
> This is actually a DESIGN BUG of MOST (ALL?) antivirus & trojan scanners. (ROOTKIT SCANNERS already DO THIS.) This issue is MORE THAN 1 YEAR OLD, but I see no fix till now! Lately I've ONLY tested it on the following AVs & a few other spyware scanners & saw it's still NOT fixed:
>
> Kaspersky Anti-Virus 6.x (latest)
> BitDefender 9 Professional Plus (latest)
> NOD32 (latest)
>
> OS tested: WinXP SP2
>
> To keep things simple, let me give you a situation: if there is a directory/file an EVIL_USER is willing to hide from the antivirus scanner, all he has to do is fire up a command prompt & run the command:
>
> cacls.exe TROJANED_FILE_OR_DIRECTORY_NAME /T /C /P EVIL_USER:R
>
> Next time, EVEN when the administrator starts the antivirus "system scan", TROJANED_FILE_OR_DIRECTORY_NAME will be effectively bypassed, as the ownership of the directory is just of the user account named EVIL_USER, and the antivirus "manual scan" is running just with the privilege of ADMINISTRATOR.

This is similar to the problem of alternative data streams. Essentially, the work needed to solve this problem isn't worth the expenditure of time and effort, because the file, in order to infect the system, has to be executed. Once the file is executed, "normal" on-access scanning will catch the exploit *if* it is known. (If it's unknown, it doesn't matter anyway.) Yes, on-demand scanning won't "see" the file, but even malicious files are benign until they are run.
-- Paul Schmehl (pauls@xxxxxxxxxxxx) Adjunct Information Security Officer The University of Texas at Dallas http://www.utdallas.edu/ir/security/
Attachment:
smime.p7s
Description: S/MIME Cryptographic Signature
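The cacls trick quoted above, reproduced on a scratch file so the effect can be observed, plus the two checks a responder or scanner author would want. This is an added example, not code from either poster: the path C:\Temp\acltest, the file name payload.bin and the local account "eviluser" are assumptions for the demo, and the script must be run from an elevated PowerShell on a Windows box where that account exists. The /P switch in cacls replaces the whole ACL, which is why Administrators and SYSTEM lose their entries; the script does the same through the .NET ACL classes. The remedy noted at the end (a reader holding SeBackupPrivilege opens with FILE_FLAG_BACKUP_SEMANTICS, which NTFS honours regardless of the DACL) is the standard mechanism backup tools use and is how a scanner can read such files without taking ownership.

```powershell
# Added example (not from the original post). Assumed names: the scratch
# directory, the file, and the local account 'eviluser'. Run elevated.
$dir   = 'C:\Temp\acltest'
$file  = Join-Path $dir 'payload.bin'
$owner = 'eviluser'   # assumed local account that becomes the sole reader

New-Item -ItemType Directory -Path $dir -Force | Out-Null
Set-Content -Path $file -Value 'constructed sample content, not malware'

# Equivalent of:  cacls.exe payload.bin /T /C /P eviluser:R
# /P replaces the entire ACL, so every other ACE (Administrators, SYSTEM,
# inherited entries) is gone afterwards.
$acl = Get-Acl -Path $file
$acl.SetAccessRuleProtection($true, $false)          # stop inheriting, drop inherited ACEs
foreach ($rule in @($acl.Access)) { $acl.RemoveAccessRuleAll($rule) }
$acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
    $owner, 'Read', 'Allow')))
Set-Acl -Path $file -AclObject $acl

# Check 1: can this elevated process read the file the way a plain
# on-demand scanner would (ordinary CreateFile/ReadFile, no backup semantics)?
try {
    [IO.File]::ReadAllBytes($file) | Out-Null
    "readable: $file"
} catch [UnauthorizedAccessException] {
    "ACCESS DENIED: $file is invisible to a scanner that does plain reads"
}

# Check 2: sweep a tree for files whose DACL no longer grants read access to
# Administrators or SYSTEM. A file whose DACL cannot even be read (the
# attacker owns it, so the admin lacks READ_CONTROL) is flagged as well.
function Find-UnscannableFiles {
    param([string]$Root)
    $privileged = @('BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM')
    Get-ChildItem -Path $Root -Recurse -File -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $path = $_.FullName
            try   { $a = Get-Acl -Path $path -ErrorAction Stop }
            catch { $path; return }                      # DACL unreadable: flag it
            $ok = $a.Access | Where-Object {
                $_.AccessControlType -eq 'Allow' -and
                $privileged -contains $_.IdentityReference.Value -and
                ($_.FileSystemRights -band [Security.AccessControl.FileSystemRights]::ReadData)
            }
            if (-not $ok) { $path }
        }
}
Find-UnscannableFiles -Root $dir

# Remedy: a scanner that enables SeBackupPrivilege and opens with
# FILE_FLAG_BACKUP_SEMANTICS reads the file regardless of its DACL.
# From an admin shell the manual fix is to take ownership and re-grant access:
#   takeown /F C:\Temp\acltest\payload.bin
#   icacls  C:\Temp\acltest\payload.bin /grant Administrators:R
```

Run the sweep against the directories an on-demand scan would normally cover; any path it returns is one the scan silently skipped, and a file whose ACL cannot be read at all by an administrator is worth a closer look on its own.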