Re: when will AV vendors fix this???

To: bugtraq@xxxxxxxxxxxxxxxxx, Bipin Gautam <gautam.bipin@xxxxxxxxx>
Subject: Re: when will AV vendors fix this???
From: Andreas Marx <gega-it@xxxxxx>
Date: Mon, 14 Aug 2006 20:21:31 +0200
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
Organization: http://freemail.web.de/
Reveived: from web.de by fmmailgate04.web.de (Postfix) with SMTP id E5CC1148C98; Mon, 14 Aug 2006 20:21:31 +0200 (CEST)

At 22:35 07.08.2006, Paul Schmehl wrote:

[...]
> This is similar to the problem of alternative data streams. Essentially, the 
> work needed to solve this problem isn't worth the expenditure of time and 
> effort, because the file, in order to infect the system, has to be executed.  
> Once the file is executed "normal" on-access scanning will catch the exploit 
> *if* it is known.  (If it's unknown, it doesn't matter anyway.)  Yes, 
> on-demand scanning won't "see" the file, but even malicious files are benign 
> until they are run.
[...]

No, that's not the case. On-Access scanner *might* be able to catch the malware 
(if it's a known variant), but it could be that the scanner is missing the 
file, depending on it's implementation. The same applies to the On-Demand 
scanner: it might or might not detect it, even if the *known* malware can still 
run on a system, as many tricks exists to get the file executed. Here are two 
articles showing this with ADS, including some test results:

Dangers from the Twilight Zone | Alternate Data Streams can still be hiding 
places for malware
Microsoft's NTFS file system supports Alternate Data Streams to store 
additional information about a file. Malware can lurk in such streams. 
Nonetheless, a year and a half after the first ADS test of 18 virus scanners 
still not all of them reliably detect malware in ADS. [...]
<http://www.heise-security.co.uk/articles/74892>

Gefahr aus der Schattenwelt, Teil 2 | Alternate Data Streams als Versteck für 
Schädlinge
Microsofts NTFS-Dateisystem unterstützt Alternate Data Streams, um zusätzliche 
Informationen zu einer Datei zu speichern. Auch Schädlinge können sich in 
solchen Streams verstecken. Anderthalb Jahre nach dem ersten ADS-Test von 18 
Virenscannern erkennen aber immer noch nicht alle Produkte Malware in ADS 
zuverlässig.
<http://www.heise.de/security/artikel/74641>

cheers,
Andreas Marx
CEO, AV-Test.org

<http://www.av-test.org>

______________________________________________________________________
XXL-Speicher, PC-Virenschutz, Spartarife & mehr: Nur im WEB.DE Club!            
Jetzt gratis testen! http://freemail.web.de/home/landingpad/?mc=021130

Follow-Ups:
- Re: [Full-disclosure] Re: when will AV vendors fix this???
  - From: Paul Schmehl

Prev by Date: Mambo jim Component Remote Include Vulnerability
Next by Date: Re: [Full-disclosure] RE: when will AV vendors fix this???
Previous by thread: Re: when will AV vendors fix this???
Next by thread: Re: [Full-disclosure] Re: when will AV vendors fix this???
Index(es):
- Date
- Thread