[TZO-22-2009] Bitdefender generic evasion of heuristics (for PDF)
________________________________________________________________________
From the low-hanging-fruit-department
Bitdefender generic evasion of heuristics (for PDF)
________________________________________________________________________
CHEAP Plug :
************************************************************************
You are invited to participate in HACK.LU 2009, a small but concentrated
luxemburgish security conference. More information : http://www.hack.lu
CFP is open, sponsorship is still possible and warmly welcomed!
************************************************************************
Release mode: Coordinated but limited disclosure.
Ref : [TZO-23-2009] - Bitdefender generic PDF evasion (heuristics)
WWW :
http://blog.zoller.lu/2009/04/advisory-bitdefender-generic-evasion.html
Vendor : http://www.bitdefender.com
Status : Patched (with sig update after 13.05.2009)
CVE : none provided
Credit : none
OSVDB vendor entry: none [1]
Security notification reaction rating : good
Notification to patch window : 5 days
Disclosure Policy :
http://blog.zoller.lu/2008/09/notification-and-disclosure-policy.html
Affected products :
- Bitdefender Antivirus 2009
- Bitdefender Internet Security 2009
- Bitdefender Total Security 2009
- Bitdefender Small Office Security
- Bitdefender for Fileservers
- Bitdefender for Samba
- Bitdefender for Sharepoint
- Bitdefender Security for Exchange
- Bitdefender Security for Mailservers
- Bitdefender for ISA Servers
- Bitdefender Client security
Bundles:
- BitDefender Business Security
- Bitdefender Antivirus for Unices
- Bitdefender Corporate Security
- Bitdefender SBS Security
I. Background
~~~~~~~~~~~~~
Quote: "BitDefender™ provides security solutions to satisfy the protection
requirements
of today's computing environment, delivering effective threat management for
over 41 million home and corporate users in more than 100 countries.
BitDefender,
a division of SOFTWIN, is headquartered in Bucharest, Romania and has offices
in
Tettnang, Germany, Barcelona, United Kingdom, Denmark, Spain and
Fort Lauderdale (FL), USA."
II. Description
~~~~~~~~~~~~~~~
The heuristics can be bypassed by a special formatted PDF "container", this
leads to the bypass of malicious PDF files, old or new. This is not a
bypass that relies on archive structures but relies on evading certain
code paths in the AV engine "through various means".
III. Impact
~~~~~~~~~~~
To know more about the impact and type of "evasion", I updated the
description at http://blog.zoller.lu/2009/04/case-for-av-bypassesevasions.html
Interestingly this opens the possibility to evade at scan time and
run-time.
IV. Disclosure timeline
~~~~~~~~~~~~~~~~~~~~~~~~~
DD/MM/YYYY
08/05/2009 : Send proof of concept, description the terms under which
I cooperate and the planned disclosure date.
13/05/2009 : Bitdefender notifies my that the patch was deployed.
[1]
Bitdefender is encouraged to leave their security contact details at
http://osvdb.org/vendor/1/SOFTWIN to facilate communication and reduce lost
reports.