|
Dear List, 3 month have passed since it has been reported that some AntiVirus engines have flaws in regards to scanning malformed ZIP archives. This is an update on the situation and hopefully a wake up call for some vendors. 3 month have passed and a few Anti-Virus engines _still_ are "vulnerable" to this flaw. They either fail to detect the EICAR string or Sober (worm) correctly in malformed ZIP archives. It should be noted the malformed ZIP Archives open up correctly using common ZIP tools. Original Advisory : ftp://ftp.aerasec.de/pub/advisories/unfiltered-escape-sequences/ 2005 AERAsec Network Services and Security GmbH - Dr. Peter Bieringer http://bipin.sosvulnerable.net/crc.html Several Other flaws in Regards to malformed ZIP Archives. My Anti-Virus Results from 15/03/2005 : http://seclists.org/lists/fulldisclosure/2005/Mar/0556.html Details as of 14/06/2005 ************************ Products tested using http://www.virustotal.com & http://virusscan.jotti.org/ : AntiVir 6.31.0.5 AVG 718 Avira 6.31.0.5 BitDefender 7.0 ClamAV devel-20050501 DrWeb 4.32b eTrust-Iris 7.1.194.0 eTrust-Vet 11.9.1.0 Fortinet 2.32.0.0 Ikarus 2.32 Kaspersky 4.0.2.24 McAfee 4513 NOD32v2 1.1139 Norman 5.70.10 Panda 8.02.00 Sybari 7.5.1314 Symantec 8.0 TheHacker 5.8-3.0 VBA32 3.10.3 ArcaVir Avast F-Prot Antivirus no-escape-sequences-in-filename-eicar.zip ------------------------------------------ Anti-Virus products which failed this test : Ikarus 2.32 updated on 06.14.2005 Symantec 8.0 updated on 06.13.2005 no-escape-sequences-in-filename-sober.l.zip ------------------------------------------ Failed : Ikarus 2.32 updated 06.14.2005 unfiltered-escape-sequences-in-filename-eicar.zip ------------------------------------------------- Failed : Symantec 8.0 TheHacker 5.8-3.0 Ikarus 2.32 unfiltered-escape-sequences-in-filename-sober.l.zip --------------------------------------------------- Failed : TheHacker 5.8-3.0 Ikarus 2.32 AVG (ONLY ON JOTTI, Test done multiple times) mixed2-eicar.zip AND mixed3-eicar.zip --------------------------------------------------- Failed: Symantec 8.0 TheHacker 5.8-3.0 Ikarus 2.32 mixed4-eicar.zip AND mixed-eicar-1.zip --------------------------------------------------- Failed: Ikarus 2.32 eicarcom2.zip --------------------------------------------------- No Failures. crc.zip (malformed CRC checksum) --------------------------------------------------- Failed : Symantec 8.0 NOD32 (ONLY ON JOTTI, Test done multiple times VirusTotal gives : incorrect CRC checksum, the file may be damaged) gpbf.zip (general purpose bit flag hack) --------------------------------------------------- Failed: F-Prot Antivirus Norman Virus Control (Jotti and VirusTotal) ArcaVir Symantec long_coment.zip (long archive comment) --------------------------------------------------- Failed : Avast AVG Antivirus Symantec 8.0 DrWeb (Failed on VirusTotal, successfull on Jotti) Antigen.zip (fake compressed size and uncompressed size values) --------------------------------------------------- Failed: AntiVir ArcaVir Avast BitDefender ClamAV Dr.Web Fortinet NOD32 Norman Virus Control VBA32 Sybari 7.5.1314 Symantec 8.0 TheHacker 5.8-3.0 VBA32 3.10.3 McAfee 4513 eTrust-Iris 7.1.194.0 eTrust-Vet 11.9.1.0 (It should be noted that in order to really use this flaw to hide malware the CRC value should be corrected AFTER changing the compressed and uncompressed sizes) eicar_com ♫?↔▲§ .com .zip ( test_nav.zip) ---------------------------------------------------- Failed: ClamAV F-Prot Antivirus Fortinet Norman Virus Control VirusTotal never managed to show the result for this file. Regards, Thierry Zoller mailto:Thierry@sniff-em.com