Robert, MW and class are right. This is a general problem of all sig-based AV systems. It has been covered on this list and many other places, I am sure. You should report this to Sophos, but only because you were using Sophos in your test. To report it here as a Sophos vuln isn't fair to Sophos, IMHO. But that is just my 2 cents.
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
> Sent: Thursday, June 16, 2005 6:54 AM
> To: [email protected]; [email protected]
> Subject: [Full-disclosure] Sophos Antivirus Advisory
>
> = Advisory: Sophos doesn't recognize keylogger after string alteration =
>
> During a penetration test RedTeam found out that Sophos Anti-Virus (SAV for
> short) won't recognize a keylogger as malware after alteration of a string
> in the keylogger's binary.
>
> == Details ==
>
> Product:           Sophos Anti-Virus
> Affected Version:  <= 5.0.2
> Immune Version:    None known
> OS affected:       tested on Win2k, GNU/Linux, probably all supported by Sophos
> Security-Risk:     medium
> Remote-Exploit:    no
> Vendor-URL:        http://www.sophos.com
> Vendor-Status:     informed
> Advisory-URL:      http://tsyklon.informatik.rwth-aachen.de/redteam/advisories/rt-sa-2005-013
> Advisory-Status:   published
>
> == Introduction ==
>
> "Sophos Anti-Virus provides integrated virus detection on a wide range of
> Windows platforms. Our award-winning technology protects corporate servers,
> desktops and laptops from viruses, Trojans, worms and malicious spyware."
> (from Vendor's page)
>
> SAV fails to recognize a keylogger binary after altering a few bytes in a
> string contained in the program.
>
> == More Details ==
>
> During a penetration test, RedTeam wanted to install a keylogger on a
> victim's system. Klogger (written by Arne Vidstrom, see [1]) was chosen
> because of its small size, simplicity, and the ability to be executed from
> the command prompt. Since we knew that SAV was running on the target system,
> we did a test in our lab at RWTH-Aachen University. This test revealed that
> SAV would recognize the Klogger binary as malicious and raise alarm.
>
> In a simplistic attempt to confuse SAV, a few bytes in the Klogger binary
> (there is no source code available) which belonged to a string containing
> the author's name were changed with a hex editor. To our astonishment this
> was enough to foil SAV - no alarms were raised for the modified binary.
> Apparently the only detection method deployed by SAV for this binary was a
> hash comparison or something to the same effect.
>
> Tests with other antivirus programs showed that all of them recognized the
> binary even after the string alteration. As for SAV, additional tests with
> more popular malware showed that for these, proper heuristics were used: it
> was not enough just to change a few bytes with other malware binaries we
> tested.
>
> This example shows impressively how easily some virus scanners can be
> bypassed. An attacker just has to spend less than one minute to manipulate
> the keylogger to prevent SAV from detecting the file.
>
> As keyloggers are more and more used by criminals like phishers to get e.g.
> online-banking data, it is important that protection software has robust
> detection mechanisms for malware. Simple circumvention of protection
> mechanisms could lead to a severe information leakage and compromise of the
> user. It is not uncommon for malware code to be hex-edited by the entities
> deploying them or even to change itself, thus potentially circumventing SAV
> if this practice is used with other malicious code, too.
>
> [1] http://ntsecurity.nu/toolbox/klogger/
>
> == Proof of Concept ==
>
> Just download klogger and change some bytes.
>
> == Workaround ==
>
> Never rely only on your antivirus program, regardless of how good it is.
> Those programs can only detect known malware with 100% certainty.
> Unknown but also slightly modified malicious code is only recognized using
> heuristics, which fail much too often.
> Always use common sense and don't execute or even open files you don't
> exactly know where they come from.
>
> == Fix ==
>
> None known.
>
> == Security Risk ==
>
> As users should not rely only on their antivirus programs (as stated above)
> in the first place, the security risk may be seen as medium.
>
> == History ==
>
> 14.04.2005 discovery of SAV's behaviour
> 21.04.2005 additional tests with other programs
> 10.05.2005 advisory is written
> 03.06.2005 contacted Sophos. Answer: the attachment you sent is clean.
>            Eh? Apparently, they sent the attached pgp-signature to their
>            virus-lab... Asked for a security contact. Got back the offer
>            that if we send a file with a virus, they can scan it.
>            Okaaaay, that was not the question, was it? Told them we were
>            short of viruses, sorry. Contact promised to send the mail to
>            their headquarters in England. Never heard from them again.
> 16.06.2005 Advisory released
>
> == RedTeam ==
>
> RedTeam is a penetration testing group working at the Laboratory for
> Dependable Distributed Systems at RWTH-Aachen University. You can find more
> information on the RedTeam Project at
> http://tsyklon.informatik.rwth-aachen.de/redteam/
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
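The point the thread turns on (a hash or a byte string anchored on mutable data is defeated by a one-byte hex edit, whereas a pattern over the code with wildcards on relocatable bytes survives it) can be shown in a few lines. The following is an added example written for this page; it is not RedTeam's, Sophos's or Klogger's code. The "binary" is a constructed stand-in (a handful of x86-looking bytes plus an author string), the three detector functions are hypothetical stand-ins for what a scanner might do, and nothing here reflects how SAV actually built its signatures:

```python
import hashlib
import re

# Constructed stand-in for a small keylogger binary (NOT the real Klogger):
# a short code region followed by a data region that holds an author string.
CODE = bytes.fromhex(
    "55 8B EC 83 EC 20 53 56 57 E8 00 00 00 00 5B 8B 45 08 50 FF 15 10 20 40 00 "
    "85 C0 74 0A 8B 4D 0C 51 FF 15 14 20 40 00 5F 5E 5B 8B E5 5D C3"
)
AUTHOR = b"Copyright Arne Vidstrom\x00"  # the kind of string the advisory edited
ORIGINAL = CODE + b"\x00" * 16 + AUTHOR + b"\x00" * 16

# Detector 1: whole-file hash. Any single-byte change defeats it.
KNOWN_BAD_SHA256 = hashlib.sha256(ORIGINAL).hexdigest()

def detect_by_hash(sample: bytes) -> bool:
    return hashlib.sha256(sample).hexdigest() == KNOWN_BAD_SHA256

# Detector 2: exact byte string lifted from the data region (the author name).
# Cheap to write, and just as cheap to break with a hex editor.
def detect_by_string(sample: bytes) -> bool:
    return AUTHOR in sample

# Detector 3: pattern over the code region, in the spirit of a YARA hex string,
# with wildcards on the bytes that legitimately vary between builds or after
# relocation (stack frame size, call displacement, IAT addresses).
CODE_PATTERN = re.compile(
    rb"\x55\x8B\xEC\x83\xEC.\x53\x56\x57\xE8....\x5B\x8B\x45\x08\x50\xFF\x15....",
    re.DOTALL,
)

def detect_by_code_pattern(sample: bytes) -> bool:
    return CODE_PATTERN.search(sample) is not None

def hex_edit(sample: bytes, needle: bytes, replacement: bytes) -> bytes:
    """Mimic the one-minute hex-editor change: same length, so no layout shift."""
    if len(needle) != len(replacement):
        raise ValueError("in-place edit must preserve length")
    return sample.replace(needle, replacement, 1)

def scan(sample: bytes) -> dict:
    """Run all three detectors and report which ones still fire."""
    return {
        "hash": detect_by_hash(sample),
        "string": detect_by_string(sample),
        "code_pattern": detect_by_code_pattern(sample),
    }

# The edit described in the advisory: a few bytes of the author string changed.
MODIFIED = hex_edit(ORIGINAL, b"Arne", b"Arno")

if __name__ == "__main__":
    print("original:", scan(ORIGINAL))
    print("modified:", scan(MODIFIED))
```

Running it shows all three detectors firing on ORIGINAL, while on MODIFIED only the code pattern still fires. The same code pattern also survives a change to a wildcarded byte (say the frame size in `83 EC 20`), which is the property one wants from a signature: it should key on what the attacker cannot cheaply alter without breaking the program, not on strings the author happened to leave in.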
