Yep, sorry about that. Sophos isn't on VirusTotal's list... anyone running it?
> -----Original Message-----
> From: Cassidy Macfarlane [mailto:[EMAIL PROTECTED]
> Sent: Thursday, October 14, 2004 10:42 AM
> To: Todd Towles; Andrey Bayora; [EMAIL PROTECTED]
> Cc: [EMAIL PROTECTED]
> Subject: RE: [Full-Disclosure] Bypass of Antivirus software with GDI+ bug exploit Mutations
>
> Symantec Enterprise 8.1:
>
> Your attachment "JPEG.zip" contained viruses:
> "Backdoor.Roxe" at location "1.jpg",
> and "Bloodhound.Exploit.13" at location "2.jpg".
>
> -----Original Message-----
> From: Todd Towles [mailto:[EMAIL PROTECTED]
> Sent: 14 October 2004 14:10
> To: Andrey Bayora; [EMAIL PROTECTED]
> Cc: [EMAIL PROTECTED]
> Subject: RE: [Full-Disclosure] Bypass of Antivirus software with GDI+ bug exploit Mutations
>
> TrendMicro sees it as a MS04-028 exploit
>
> > -----Original Message-----
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Andrey Bayora
> > Sent: Thursday, October 14, 2004 2:46 AM
> > To: [EMAIL PROTECTED]
> > Cc: [EMAIL PROTECTED]
> > Subject: [Full-Disclosure] Bypass of Antivirus software with GDI+ bug exploit Mutations
> >
> > Bypass of Antivirus software with GDI+ bug exploit Mutations.
> >
> > HiddenBit.org Security Advisory.
> >
> > Date: October 14, 2004
> >
> > Author: Andrey Bayora
> >
> >
> > BACKGROUND
> >
> > While working on a research paper for the SANS GCIH practical I found this issue, and it seems to me critical enough to warn readers about it.
> >
> > DESCRIPTION
> >
> > Most Antivirus software can't detect Mutations of the GDI+ exploit.
> >
> > ANALYSIS
> >
> > 1) Most Antivirus vendors issue virus definitions for the known exploit code [1], which uses the \xFF\xFE\x00\x01 string for the buffer overflow.
> >    From the Snort rule [2] you can learn that there are 7 more variants to produce this buffer overflow in GDI+.
> >    So, by changing \xFE to one of these - \xE1, \xE2, \xED - and/or by changing \x01 to \x00 this exploit will be UNDETECTED by many antiviruses (list attached).
> >
> > 2) While the original exploit code uses the buffer overflow string near the BEGINNING of the image file (after the \xFF\xE0, \xFF\xEC and \xFF\xEE markers), I was able to create an image with the buffer overflow string in the MIDDLE of the file.
> >
> > 3) By combining various strings from the methods described under 1) and 2) and by placing them in different locations in the image file I was able to bypass various antivirus products.
> >
> >
> > FIX
> >
> > 1) Patch vulnerable systems.
> > 2) If your antivirus didn't detect these variants - block JPEG (xFFD8).
> >
> >
> > DEMO
> >
> > http://www.hiddenbit.org/demo_files/jpeg.zip
> >
> > 1) In the 1.jpg file the \xFE string was substituted with \xE1.
> >    WARNING! THIS IS THE COMPILED PROOF OF CONCEPT FROM [1] THAT WILL CONNECT BACK TO VULNERABLE MACHINE TO 127.0.0.1 AT PORT 777 (run: nc -l -p 777).
> > 2) In 2.jpg the buffer overflow string is at offset x22F0 (the string that begins with \xFF\xED).
> >    THIS IS JUST AN IMAGE WITH A BUFFER OVERFLOW.
> > 3) These are the results from [3]:
> >
> > For 1.jpg
> >
> > Results of a file scan
> > This is the report of the scanning done over the "1.jpg" file (see Demo section) that VirusTotal processed on 10/13/2004 at 18:54:56.
> >
> > Antivirus     Version          Update      Result
> > BitDefender   7.0              10.12.2004  -
> > ClamWin       devel-20040922   10.12.2004  -
> > eTrust-Iris   7.1.194.0        10.13.2004  -
> > F-Prot        3.15b            10.13.2004  -
> > Kaspersky     4.0.2.24         10.13.2004  -
> > McAfee        4398             10.13.2004  Exploit-MS04-028
> > NOD32v2       1.893            10.13.2004  -
> > Norman        5.70.10          10.12.2004  -
> > Panda         7.02.00          10.13.2004  -
> > Sybari        7.5.1314         10.13.2004  -
> > Symantec      8.0              10.12.2004  Backdoor.Roxe
> > TrendMicro    7.000            10.12.2004  Exploit-MS04-028
> >
> > For 2.jpg
> >
> > Results of a file scan
> > This is the report of the scanning done over the "2.jpg" file that VirusTotal processed on 10/13/2004 at 18:56:32.
> >
> > Antivirus     Version          Update      Result
> > BitDefender   7.0              10.12.2004  -
> > ClamWin       devel-20040922   10.12.2004  -
> > eTrust-Iris   7.1.194.0        10.13.2004  -
> > F-Prot        3.15b            10.13.2004  -
> > Kaspersky     4.0.2.24         10.13.2004  -
> > McAfee        4398             10.13.2004  Exploit-MS04-028
> > NOD32v2       1.893            10.13.2004  -
> > Norman        5.70.10          10.12.2004  -
> > Panda         7.02.00          10.13.2004  -
> > Sybari        7.5.1314         10.13.2004  -
> > Symantec      8.0              10.12.2004  Bloodhound.Exploit.13
> > TrendMicro    7.000            10.12.2004  Exploit-MS04-028
> >
> >
> > Only "The BIG 3" were able to detect those variants.
> >
> > More complete research will be published in my SANS GCIH paper.
> >
> >
> > Reference:
> >
> > [1] www.k-otik.com
> > [2] http://www.snort.org/snort-db/sid.html?sid=2705
> > [3] www.virustotal.com
> >
> >
> > **********************************************************
> > HiddenBit.org is a non-profit Israeli security research team.
> >
> >
> > --------------------------------------------------------------
> > Disclaimer
> >
> > The information within this advisory may change without notice. There are no warranties, implied or express, with regard to this information.
> > In no event shall the author be liable for any direct or indirect damages whatsoever arising out of or in connection with the use or spread of this information. Any use of this information is at the user's own risk.
> >
> >
> > _______________________________________________
> > Full-Disclosure - We believe in it.
> > Charter: http://lists.netsys.com/full-disclosure-charter.html
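The advisory's point is that a signature anchored on the exact PoC bytes misses both the marker/length mutations and a mid-file placement. As an added example (not part of this thread, and not Andrey Bayora's demo files or any vendor's engine), here is a Python check that walks the JPEG segment chain and flags any segment whose declared length is below 2, using the eight variants from the cited Snort rule as a raw-scan fallback; the sample inputs are constructed inline.

```python
import re
import struct

# Exact bytes of the public PoC, which is what the advisory says most scanners
# matched; the \xE1/\xE2/\xED and \x00 mutations evade this string.
NAIVE_SIGNATURE = b"\xFF\xFE\x00\x01"
# The eight marker/length combinations from the Snort rule the advisory cites:
# APP1, APP2, APP13 or COM with a declared segment length of 0 or 1.
VARIANT_PATTERN = re.compile(rb"\xFF[\xE1\xE2\xED\xFE]\x00[\x00\x01]")

def naive_match(data: bytes) -> bool:
    return NAIVE_SIGNATURE in data

def find_ms04_028_triggers(data: bytes) -> list:
    """Return (offset, marker, length) for every segment whose declared length is
    below 2: the field counts its own two bytes, so smaller values underflow
    length - 2.  The chain is followed by declared length, so a bad segment is
    found wherever it sits in the file, not only near the start."""
    hits = []
    pos = 2 if data[:2] == b"\xFF\xD8" else len(data)   # no SOI: skip the walk
    while pos + 4 <= len(data) and data[pos] == 0xFF:
        marker = data[pos + 1]
        if marker == 0xD9:                                # EOI
            break
        if marker == 0xD8 or 0xD0 <= marker <= 0xD7:      # standalone, no length
            pos += 2
            continue
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])
        if length < 2:
            hits.append((pos, marker, length))
            break                                         # cannot follow this length
        if marker == 0xDA:                                # SOS: entropy-coded data follows
            break
        pos += 2 + length
    # Raw scan as a fallback for files whose chain is broken before the bad segment.
    for m in VARIANT_PATTERN.finditer(data):
        hit = (m.start(), data[m.start() + 1], data[m.start() + 3])
        if hit not in hits:
            hits.append(hit)
    return sorted(hits)

def build_sample(mutated: bool) -> bytes:
    """Constructed test input, not a file from the advisory: SOI, a valid APP0, a 300-byte
    APP2 of filler, then a well-formed COM or a zero-length APP13 (mid-file case), then EOI."""
    app0 = b"\xFF\xE0" + struct.pack(">H", 16) + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    app2 = b"\xFF\xE2" + struct.pack(">H", 302) + b"\x00" * 300
    tail = b"\xFF\xED\x00\x00" if mutated else b"\xFF\xFE" + struct.pack(">H", 7) + b"hello"
    return b"\xFF\xD8" + app0 + app2 + tail + b"\xFF\xD9"
```

The structural walk reports the zero-length APP13 at offset 324 in the constructed sample, while the naive PoC signature matches nothing in it.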
