> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of
> Todd Towles
> Sent: Wednesday, 29 September 2004 7:26 a.m.
> To: Mailing List - Full-Disclosure
> Subject: FW: [Full-Disclosure] JPEG AV Detection
>
> What exactly are the AV products detecting in the JPEG exploits? Barry
> and I were talking about how impressed we were that the AV companies
> jumped on this one and detection was pretty fast. But is the detection
> so generic that a variant will bypass? Is the detection based on an
> original exploit that could be modified in a way that makes it
> "undetectable" right now?
If they are any decent then they'll check for incorrect values in comment size fields. It's very easy to detect it since the value has to be 0 or 1 in order to exploit the vulnerability. A little problem is that the comment size field can be in any section of the JPEG, not just at the beginning (as in the original exploit), but I suppose that AV vendors caught this.

Cheers,

Bojan

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
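As an added example (not code from the thread, and not any AV vendor's detection logic), here is what the check Bojan describes looks like as a small JPEG segment walker in Python. It assumes only the standard JPEG marker layout: each segment starts with 0xFF plus a marker byte, the big-endian length field that follows counts its own two bytes (so any legitimate value is at least 2), and the entropy-coded data after SOS escapes a literal 0xFF as 0xFF 0x00 and embeds RSTn markers. The walker keeps going past the scan data until EOI, because the point of the reply is that the bad comment segment can sit anywhere in the file. The sample files are constructed inline.

```python
"""Added example: walk a JPEG's marker segments and flag any COM (comment,
0xFFFE) segment whose 16-bit length field is 0 or 1.

The walker is not from the mailing-list thread; it implements the check the
reply describes.  A JPEG length field counts its own two bytes, so any sane
value is >= 2.  Every segment is visited, including those after the scan
data, since the comment can be in any section of the file.
"""
import struct

SOI, EOI, SOS, COM, TEM = 0xD8, 0xD9, 0xDA, 0xFE, 0x01
RST_RANGE = range(0xD0, 0xD8)           # RST0..RST7
STANDALONE = {TEM, *RST_RANGE}          # markers that carry no length field


def _skip_scan_data(data, pos):
    """Advance past entropy-coded data to the next real marker.  Inside scan
    data a literal 0xFF is stuffed as 0xFF 0x00 and RSTn markers are part of
    the stream, so neither of those ends the scan."""
    while pos + 1 < len(data):
        if data[pos] == 0xFF and data[pos + 1] != 0x00 and data[pos + 1] not in RST_RANGE:
            return pos
        pos += 1
    return len(data)


def iter_segments(data):
    """Yield (offset, marker, length_field) for each segment.  length_field is
    None for markers that have no length (RSTn, TEM, EOI)."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI")
    pos = 2
    while pos < len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos}")
        start = pos
        while pos < len(data) and data[pos] == 0xFF:    # tolerate 0xFF fill bytes
            pos += 1
        if pos >= len(data):
            break
        marker = data[pos]
        pos += 1
        if marker == EOI:
            yield start, marker, None
            return
        if marker in STANDALONE:
            yield start, marker, None
            continue
        if pos + 2 > len(data):
            raise ValueError(f"truncated length field at offset {pos}")
        length = struct.unpack(">H", data[pos:pos + 2])[0]
        yield start, marker, length
        # A sane length includes its own two bytes.  A field of 0 or 1 is the
        # case the reply describes; never let it move the cursor backwards,
        # just step over the two length bytes and keep walking.
        pos += max(length, 2)
        if marker == SOS:
            pos = _skip_scan_data(data, pos)


def find_bad_comments(data):
    """Return [(offset, length_field)] for every COM segment with length < 2."""
    return [(off, length) for off, marker, length in iter_segments(data)
            if marker == COM and length is not None and length < 2]


def com_segment(payload, length_field=None):
    """Build a COM segment; length_field overrides the correct value so the
    constructed samples below can carry the 0 / 1 case."""
    if length_field is None:
        length_field = len(payload) + 2
    return b"\xff\xfe" + struct.pack(">H", length_field) + payload


# Constructed sample files (not real images): just enough structure to walk.
SOI_BYTES = b"\xff\xd8"
APP0 = b"\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"  # 16-byte JFIF header
SOS_SEG = b"\xff\xda\x00\x08\x01\x01\x00\x00\x3f\x00"                     # 1-component scan header
SCAN = b"\x12\x34\xff\x00\x56"                                           # scan data with a stuffed 0xFF
EOI_BYTES = b"\xff\xd9"

BENIGN = SOI_BYTES + APP0 + com_segment(b"hello") + SOS_SEG + SCAN + EOI_BYTES
# Bad comment as the first segment after SOI, as in the original exploit.
EXPLOIT_AT_START = SOI_BYTES + com_segment(b"", length_field=0) + APP0 + SOS_SEG + SCAN + EOI_BYTES
# Bad comment hidden behind a legitimate one.
EXPLOIT_BURIED = (SOI_BYTES + APP0 + com_segment(b"hello")
                  + com_segment(b"", length_field=1) + SOS_SEG + SCAN + EOI_BYTES)
# Bad comment after the scan data, which a scanner that stops at SOS would miss.
EXPLOIT_AFTER_SCAN = SOI_BYTES + APP0 + SOS_SEG + SCAN + com_segment(b"", length_field=1) + EOI_BYTES

if __name__ == "__main__":
    for name, blob in [("benign", BENIGN), ("at_start", EXPLOIT_AT_START),
                       ("buried", EXPLOIT_BURIED), ("after_scan", EXPLOIT_AFTER_SCAN)]:
        print(f"{name:10s} -> {find_bad_comments(blob)}")
```

The last two samples are the case the reply worries about: a scanner that only looks at the segment right after SOI, or stops at SOS, reports them clean, while the full walk flags both. The walker is also written so the malformed length cannot turn it against itself: a field of 0 or 1 never moves the cursor backwards, and truncated input raises instead of being read past the end.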
