[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Full-disclosure] Multiple vendor antivirus .kz archive format evasion/bypass vulnerability.
- To: "full-disclosure@xxxxxxxxxxxxxxxxx" <full-disclosure@xxxxxxxxxxxxxxxxx>
- Subject: [Full-disclosure] Multiple vendor antivirus .kz archive format evasion/bypass vulnerability.
- From: Michel <kareldjag@xxxxxxxx>
- Date: Thu, 2 Feb 2012 21:27:13 +0000 (GMT)
hello,
Multiple vendor antivirus .kz archive format evasion/bypass vulnerability.
DESCRIPTION
.kz is a proprietary archive format from an Asian editor KuaiZip:
http://www.kuaizip.com/en/index.html
This format, similar to lzma, is recent and very rare format type (not
supported yet by most common archivers).
By creating a .kz file archive a remote attacker could send a malicious payload
within this compressed archive to bypass/evade antivirus protection.
The succesful exploitation of this flaw allows attackers to plant a malicious
file on a server or to store unwanted codes (DDOS tools, keyloguers, rootkit
etc) on the intranet or any private network without being detected by the
antivirus solution.
The vulnerability concerns the incapacity of the scanner engine to inspect the
code within the KuaiZip archive.
Consequently, there is no possibility for the antivirus to detect any malicious
file or payload on any environment: locally/client side, Mail gateway, web
mail, cloud scan etc.
IMPACT AND LIMITATIONS:
As scanners engines do not support this new archive format, and as most
antivirus are affected, the impact is a high.
As .kz format is currently only supported by KuaiZip archiver, and as most
antivirus will detect the malicious known code once extracted from the archive,
therefore the risk of infection is limited.
AFFECTED ANTIVIRUS:
currently most of them! including Norton, Kaspersky, Nod32/Eset, McAfee,
Avira...
TESTS AND PoC:
Scans of 2 files on various online multiple antivirus scanners services like
Virustotal and Virscan.
Jotti with hackerdefender rootkit: all scanners bypassed (French interface:
"Rien trouvé" means "Nothing found" ):
Scanners
[ArcaVir]
2012-02-02 Rien trouvé
[Frisk F-Prot Antivirus]
2012-02-01 Rien trouvé
[Avast! antivirus]
2012-02-02 Rien trouvé
[F-Secure Anti-Virus]
2012-02-02 Rien trouvé
[Grisoft AVG Anti-Virus]
2012-02-02 Rien trouvé
[G DATA]
2012-02-02 Rien trouvé
[Avira AntiVir]
2012-02-02 Rien trouvé
[Ikarus]
2012-02-02 Rien trouvé
[Softwin BitDefender]
2012-02-02 Rien trouvé
[Kaspersky Anti-Virus]
2012-02-02 Rien trouvé
[ClamAV]
2012-02-02 Rien trouvé
[Panda Antivirus]
2012-02-02 Rien trouvé
[CPsecure]
2012-02-02 Rien trouvé
[Quick Heal]
2012-02-02 Rien trouvé
[Dr.Web]
2012-02-02 Rien trouvé
[Sophos]
2012-02-02 Rien trouvé
[Emsisoft Anti-Malware]
2012-02-02 Rien trouvé
[VirusBlokAda VBA32]
2012-02-02 Rien trouvé
[ESET]
2012-02-02 Rien trouvé
[VirusBuster]
2012-02-02 Rien trouvé
http://r.virscan.org/report/dda3f262c01ceb38e08cb67f3109abcd.html
http://r.virscan.org/report/6614b0d24738fe1f0b87e4d26588e9aa.html
https://www.virustotal.com/file/87b99979701e12e5a349a8875e145bbf46157272a07dde149ddbd0d0c347746c/analysis/1328206676/
http://virusscan.jotti.org/fr/scanresult/20295e6bca35855fbac9ffb3490d234787e2d773
http://virusscan.jotti.org/fr/scanresult/ac117935136f362f6167bf6f14b1fe3dba7bfe12
Local scan on 3 different PC with 3 different installed antivirus (latest
version):
Kaspersky antivirus 2012, Avira free, Avast free: all vulnerable.
The two files are two .kz archives: an eicar test file for the first one
(eicar.com) and HackerDefender rootkit for the second one.
A package of the test files and local scans screenshots can be found here
(click on "telecharger ce fichier"):
http://dl.free.fr/kAPjT6Gs4
NB: It's a .kz archive :) to prevent your antivirus to download the file!
KuaiZip required for extraction!
VENDORS RESPONSE:
Currently only 2 vendors have been contacted: Kaspersky and FSB labs, mostly
because their developpers are in mail contacts.
kareldjag(dog)yahoo.fr
Regards
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/