[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Full-disclosure] Multiple vendor antivirus .kz archive format evasion/bypass vulnerability.



You do know that anyone can create a new archive format that antiviruses
will not detect... Right?

2012/2/2 Michel <kareldjag@xxxxxxxx>

>  hello,
>
> Multiple vendor antivirus .kz archive format evasion/bypass vulnerability.
>
> DESCRIPTION
> .kz is a proprietary archive format from an Asian editor KuaiZip:
> http://www.kuaizip.com/en/index.html
> This format, similar to lzma, is recent and very rare format type (not
> supported yet by most common archivers).
> By creating a .kz file archive a remote attacker could send a malicious
> payload within this compressed archive to bypass/evade antivirus protection.
> The succesful exploitation of this flaw allows attackers to plant a
> malicious file on a server or to store unwanted codes (DDOS tools,
> keyloguers, rootkit etc) on the intranet or any private network without
> being detected by the antivirus solution.
>
> The vulnerability concerns the incapacity of the scanner engine to inspect
> the code within the KuaiZip archive.
> Consequently, there is no possibility for the antivirus to detect any
> malicious file or payload on any environment: locally/client side, Mail
> gateway, web mail, cloud scan etc.
>
> IMPACT AND LIMITATIONS:
> As scanners engines do not support this new archive format, and as most
> antivirus are affected, the impact is a high.
> As .kz format is currently only supported by KuaiZip archiver, and as most
> antivirus will detect the malicious known code once extracted from the
> archive, therefore the risk of infection is limited.
>
>
> AFFECTED ANTIVIRUS:
> currently most of them! including Norton, Kaspersky, Nod32/Eset, McAfee,
> Avira...
>
> TESTS AND PoC:
>
> Scans of 2 files on various online multiple antivirus scanners services
> like Virustotal and Virscan.
> Jotti with hackerdefender rootkit: all scanners bypassed (French
> interface: "Rien trouvé" means "Nothing found" ):
>
> Scanners
> [ArcaVir]
> 2012-02-02 Rien trouvé
>     [Frisk F-Prot Antivirus]
> 2012-02-01 Rien trouvé
> [Avast! antivirus]
> 2012-02-02 Rien trouvé
>     [F-Secure Anti-Virus]
> 2012-02-02 Rien trouvé
> [Grisoft AVG Anti-Virus]
> 2012-02-02 Rien trouvé
>     [G DATA]
> 2012-02-02 Rien trouvé
> [Avira AntiVir]
> 2012-02-02 Rien trouvé
>     [Ikarus]
> 2012-02-02 Rien trouvé
> [Softwin BitDefender]
> 2012-02-02 Rien trouvé
>     [Kaspersky Anti-Virus]
> 2012-02-02 Rien trouvé
> [ClamAV]
> 2012-02-02 Rien trouvé
>     [Panda Antivirus]
> 2012-02-02 Rien trouvé
> [CPsecure]
> 2012-02-02 Rien trouvé
>     [Quick Heal]
> 2012-02-02 Rien trouvé
> [Dr.Web]
> 2012-02-02 Rien trouvé
>     [Sophos]
> 2012-02-02 Rien trouvé
> [Emsisoft Anti-Malware]
> 2012-02-02 Rien trouvé
>     [VirusBlokAda VBA32]
> 2012-02-02 Rien trouvé
> [ESET]
> 2012-02-02 Rien trouvé
>     [VirusBuster]
> 2012-02-02 Rien trouvé
>
> http://r.virscan.org/report/dda3f262c01ceb38e08cb67f3109abcd.html
> http://r.virscan.org/report/6614b0d24738fe1f0b87e4d26588e9aa.html
>
> https://www.virustotal.com/file/87b99979701e12e5a349a8875e145bbf46157272a07dde149ddbd0d0c347746c/analysis/1328206676/
>
> http://virusscan.jotti.org/fr/scanresult/20295e6bca35855fbac9ffb3490d234787e2d773
>
> http://virusscan.jotti.org/fr/scanresult/ac117935136f362f6167bf6f14b1fe3dba7bfe12
>
>
> Local scan on 3 different PC with 3 different installed antivirus (latest
> version):
> Kaspersky antivirus 2012, Avira free, Avast free: all vulnerable.
>
> The two files are two .kz archives: an eicar test file for the first one (
> eicar.com) and HackerDefender rootkit for the second one.
>
> A package of the test files and local scans screenshots can be found here
> (click on "telecharger ce fichier"):
> http://dl.free.fr/kAPjT6Gs4
>
> NB: It's a .kz archive :) to prevent your antivirus to download the file!
> KuaiZip required for extraction!
>
>
> VENDORS RESPONSE:
>
> Currently only 2 vendors have been contacted: Kaspersky and FSB labs,
> mostly because their developpers are in mail contacts.
> kareldjag(dog)yahoo.fr
>
>
> Regards
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/