This might also affect bitdefender and f-prot.
net-mail/antivirus/ticho please verify and advise.
Have any test sample I can try? Unfortunately, both bitdefender and f-prot are binary-only, so we can only wait for an upstream release.
Created attachment 50124: rfc2397_bypass.html (RFC2397-encoded virus image)
Created attachment 50125: rfc2397_decoded.gif (GIF-encoded virus image)
ticho: see http://www.intrusense.com/av-bypass/image-bypass-advisory.txt

I've attached the test virus image (theoretically incomplete so harmless, but view at your own risk) and the RFC-2397 encoded version. Tested using vlnx (McAfee) 432e-r1:

$ /opt/vlnx/uvscan --version
Scan engine v4.3.20 for Linux.
Virus data file v4424 created Jan 31 2005
$ /opt/vlnx/uvscan rfc2397_decoded.gif
/root/rfc2397_decoded.gif Found the Exploit-MS04-028 trojan !!!
$ /opt/vlnx/uvscan rfc2397_bypass.html
$

so it evades detection. Could a clamav user confirm that the 0.81 now fixes this, and other Gentoo-provided antivirus users test their own setups?
ticho@thelair ~/dl/vir $ clamscan *
rfc2397_bypass.html: Exploit.JPEG.Comment.FE FOUND
rfc2397_decoded.gif: Exploit.JPEG.Comment.FE FOUND

----------- SCAN SUMMARY -----------
Known viruses: 30065
Scanned directories: 0
Scanned files: 2
Infected files: 2
Data scanned: 0.00 MB
I/O buffer size: 131072 bytes
Time: 0.457 sec (0 m 0 s)

ticho@thelair ~/dl/vir $ bdc --all *
BDC/Linux-Console v7.0 (build 2490) (i386) (Dec 10 2003 16:11:35)
Copyright (C) 1996-2003 SOFTWIN SRL. All rights reserved.

/home/ticho/dl/vir/rfc2397_decoded.gif infected: Exploit.Win32.MS04-028.Gen

Results:
Folders :0
Files :2
Packed :0
Infected files :1
Suspect files :0
Warnings :0
Identified viruses:1
I/O errors :0

ticho@thelair ~/dl/vir $ f-prot *
Virus scanning report - 1 February 2005 @ 15:00

F-PROT ANTIVIRUS
Program version: 4.5.3
Engine version: 3.16.1

VIRUS SIGNATURE FILES
SIGN.DEF created 30 January 2005
SIGN2.DEF created 30 January 2005
MACRO.DEF created 27 January 2005

Search: rfc2397_bypass.html rfc2397_decoded.gif
Action: Report only
Files: "Dumb" scan of all files
Switches: -ARCHIVE -PACKED -SERVER

/home/ticho/dl/vir/rfc2397_decoded.gif Contains the exploit named W32/MS04-028@expl

Results of virus scanning:
Files: 2
MBRs: 0
Boot sectors: 0
Objects scanned: 2
Infected: 0
Suspicious: 1
Disinfected: 0
Deleted: 0
Renamed: 0
Time: 0:00
----------------------------------------------------------

Summary:
clamav-0.81 detects both
bitdefender-console-7.0.1 only detects .gif
f-prot-4.5.3 only detects .gif
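The scan results above show the gap the advisory describes: the scanners that only match the decoded .gif never see the image bytes when they sit inside an HTML file as an RFC 2397 data: URI. The usual defensive fix is a normalisation step in front of the scanner that finds every data: URI, decodes it (base64 or percent-encoded) and hands the raw bytes on, which is what ClamAV is doing here. The following is an added example of that step, not code from the thread or from any of the scanners discussed; the sample HTML is constructed and embeds a harmless 1x1 transparent GIF, not the attached test image. Function and constant names are the example's own.

```python
"""Decode RFC 2397 data: URIs embedded in HTML so the decoded bytes can be
passed to a file scanner instead of the HTML text that hides them.
Added example; the sample document below is constructed."""
import base64
import re
from urllib.parse import unquote_to_bytes

# RFC 2397 syntax: data:[<mediatype>][;param=value]*[;base64],<data>
# The payload stops at a quote, whitespace or '>' so it works on raw HTML
# attributes without a full HTML parser.
DATA_URI_RE = re.compile(
    r"data:(?P<mediatype>[^,;\"'\s>]*)"
    r"(?P<params>(?:;[^,;\"'\s>]*)*)"
    r",(?P<payload>[^\"'\s>]*)",
    re.IGNORECASE,
)

# Magic bytes for a few image types, compared against the declared media type
# so that a payload whose content does not match its label can be flagged.
MAGIC = {
    "image/gif": (b"GIF87a", b"GIF89a"),
    "image/png": (b"\x89PNG\r\n\x1a\n",),
    "image/jpeg": (b"\xff\xd8\xff",),
}


def decode_data_uri(match):
    """Return (mediatype, decoded bytes) for one DATA_URI_RE match."""
    mediatype = match.group("mediatype").lower() or "text/plain"  # RFC default
    params = [p.lower() for p in match.group("params").split(";") if p]
    payload = match.group("payload")
    if "base64" in params:
        # Undo percent-encoding an HTML author may have applied to the base64
        # text, restore missing padding, and ignore stray non-alphabet bytes.
        raw = unquote_to_bytes(payload)
        raw += b"=" * (-len(raw) % 4)
        data = base64.b64decode(raw, validate=False)
    else:
        data = unquote_to_bytes(payload)
    return mediatype, data


def extract_embedded_objects(html):
    """Find and decode every data: URI in the document.

    Each entry carries the declared media type, the decoded bytes, their size
    and magic_ok: True/False when MAGIC knows the type, None otherwise.
    The decoded bytes are what should be given to the scanner.
    """
    results = []
    for m in DATA_URI_RE.finditer(html):
        mediatype, data = decode_data_uri(m)
        expected = MAGIC.get(mediatype)
        magic_ok = None if expected is None else any(data.startswith(s) for s in expected)
        results.append({"mediatype": mediatype, "data": data,
                        "size": len(data), "magic_ok": magic_ok})
    return results


def mislabelled_objects(html):
    """Return the decoded objects whose bytes do not match their media type."""
    return [o for o in extract_embedded_objects(html) if o["magic_ok"] is False]


# Constructed sample: a genuine 1x1 transparent GIF, a percent-encoded text
# payload, and an 'image/gif' whose bytes are not a GIF at all.
SAMPLE_HTML = (
    "<html><body>\n"
    '<img src="data:image/gif;base64,'
    'R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7">\n'
    '<a href="data:text/plain,Hello%2C%20world">note</a>\n'
    '<img src="data:image/gif;base64,bm90IGEgZ2lm">\n'
    "</body></html>"
)

if __name__ == "__main__":
    for obj in extract_embedded_objects(SAMPLE_HTML):
        print(f"{obj['mediatype']:<12} {obj['size']:>4} bytes  magic_ok={obj['magic_ok']}")
    print("mislabelled:", len(mislabelled_objects(SAMPLE_HTML)))
```

In a mail or web gateway the decoded bytes from `extract_embedded_objects` would be written out (or piped) to the scanner as separate objects, so a signature written for the .gif also fires on the .html wrapper; the magic-byte mismatch is a cheap extra signal that something is being smuggled under an image label.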
I just got a response e-mail from Daniel Dumitrache, BitDefender Technical Support Engineer, stating that they're working to fix the problem. Frisk Software (f-prot) have also been notified.
Andrej, any news on this one?
Unfortunately, nothing new - there has been no new version of bitdefender, nor f-prot, and the current malware databases of neither of these two recognize the html-encoded exploit.
New f-prot release (4.5.4, about to be committed into portage) still doesn't catch the html-encoded malware. :(
Andrej: any update? In fact I was wondering if we should be considering antivirus failures to detect malware as security vulnerabilities. We don't consider signature updates as security fixes, so why should we consider engine fixes as security fixes? If an antivirus engine executes arbitrary code while parsing a file, yes, it's a vulnerability. But if it fails to detect a given threat it's just that it's not up to date... Input welcome!
I agree with Koon on this one. It's a software defect not a vulnerability per se -> Closing. Feel free to reopen if you disagree.
I fully agree with you, and am tired of waiting for upstream to do something about it. BitDefender people at least responded that they will see about it, but neither them nor Frisk Software seem to care about it. *shrugs*