Antivirus Software Bypass

[Nytro]

Antivirus Software Bypass

Authored by reset557

Various antivirus software on Windows fails to detect, block and/or move malware if the executable file has only execution permission and no read, write, or other bits set.

Abstract:

Some Windows antivirus software fails to detect, block and/or

disinfect/move/delete malware if the malware EXE file has only

execution permission and no read, write or other permissions.

The worst cases are NOD32 and Avast antivirus, which allow the

malware to run unimpeded. Avast has fixed the flaw while NOD32

is still vulnerable as of this writing.

Vulnerable applications:

(OS is Windows XP Professional SP3 with all current updates, unless

otherwise noted)

ESET NOD32 Antivirus 5.0.93.0, 5.0.94.0 and earlier

4.2.71.2 and earlier

4.0.x

AVAST 6.0.1289 Internet Security , engine 111011-2 and earlier

F-Prot Antivirus 6.0.9.5 , Scanning Engine 4.6.2

G-Data AntiVirus 2012 22.0.2.38, 22.0.9.1

Norman Security Suite, Antivirus version 8.00, Norman Scanner Engine

version 6.07.11 and earlier

Non-vulnerable applications:

AVAST 6.0.1289 Internet Security , engine 111022-1 and later

Sophos Endpoint Security and Control, version 9.5

Sophos Anti-Virus 9.5.5, Detection engine 3.23.2

MSE 2.1.1116.0

AVG Anti-Virus 2012.0.1831

Avira Antivirus Premium 2012 (12.0.0.867)

BitDefender Antivirus Plus 2012 Build 15.0.31.1282

F-Secure Anti-Virus 2011 10.51 build 106

Kaspersky Anti-Virus 2012 12.0.0.374

McAfee AbtiVirus Plus 11.0 build 11.0.623

Panda Antivirus Pro 2012

Trend Micro Titanium 2012 5.0.1280

Vulnerability details:

The Windows operating system supports a range of file permissions

for files stored on volumes formatted in the NTFS file system format.

For executing EXE files, the acting user account only needs the

"Execute File" permission, while all others might be missing or denied,

allthough there are cases when this is not true. The exact rule is unknown

to the author. In the system used to test and verify the vulnerability

the Execute File was enough to run programs. On another system running

Windows 7 that was not true. Start of EXE files succeeded only if other

permissions were enabled, including the Read Data permission. On another

older system (XP or Windows 2003) the "Read Attributes" permission was

required for program execution.

The vulnerability discussed here is that some antivirus software fail

to perform their functions if the malware file is missing read, write or

delete permissions. They might not scan the file contents due to missing

read permission, not delete it due to missing Delete permission or not

desinfect it due to missing Write Data permission or not move to quarantine.

For test Windows XP Professional SP3 (running in a virtual machine

provided by Virtualbox v4.1.4) and the Back Orifice 2000 server file

(bo2k.exe) ( BO2K - OpenSource Remote Administration Tool ) as a test file were used (with file

permissions set to only allow execution).

ESET NOD32

Eset NOD32 does nothing when a sample of the Back Orifice 2000 server EXE

file with only the Execute File permission is executed. The bo2k.exe file

is executed, the process works unrestrained and there is no action from

by NOD32. If the same file with full permissions is started, NOD32 report

it as malware, blocks the execution and deletes the file.

AVAST

AVAST 6.0.1289 Internet Security Trial version, engine 111011-2

On start of the test file it claims the file was blocked and moved to

chest (quarantine), but actually it is executed and works (and not moved).

A malware file with full permissions is prevented execution and is

moved to chest.

The problem is resolved in the AVAST engine version 111022-1 and later.

F-Prot

F-Prot Antivirus 6.0.9.5 , Scanning Engine 4.6.2

Prevents execution of the test file, but can not delete it.

(tries, but fails - regular malware file is deleted)

On demand scan completelly ignores test files (does not report them as malware).

G-Data

G-Data AntiVirus 2012 22.0.9.1

Prevents execution of the test file, tries to move it to quarantine, but fails

with no error message.

If the user selects the non-default option to delete the file, that works.

Norman

Norman Security Suite, Antivirus version 8.00, Norman Scanner Engine

version 6.07.11

Does not seem to recognize BO2k server as a threat.

Tested with the bo2k GUI executable: Prevents execution, claims to

move to quarantine,

but file stays where it was.

The Engine version 6.07.13 does not recognize neither the BO2K GUI or

server as malware,

so it was not tested.

Attack scenarios

Possible attack scenarios are (for NOD32 and unfixed AVAST):

- malware infects the system before antivirus software is installed

After the infection the malware removes all permissions except "Execute File"

from its EXE file, making itself undetectable by vulnerable antivirus software

that is installed later.

- malware spreads on NTFS formatted USB flash drives

Malware infects or creates EXE files on USB flash drives and sets the

permissions

to execute-only. Plugging such a USB flash drive into other computers,

the EXE files

can be executed by the user or possibly automatically (Windows

AutoPlay functionality)

undetected by vulnerable antivirus software installed on the target

system. It is

also possible to infect further USB flash drives and other media in the presence

of vulnerable antivirus software (see next item).

- download of malware

Even in presence of vulnerable antivirus software, it is possible to download

and save an EXE file to the system that would otherwise be detected as malware

and blocked. A successfully tested scenario (with NOD32) is:

- create an empty target file

- remove all permission from it, except to write/append data

- download a ZIP file containg an EXE file that is detected as

malware (the bo2k.exe

from the download package on the BO2K home page); the ZIP file triggers no

warnings from NOD32

- using standard command line tools, like unzip, split and cat,

extract the bo2k.exe

file from the ZIP archive in small parts (like 100 bytes), then append

the parts in

correct order to the target file in separate write operations

Not using an .EXE ending in the created file names might heighten the

probability of success.

The result is a fully functioning copy of the bo2k.exe file. In the

above scenario

NOD32 complained about detected malware, but the file was not

(re)moved and could

be executed without any interference from NOD32.

Solution/workaround

Use software listed as not vulnerable above.

Vendor communication

ESET

2011 Aug 7 - ESET is informed about the issue

2011 Aug 8 - ESET replies the information was passed on

2011 Oct 18 - ESET confirms the issue is under investigation (forum post, see

Serious bug reporting - Wilders Security Forums )

2011 Nov 5 - Issue published on Bugtraq

AVAST

2011 Oct 11-17 - vendor was informed

2011 Oct 23 - fixed version of software is released

F-Prot, G-Data, Norman

They were informed about the issues in October 11th or 12th.

As the issue with their products is minor, I did not wait for

a solution from their side.

Regards,

reset557

Txt:

http://dl.packetstormsecurity.net/1111-advisories/malware-bypass.txt

Sursa: Antivirus Software Bypass ? Packet Storm

Edited November 7, 2011 by Nytro