Thursday, October 27, 2005

Multiple Vendor Anti-Virus Software Detection Evasion Vulnerability!

AUTHOR: Andrey Bayora ( For more details, screenshots and examples please read his article "The Magic of magic byte" at . In addition, you will find a sample"triple headed" program which has 3 different 'execution entry points',depending on the extension of the file (exe, html or eml) - just change the extension and the SAME file will be executed by (at least) THREE DIFFERENT programs! (thanks to contributing author Wayne Langlois from

DATE: October 25, 2005
VULNERABLE vendors and software (tested):1. ArcaVir 2005 (engine 2005-06-03,vir def 2005-06-27, scanner ver2005-03-06, package ver 2005-06-21)2. AVG 7 (updates 24 June, ver.7.0.323, virus base 267.8.0/27)3. eTrust CA (ver, engine 11.9.1, vir sig. 9229)4. Dr.Web (v.4.32b, update 27.06.2005)5. F-Prot (ver. 3.16c, update 6/24/2005)6. Ikarus (latest demo version for DOS)7. Kaspersky (update 24 June, ver. 5.0.372)8. McAfee Internet Security Suite 7.1.5 (updates 25 June, ver 9.1.08,engine 4.4.00, dat 4.0.4519 6/22/2005)9. McAfee Corporate (updates 25 June, ver. 8.0.0 patch 10, vir def 4521,engine 4400)10. Norman ( ver 5.81, engine 5.83.02, update 2005/06/23)11. TrendMicro PC-Cillin 2005 (ver 12.0.1244, engine 7.510.1002, pattern2.701.00)12. TrendMicro OfficeScan (ver7.0, engine 7.510.1002, vir pattern 2.701.006/23/2005)13. Panda Titanium 2005 (updates 24 June, ver 4.02.01)14. UNA - Ukrainian National Antivirus (ver. kernel v.265)15. Sophos 3.91 (engine 2.28.4, virData 3.91)
IMPORTANT NOTE:Similar vulnerability may exist in many other antivirus\anti-spyware desktop and gateway products. In addition, various "file filter" solutions may be affected as well.

DESCRIPTION:The problem exists in the scanning engine - in the routine that determines the file type. If some file types (file types tested are .BAT, .HTML and.EML) changed to have the MAGIC BYTE of the EXE files (MZ) at the beginning, then many antivirus programs will be unable to detect the malicious file. It will break the normal flow of the antivirus scanning and many existent and future viruses will be undetected. NOTE: In his test, he used the EXE headers (MZ), but it is possible to use other headers (magic byte) that will lead to the same effect. ANALYSIS:Some file types like .bat, .html and .eml can be properly executed even if they have some "unrelated" beginning. For example, in the case of .BAT files - it is possible to prepend some "junk" data at the beginning of thefile without altering correct execution of the batch file. In his tests, he used the calc.exe headers (first 120 bytes - middle of the dosstub section)to change 5 different files of existing viruses. In addition, the simplest test of this vulnerability is to prepend only the magic byte (MZ) to the existing malicious file and check if this file is detected by the antivirus program.

I really hope that most AV vendors will react ASAP to this because this vulnerability could be used by virus writers...

Wednesday, October 26, 2005

Skype vulnerabilities

Two new vulnerabilities in the free IP telephone software Skype has been found...
CVE entries: CVE-2005-3265
Secunia advisory:
Please upgrade to the new version ASAP, they have been rated highly critical by Secunia, and high by Skype.
Download here:
You see, if you got a popular product it will be always targeted. Let's see what comes next... a virus using these exploits...

Monday, October 24, 2005

Not MS05-047 .. Just MS05-039: IRC.Mocbot

After further analysis, this threat does not exploit MS05-047, but rather MS05-039. Initial analysis suggested the MS05-047 was being exploited due to similarities between those exploits (including overlapping code between publicly available source code), field infection reports where administrators incorrectly stated that machines were patched from MS05-039, and similarities between an earlier MS05-039 exploiting bot, where the only significant change was the exploit code being used.

Microsoft's new Anti-Virus product ridiculous?

NO NO, that's not what I've said. They are very late to come inside this market. I only have my doubts about the new MS anti-virus product. And that's what I've told exactly to a local newspaper over here called 'De Morgen'. Microsoft got another anti-virus product several years ago without real success. This time I think it will be different. With the acquisition of several anti-virus companies and their search for anti-virus people and the continuing help from the anti-virus vendors to the MS Virus Initiative project it seems that Microsoft could have a good anti-virus product. Has Microsoft enough power to convince companies and home users to only buy their product is another question which will remain open for the next years. I thought we got already a complete anti-malware market... Maybe Microsoft could thank the anti-virus industry...if they will have a succesful product.

Sunday, October 23, 2005

MS05-047 first malware found: IRC.Mocbot

And now we have IRC.Mocbot ....
This botnet client has been spread using the MS05-047 vulnerability. This is the first case of using this vulnerability in malware I've seen. Symptom of an infection is the existance of a file called wudpcom.exe in the SYSTEM directory. The botnet client tries to connect to two IRC servers in Russia, but the servers seem to be down (or overloaded). Info on this PnP vulnerability (not to be confused with the MS05-039 vulnerability used by Zotob) is available from the Microsoft web site. Patch against this vulnerability was published in the last monthly update set from Microsoft. The vulnerability can be exploited via 139/TCP and 445/TCP.

Saturday, October 22, 2005

Data News and De Morgen again ..

Two new interviews of me just appeared. You find one in the Accountancy Special of Data News and you find one in the Newspaper De Morgen. Within Data News I looked into the security of Asp applications. The interview in De Morgen seems to be very controversial. I gave some comments about the new upcoming anti-virus product of Microsoft and the journalist used my most heavy statement out of an interview of 30 minutes ... I will put them up next week on my known press page which you can find at .

Sunday, October 16, 2005

Doombot, a mix of of other bots and Mydoom

I received some reports of a few new massmailers spreading. This is detected either as a Mytob variant or as "Doombot". It mixes the code of Mydoom, Mytob and some IRCBots. Hopefully we will not see too much of these troublemakers ... I'm ready to go to Luxembourg for some interesting consultancy work. Even large corporates seems not always to apply their securiy policy quite well. So let's change this over there and help this company, like I always do.

Wednesday, October 12, 2005

Eddy 'Teaching your Children well'.

I just updated my press site with my joint Research paper (with David Harley) Teach you Children well. I've presented this during the recent Virus Bulletin Conference 2005 in Dublin, Ireland. You can read it at my press page which you can find at

Eddy in Newspaper De Tijd

Yesterday 11 October Newspaper De Tijd pubished a large interview with me concerning the problems related with on-line banking. You can find more of this shortly at our press page. I also published a book review for Virus Bulletin in the October 2005 version. You can find this also at the same page.

Trojans for gaming platforms.

Trojans for gaming platforms are taking off - Sony PlayStation Portables last week, Nintendo DS - today. That takes care of two major handheld entertainment systems. MS Xbox next week?
So far the only result is broken consoles. And only for people who chose to download suspicious files or pirated games. However, any time virus writers break open a new platform, the community should take notice...
Anyway, now that our computer games have been violated, what will be next?

Sunday, October 09, 2005

After the conference 2

After the conference 2Picture of the Round Tower of Glendalough ... Time for a break

View the file information

Moblog from my mobile phone

After the conference

After the conferencePicture of the Upper Lake (Glendalough)

View the file information

Moblog from my mobile phone

Saturday, October 08, 2005

Virus bulletin conference 2005

Virus bulletin conference 2005The ending picture...

View the file information

Moblog from my mobile phone

Friday, October 07, 2005

Virus Bulletin continued

Virus Bulletin continuedThe gala dinner last night...

View the file information

Moblog from my mobile phone

Thursday, October 06, 2005

Vb 2005 conference news and new approaches.

Vb 2005 conference news and new approaches.I just gave my presentation about 'Children and security education'. During the conference we got a small outbreak of a new Sober variant. We even have a new CME number for it. I'll have a closer look at this new approach later in this Blog.

View the file information

Moblog from my mobile phone

Monday, October 03, 2005

Teach Your Children Well.

I'm nearly ready to go to the Virus Bulletin conference where I will do a duo presentation concerning our new research paper : 'Teach your children well'. The research has been done by David and Judith Harley and myself. It's all about ICT security and the younger generation.
I'll try to keep you updated with some nice live pictures. You will find more about the paper after the conference at my website. You can find more about the conference at the website (Virus Bulletin).
Dublin, here we come!

Sunday, October 02, 2005

Unit 4 Agresso 25 years old!

Unit 4 Agresso 25 years old!Noxs is part of the holding with over 1500 people... Up for the next 25 years! The picture was taken last night during a very big party...

View the file information

Moblog from my mobile phone