Wednesday, November 02, 2005

Magic Byte Analysis .. Is it really a vulnerability?

Recently everybody has been paying some attention to the 'magic byte' vulnerability disclosed by Andrey Bayora. See also my previous blog post for more information about this. The advisory basically states that the majority of virus scanners are unable to detect some malware if a fake file header is prepended to the malicious file. It concerns script-like malware that goes undetected when, for instance, an MZ header is prepended to the file. Most virus scanners seem to assume that such a file is an executable, and will therefore no longer detect the malware. To counter this, a scanner needs to scan the entire file for file headers and malicious code, not only the first bytes.
The whole issue gives rise to an interesting discussion: is this actually a vulnerability?
As the hash of the (complete) file has changed, it is no longer exactly the same file. This means that the malicious file is technically a new variant or even a new piece of malware (virus), not the same old malware. So in my opinion this is not a real vulnerability. The question is, does the so-called 'vulnerability' pose a real threat?
I don't think so. Of course, it remains to be seen exactly how this 'vulnerability' will be exploited. Anyway, most AV vendors are adding a new feature... It's a little bit like detecting a new virus. It's not a vulnerability.
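The two points above (a scanner that trusts only the first bytes misses a script hidden behind a prepended MZ header, and the prepended header changes the file's hash) can be shown in a few lines. The following is an added example written for this post, not code from the advisory or from any AV product; the header table, the signature strings and the sample "script" are all constructed for the demonstration.

```python
"""Header-only classification versus whole-file scanning.

Example code for this post (not from the advisory or any AV engine). The
header table, signature markers and sample script are constructed.
"""
import hashlib
from typing import Dict, List, Optional, Tuple

# Constructed magic-byte table: (format label, header bytes). Real scanners
# carry far larger tables; these entries suffice for the demonstration.
HEADERS: List[Tuple[str, bytes]] = [
    ("executable", b"MZ"),
    ("zip", b"PK\x03\x04"),
    ("html", b"<html"),
]

# Constructed signature sets per file class. The markers are demo strings,
# not real malware signatures.
SIGNATURES: Dict[str, List[bytes]] = {
    "executable": [b"DEMO-PE-SIGNATURE"],
    "script": [b"DEMO-SCRIPT-SIGNATURE"],
}


def classify_by_header(data: bytes) -> str:
    """The shortcut the advisory describes: decide the type from offset 0 only."""
    for label, magic in HEADERS:
        if data.startswith(magic):
            return label
    # Anything without a known binary header is treated as text/script.
    return "script"


def find_all_headers(data: bytes) -> List[Tuple[int, str]]:
    """Report every known header at every offset, not just at offset 0."""
    hits: List[Tuple[int, str]] = []
    for label, magic in HEADERS:
        start = 0
        while (pos := data.find(magic, start)) != -1:
            hits.append((pos, label))
            start = pos + 1
    return sorted(hits)


def naive_scan(data: bytes) -> Optional[str]:
    """Pick the signature set from the header alone. A script behind an MZ
    stub is only compared against executable signatures and is missed."""
    kind = classify_by_header(data)
    for sig in SIGNATURES.get(kind, []):
        if sig in data:
            return f"{kind}:{sig.decode()}"
    return None


def thorough_scan(data: bytes) -> List[str]:
    """Apply every signature set to the whole buffer, whatever the header says."""
    found: List[str] = []
    for kind, sigs in SIGNATURES.items():
        for sig in sigs:
            if sig in data:
                found.append(f"{kind}:{sig.decode()}")
    return found


def fingerprint(data: bytes) -> str:
    """SHA-256 of the complete file, the value that changes when bytes are prepended."""
    return hashlib.sha256(data).hexdigest()


# Constructed sample: a harmless 'script' carrying the demo marker.
SCRIPT = b'\' demo script\r\nMsgBox "DEMO-SCRIPT-SIGNATURE"\r\n'
# The same bytes with a fake MZ header prepended, as the advisory describes.
DISGUISED = b"MZ" + SCRIPT

if __name__ == "__main__":
    print("plain script, naive   :", naive_scan(SCRIPT))
    print("MZ + script, naive    :", naive_scan(DISGUISED))
    print("MZ + script, thorough :", thorough_scan(DISGUISED))
    print("headers found         :", find_all_headers(DISGUISED))
    print("same hash?            :", fingerprint(SCRIPT) == fingerprint(DISGUISED))
```

The naive scan reports the plain script but returns nothing for the disguised copy, while the thorough scan finds the same marker in both; `find_all_headers` is the "scan the entire file for file headers" approach, and `fingerprint` shows that the two files do indeed have different hashes, which is the basis of the "new variant" argument above.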