SANS ISC: InfoSec Handlers Diary Blog - Internet Storm Center Diary 2004-10-19



Multiple anti-virus software evasion

Published: 2004-10-19
Last Updated: 2004-10-20 01:05:23 UTC
by Jason Lam (Version: 1)

Anti-virus software from McAfee, Computer Associates, Kaspersky, Sophos, Eset and RAV is known to be vulnerable to an evasion attack: an attacker can craft a compressed (zip) file containing malicious code so that the anti-virus software does not scan it.

The problem is caused by incorrect handling of header information within the zip file. Some anti-virus software skips the scan for entries whose header declares a size of zero. That declared size, however, plays no part in decompression, so the archive still extracts normally and the unscanned payload reaches the user.
Reference: http://www.idefense.com/application/poi/display?id=153&type=vulnerabilities&flashstatus=true
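The defensive lesson of the advisory is that a scanner must not let a header field decide whether an entry gets inspected. The following Python script is an added example (not code from the ISC diary or from any of the vendors named) of a header-independent check: it walks the central directory, inflates every entry regardless of the declared sizes, and flags any entry whose real uncompressed length or CRC disagrees with what the headers claim. The sample archive, and the copy of it with the size fields zeroed to reproduce the inconsistency the diary describes, are constructed inline so the script runs offline; it assumes entries use the "stored" or "deflate" methods, which is all the constructed fixture contains.

```python
"""Header-independent size check for zip entries (example code, not from ISC
or any anti-virus vendor).  Every entry is inflated and the result compared
with the sizes and CRCs the headers claim, so an entry declared as zero bytes
is inspected instead of skipped."""
import io
import struct
import zipfile
import zlib

LOCAL_SIG = b"PK\x03\x04"
CENTRAL_SIG = b"PK\x01\x02"
EOCD_SIG = b"PK\x05\x06"
FLAG_DATA_DESCRIPTOR = 0x0008  # sizes/CRC follow the data; local header fields are legitimately zero


def _parse_central_directory(data):
    """Locate the central directory via the end-of-central-directory record and
    return (entries sorted by local-header offset, cd_offset)."""
    eocd = data.rfind(EOCD_SIG)
    if eocd < 0:
        raise ValueError("no end-of-central-directory record")
    total, _cd_size, cd_offset = struct.unpack_from("<HII", data, eocd + 10)
    entries, pos = [], cd_offset
    for _ in range(total):
        f = struct.unpack_from("<4sHHHHHHIIIHHHHHII", data, pos)
        if f[0] != CENTRAL_SIG:
            raise ValueError("corrupt central directory at offset %d" % pos)
        nlen, xlen, clen = f[10], f[11], f[12]
        entries.append({"name": data[pos + 46:pos + 46 + nlen].decode("utf-8", "replace"),
                        "method": f[4], "crc": f[7], "csize": f[8], "usize": f[9],
                        "offset": f[16], "cd_pos": pos})
        pos += 46 + nlen + xlen + clen
    return sorted(entries, key=lambda e: e["offset"]), cd_offset


def _inflate_bounded(data, start, end):
    """Raw-inflate from `start` without consulting any declared size: the
    deflate stream itself marks where it ends."""
    d = zlib.decompressobj(-15)
    out = d.decompress(data[start:end]) + d.flush()
    if not d.eof:
        raise ValueError("truncated deflate stream")
    return out


def audit_zip(data):
    """One finding per entry: declared vs. actual size and why it is suspicious."""
    entries, cd_offset = _parse_central_directory(data)
    findings = []
    for i, e in enumerate(entries):
        finding = {"name": e["name"], "declared_size": e["usize"], "actual_size": None,
                   "suspicious": True, "reasons": []}
        findings.append(finding)
        # The next local header (or the central directory) bounds this entry's data.
        bound = entries[i + 1]["offset"] if i + 1 < len(entries) else cd_offset
        lh = struct.unpack_from("<4sHHHHHIIIHH", data, e["offset"])
        if lh[0] != LOCAL_SIG:
            finding["reasons"].append("local header signature missing")
            continue
        flags, lh_crc, lh_usize = lh[2], lh[6], lh[8]
        start = e["offset"] + 30 + lh[9] + lh[10]  # skip name and extra field
        try:
            if e["method"] == 8:
                plain = _inflate_bounded(data, start, bound)
            elif e["method"] == 0:
                plain = data[start:start + e["csize"]]
            else:
                raise ValueError("unsupported compression method %d" % e["method"])
        except (ValueError, zlib.error) as exc:
            finding["reasons"].append(str(exc))
            continue
        actual, crc = len(plain), zlib.crc32(plain)
        finding["actual_size"] = actual
        reasons = finding["reasons"]
        if actual != e["usize"]:
            reasons.append("central directory declares %d bytes, entry inflates to %d" % (e["usize"], actual))
        if crc != e["crc"]:
            reasons.append("central directory CRC does not match inflated data")
        if not flags & FLAG_DATA_DESCRIPTOR:
            if actual != lh_usize:
                reasons.append("local header declares %d bytes, entry inflates to %d" % (lh_usize, actual))
            if crc != lh_crc:
                reasons.append("local header CRC does not match inflated data")
        finding["suspicious"] = bool(reasons)
    return findings


def _make_zip():
    """Constructed sample archive: one deflated and one stored member."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("readme.txt", b"hello world" * 20, compress_type=zipfile.ZIP_DEFLATED)
        zf.writestr("raw.bin", bytes(range(64)), compress_type=zipfile.ZIP_STORED)
    return buf.getvalue()


def _zero_declared_sizes(data):
    """Constructed fixture: the same archive with every uncompressed-size field
    (local header offset 22, central directory offset 24) set to zero, the
    header inconsistency the diary describes.  The payloads are untouched."""
    buf = bytearray(data)
    for e in _parse_central_directory(bytes(buf))[0]:
        struct.pack_into("<I", buf, e["offset"] + 22, 0)
        struct.pack_into("<I", buf, e["cd_pos"] + 24, 0)
    return bytes(buf)


def demo():
    """Audit the clean archive and the zero-size copy; returns both finding lists."""
    clean = _make_zip()
    return audit_zip(clean), audit_zip(_zero_declared_sizes(clean))


if __name__ == "__main__":
    for label, findings in zip(("clean", "zeroed sizes"), demo()):
        for f in findings:
            print(label, f["name"], "declared", f["declared_size"], "actual", f["actual_size"],
                  "SUSPICIOUS" if f["suspicious"] else "ok", "; ".join(f["reasons"]))
```

The deflate path deliberately ignores both size fields and lets the stream terminate itself, so an entry with the compressed size zeroed as well is still inflated and measured. Entries written in streaming mode (data-descriptor flag set) legitimately carry zeros in the local header, so those fields are only compared when the flag is clear; otherwise a scanner would raise false positives on ordinary streamed archives.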
Keep chasing Botnets

We have received numerous submissions of Botnets and we are working with authorities to shut them down. Thanks to all who have submitted info to us. If you have any info on Botnets, feel free to send it in.


------------------

Jason Lam, jason /AT/ networksec.org