Virus Scanners Made Moot by New Exploit

By Larry Loeb  |  Posted 2005-11-03 Print this article Print

Opinion: A workaround discovered by a virus researcher allows malware to fly under the radar of most popular virus scanning software.

Anti-virus software has always lived with the tradeoff of performance versus thoroughness. Its led to some software design decisions on the methods of how files are actually scanned that are now coming home to roost. Recently, researcher Andrey Bayora revealed that it is possible to fool the scanners into thinking that a file under scan is one kind, when it is in actuality something entirely different. Bayora (of, a Russian-born Israeli, has issued an advisory that details how to bypass many popular Windows AV programs.
For advice on how to secure your network and applications, as well as the latest security news, visit Ziff Davis Internets Security IT Hub. Bayora says that he told vendors in July about what he found. He also says that none of them ever got back to him. The exploit is fully discussed in the white paper he wrote that is available at Basically, the exploit prepends a header byte (he used "MZ"—the first bytes of an EXE file) that convinces the scanner that the file is not the type of file that the suffix averred that it was. The file types of BAT, EXE and EML were postpended, and in his test suite could be executed as any of the file types. So, what this points out is that unrelated data can be prepended without preventing or adversely affecting the execution/rendering of a file.

But there is another, more insidious problem that this technique highlights. Read the full story on Security IT Hub: Virus Scanners Made Moot by New Exploit

Submit a Comment

Loading Comments...
Manage your Newsletters: Login   Register My Newsletters

Rocket Fuel