Anti-virus software has always lived with the tradeoff of performance versus thoroughness. Its led to some software design decisions on the methods of how files are actually scanned that are now coming home to roost.
Recently, researcher Andrey Bayora revealed that it is possible to fool the scanners into thinking that a file under scan is one kind, when it is in actuality something entirely different. Bayora (of www.securityelf.org), a Russian-born Israeli, has issued an advisory that details how to bypass many popular Windows AV programs.
/zimages/6/28571.gifFor advice on how to secure your network and applications, as well as the latest security news, visit Ziff Davis InternetsSecurity IT Hub.
Bayora says that he told vendors in July about what he found. He also says that none of them ever got back to him. The exploit is fully discussed in the white paper he wrote that is available at www.securityelf.org/magicbyte.html.
Basically, the exploit prepends a header byte (he used “MZ”—the first bytes of an EXE file) that convinces the scanner that the file is not the type of file that the suffix averred that it was. The file types of BAT, EXE and EML were postpended, and in his test suite could be executed as any of the file types. So, what this points out is that unrelated data can be prepended without preventing or adversely affecting the execution/rendering of a file.
But there is another, more insidious problem that this technique highlights.
/zimages/6/28571.gifRead the full story on Security IT Hub:Virus Scanners Made Moot by New Exploit