Title: GDI+ JPEG Exploit Mutations Can Bypass Antivirus Tests
Posted: 2004-10-20  Source: unknown
Original advisory: 18/10/2004 GDI+ JPEG Exploit Mutations Can Bypass Antivirus Tests

Summary
It seems that most Antivirus software is unable to detect variants of the JPEG exploit. An analysis of how this is accomplished is given below, outlining the general guidelines needed in order to create a variant that can slip by the Antivirus software.

Details

Changing some bytes in the known exploit
Most Antivirus vendors issue virus definitions for the publicly and well known JPEG exploit code, which uses the string \xFF\xFE\x00\x01 for the buffer overflow. When inspecting the relevant SNORT rule that detects the exploit, one can learn that there are in fact up to 7 mutations of the well known JPEG exploit. The SNORT rule can be found at http://www.snort.org/snort-db/sid.html?sid=2705.

Simply changing the \xFE byte to one of \xE1, \xE2 or \xED makes it possible to evade many Antivirus products. In addition, variants exist with \x00 instead of \x01 in the known pattern, so it is reasonable to assume that this modification also helps evade detection by an Antivirus.

Changing the location of the buffer overflow string
The original public exploit code places the buffer overflow string near the beginning of the image file (after the \xFF\xE0, \xFF\xEC and \xFF\xEE markers). Apparently it is quite possible to create a malicious JPEG with the buffer overflow string located in a different part of the file, namely in the middle.

By combining the two techniques above to varying degrees and on different parts of the data, many Antivirus scanners fail to detect the modified JPEG exploit code, even though it is essentially the same. Andrey has provided two demonstration JPEG image files which are variants of the original and are based on combinations of modifications to the original file. The scan results for those files are shown below.

For 1.jpg:
This is the report of the scan that VirusTotal performed on the "1.jpg" file (see Demo section) on 10/13/2004 at 18:54:56.

Antivirus    Version          Update      Result
BitDefender  7.0              10.12.2004  -
ClamWin      devel-20040922   10.12.2004  -
eTrust-Iris  7.1.194.0        10.13.2004  -
F-Prot       3.15b            10.13.2004  -
Kaspersky    4.0.2.24         10.13.2004  -
McAfee       4398             10.13.2004  Exploit-MS04-028
NOD32v2      1.893            10.13.2004  -
Norman       5.70.10          10.12.2004  -
Panda        7.02.00          10.13.2004  -
Sybari       7.5.1314         10.13.2004  -
Symantec     8.0              10.12.2004  Backdoor.Roxe
TrendMicro   7.000            10.12.2004  Exploit-MS04-028

For 2.jpg:
Results of a file scan
This is the report of the scan that VirusTotal performed on the "2.jpg" file on 10/13/2004 at 18:56:32.

Antivirus    Version          Update      Result
BitDefender  7.0              10.12.2004  -
ClamWin      devel-20040922   10.12.2004  -
eTrust-Iris  7.1.194.0        10.13.2004  -
F-Prot       3.15b            10.13.2004  -
Kaspersky    4.0.2.24         10.13.2004  -
McAfee       4398             10.13.2004  Exploit-MS04-028
NOD32v2      1.893            10.13.2004  -
Norman       5.70.10          10.12.2004  -
Panda        7.02.00          10.13.2004  -
Sybari       7.5.1314         10.13.2004  -
Symantec     8.0              10.12.2004  Bloodhound.Exploit.13
TrendMicro   7.000            10.12.2004  Exploit-MS04-028


A SANS GCIH paper will be published soon by Andrey with a full analysis of the evasion techniques on this matter.


(Editor in charge: 笑虎)