[Full-Disclosure] Re: Bypass of 22 Antivirus software with GDI+ bug exploit Mutations - part 2

From: QVincent_DUVERNET_=28Nolm=EB_Informatique=29?= Q?= (vincent.duvernet_at_nolme.com)
Date: 03/05/05

  • Next message: class 101: "[Full-Disclosure] [HAT-SQUAD] new exploit code"
    Date: Sat, 05 Mar 2005 13:05:55 +0100
    To: Andrey Bayora <andrey@hiddenbit.org>
    
    

    Symantec found something that other editor didn't ? Whoaw, impressive
    for a software which let go throw 700 malwares on PC ;p

    About Panda Software version, you've used on old version of Internet
    Security 2004 which is actually : 8.05.02 (don't found anything too)
    Internet security 2005 is : 9.01.02

    Andrey Bayora wrote:

    >The first part is here:
    >http://archives.neohapsis.com/archives/fulldisclosure/2004-10/0475.html
    >
    >First, this post isn’t about “how dangerous GDI+ bug or malicious JPEG
    >image”, but “how good” is your antivirus software.
    >
    >The issue is: only 1 out of 23 tested antivirus software can detect
    >malicious JPEG image (after 6 month from the public disclosure date).
    >
    >Here is the link to results, JPEG file and my paper (GCIH practical)
    >that describes how to create this one:
    >http://www.hiddenbit.org/jpeg.htm
    >
    >This one vendor (Symantec) that can detect it, obviously do it with the
    >“heuristic” detection (I don’t work for them and didn’t send them any
    >file, moreover I know cases when Symantec didn’t detect a virus that
    >“other” vendors do).
    >ClamAV antivirus detected this JPEG file 4 month ago, but strangely
    >can’t detect it now.
    >What happened?
    >What about 22 antivirus software vendors that miss this malicious JPEG?
    >The pattern or problem in these JPEG files is known and still many
    >antivirus software vendors miss it, did it can represent the quality of
    >heuristic engines?
    >
    >OK, we know that any antivirus software can provide 100% protection…
    >
    >P.S. After my first post (October 14,2004) about this problem – all
    >antivirus software vendors added detection to the demo file provided by
    >me in couple of hours. Sadly for me, but it seems that they prefer
    >“playing cat and mouse” and not improve heuristic engines…
    >
    >Regards,
    >Andrey Bayora.
    >CISSP, GCIH
    >
    >
    >

    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html


  • Next message: class 101: "[Full-Disclosure] [HAT-SQUAD] new exploit code"