[Full-Disclosure] Re: Bypass of 22 Antivirus software with GDI+ bug exploit Mutations - part 2
From: QVincent_DUVERNET_=28Nolm=EB_Informatique=29?= Q?= (vincent.duvernet_at_nolme.com)
Date: Sat, 05 Mar 2005 13:05:55 +0100 To: Andrey Bayora <email@example.com>
Symantec found something that other editor didn't ? Whoaw, impressive
for a software which let go throw 700 malwares on PC ;p
About Panda Software version, you've used on old version of Internet
Security 2004 which is actually : 8.05.02 (don't found anything too)
Internet security 2005 is : 9.01.02
Andrey Bayora wrote:
>The first part is here:
>First, this post isn’t about “how dangerous GDI+ bug or malicious JPEG
>image”, but “how good” is your antivirus software.
>The issue is: only 1 out of 23 tested antivirus software can detect
>malicious JPEG image (after 6 month from the public disclosure date).
>Here is the link to results, JPEG file and my paper (GCIH practical)
>that describes how to create this one:
>This one vendor (Symantec) that can detect it, obviously do it with the
>“heuristic” detection (I don’t work for them and didn’t send them any
>file, moreover I know cases when Symantec didn’t detect a virus that
>“other” vendors do).
>ClamAV antivirus detected this JPEG file 4 month ago, but strangely
>can’t detect it now.
>What about 22 antivirus software vendors that miss this malicious JPEG?
>The pattern or problem in these JPEG files is known and still many
>antivirus software vendors miss it, did it can represent the quality of
>OK, we know that any antivirus software can provide 100% protection…
>P.S. After my first post (October 14,2004) about this problem – all
>antivirus software vendors added detection to the demo file provided by
>me in couple of hours. Sadly for me, but it seems that they prefer
>“playing cat and mouse” and not improve heuristic engines…
Full-Disclosure - We believe in it.