Thursday, October 8, 2009

Do you trust your AntiVirus?

I know the topic of "how crappy signature based AVs are" is already beaten, and there are thousands of other posts about it, but I had to give it my own perspective.

But first, I guess you are running an OS which leaves you no choice but having an AV running. Otherwise, you're probably reading this for fun and knowledge, which is even better.

The vulnerability I'll be discussing about is quite old now (8 months), and is about the way Adobe Acrobat Reader parses PDF files with JBIG streams within. You can read an analysis of the vulnerability in other places. Since this isn't a new vulnerability, you'd guess that by now AV products would be able to block it well. You guess wrong.

I've taken a sample which is generally blocked by most AV products, and did a little modification to the 5th byte in the stream. The modification left the 6th bit on, so the file is still malicious. Now have a look at the first picture below - only 1 AV caught it as malicious.
Let's make another modification and change some few more bits, still leaving the 6th bit on... drum roll... not even a single AV did the job (second picture below). The file has passed and could potentially exploit the unsuspecting user who believes that having a decent AV would keep him safe.


  1. Personally I feel it is on the border of felony. I mean people pay good money for these products.
    If only they knew what they are getting...

  2. Well, no one reads the fine print, but I guess there's a line that says you don't get 100% protection, and not even near that number.

    Anyway, now that my samples are at VirusTotal, the AV vendors would get them, and block them as well. Not that I couldn't engineer some more samples... :)

    The more reasonable solution would be to actually parse the file and look for the exploit (instead of singing samples which are in the wild), but that has a great cost on the amount of work and performance. Besides, the end user don't know that, and doesn't care about it.

  3. I wonder if you used my particular antivirus of choice...I would have liked to see how they fared in this test..

  4. Mike, as you can see in the screenshots, i used VirusTotal, which always uses the latest version of Sophos, along the other AVs. Just like the others - it failed.