Thursday, October 8, 2009

Do you trust your AntiVirus?

I know the topic of "how crappy signature based AVs are" is already beaten, and there are thousands of other posts about it, but I had to give it my own perspective.

But first, I guess you are running an OS which leaves you no choice but having an AV running. Otherwise, you're probably reading this for fun and knowledge, which is even better.

The vulnerability I'll be discussing about is quite old now (8 months), and is about the way Adobe Acrobat Reader parses PDF files with JBIG streams within. You can read an analysis of the vulnerability in other places. Since this isn't a new vulnerability, you'd guess that by now AV products would be able to block it well. You guess wrong.

I've taken a sample which is generally blocked by most AV products, and did a little modification to the 5th byte in the stream. The modification left the 6th bit on, so the file is still malicious. Now have a look at the first picture below - only 1 AV caught it as malicious.
Let's make another modification and change some few more bits, still leaving the 6th bit on... drum roll... not even a single AV did the job (second picture below). The file has passed and could potentially exploit the unsuspecting user who believes that having a decent AV would keep him safe.



Posted by at
Labels:

5 comments:

  1. Arseny LevinOctober 8, 2009 at 9:44 PM

    Personally I feel it is on the border of felony. I mean people pay good money for these products.
    If only they knew what they are getting...

    ReplyDelete
  2. UnknownOctober 8, 2009 at 11:29 PM

    Well, no one reads the fine print, but I guess there's a line that says you don't get 100% protection, and not even near that number.

    Anyway, now that my samples are at VirusTotal, the AV vendors would get them, and block them as well. Not that I couldn't engineer some more samples... :)

    The more reasonable solution would be to actually parse the file and look for the exploit (instead of singing samples which are in the wild), but that has a great cost on the amount of work and performance. Besides, the end user don't know that, and doesn't care about it.

    ReplyDelete
  3. Arseny LevinOctober 9, 2009 at 1:56 AM

    Exactly my point

    ReplyDelete
  4. Mike FrizziDecember 24, 2009 at 5:35 PM

    I wonder if you used my particular antivirus of choice...I would have liked to see how they fared in this test..

    ReplyDelete
  5. UnknownDecember 24, 2009 at 6:38 PM

    Mike, as you can see in the screenshots, i used VirusTotal, which always uses the latest version of Sophos, along the other AVs. Just like the others - it failed.

    ReplyDelete

Subscribe to: Post Comments (Atom)