CERT-FI Advisory on Antivirus Signature Evasion Using Archive Files
Target
- servers and server applications
- workstations and end user applications
Access Vector
- remote
Impact
- security bypass
Remediation
- fix provided by vendor
Details
Several weaknesses in the handling of compressed archives have been found in antivirus and other signature-based detection engine implementations. CERT-FI and ReversingLabs have coordinated the remediation efforts for these vulnerabilities.
The case concerns failures in the archive-format parsing of antivirus software and other signature-based detection software. The reporter of the weaknesses has crafted several non-encrypted ZIP, CAB, GZIP, 7Z and RAR archive files that the relevant decompressors consider valid, but whose malicious content signature-based detection systems cannot detect. This weakness can be exploited to hide known malicious content inside a non-encrypted archive file.
The vulnerability should be considered more serious for gateway-based antivirus software and for isolated networks with dedicated antivirus scanning workstations. In these scenarios, malware contained in archive files may remain undetected if the end-user workstation does not check the extracted files for malware. With host-based antivirus software, the malicious file may still be detected when it is extracted or executed.
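The guidance above amounts to two rules for a scanner that sits in front of end-user workstations: scan the content that an extractor would produce rather than the container itself, and treat an archive the strict parser cannot fully walk as something to block rather than pass through. The following Python routine is an added illustration of those two rules and is not code from the advisory, CERT-FI, ReversingLabs or any listed vendor. It covers only ZIP (the CAB, GZIP, 7Z and RAR cases named in the advisory would each need their own strict parser), the signature database is a constructed SHA-256 set, and the nesting and size limits are assumed policy values.

```python
import hashlib
import io
import zipfile

# Constructed stand-in for a signature database: the SHA-256 of a sample payload.
SAMPLE_BAD = b"constructed sample of known-bad content\n"
KNOWN_BAD_SHA256 = {hashlib.sha256(SAMPLE_BAD).hexdigest()}

MAX_DEPTH = 3                        # assumed policy: nested archives deeper than this are refused
MAX_MEMBER_BYTES = 8 * 1024 * 1024   # assumed policy: members declaring more than 8 MiB are refused
ZIP_LOCAL_MAGIC = b"PK\x03\x04"      # signature of a ZIP local file header


def scan_bytes(data, depth=0):
    """Return (verdict, detail); verdict is 'clean', 'malicious', 'malformed' or 'unscannable'.

    Anything other than 'clean' is meant to be blocked at the gateway: a file the
    scanner cannot fully parse is never passed on the assumption that it is harmless.
    """
    if hashlib.sha256(data).hexdigest() in KNOWN_BAD_SHA256:
        return "malicious", "content matches signature"
    if not zipfile.is_zipfile(io.BytesIO(data)):
        if data.startswith(ZIP_LOCAL_MAGIC):
            # A lenient extractor might still open this; the strict parser could not, so fail closed.
            return "malformed", "ZIP local header present but no valid central directory"
        return "clean", "not an archive, scanned as plain content"
    if depth >= MAX_DEPTH:
        return "malformed", "archive nesting deeper than policy allows"
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.is_dir():
                    continue
                if info.flag_bits & 0x1:  # bit 0 of the general purpose flag marks an encrypted member
                    return "unscannable", f"{info.filename}: encrypted member"
                if info.file_size > MAX_MEMBER_BYTES:
                    return "malformed", f"{info.filename}: declared size exceeds policy"
                # Opening the member makes zipfile cross-check the local header against the
                # central directory and verify the CRC once all of the data has been read.
                with zf.open(info) as fh:
                    member = fh.read(MAX_MEMBER_BYTES + 1)
                if len(member) != info.file_size:
                    return "malformed", f"{info.filename}: extracted size differs from directory entry"
                # Scan what the user would actually get, recursing into nested archives.
                verdict, detail = scan_bytes(member, depth + 1)
                if verdict != "clean":
                    return verdict, f"{info.filename}: {detail}"
    except (zipfile.BadZipFile, zipfile.LargeZipFile, EOFError, OSError, RuntimeError, ValueError) as exc:
        return "malformed", f"parser error: {exc}"
    return "clean", "all members extracted and scanned"


def build_zip(members, compression=zipfile.ZIP_STORED):
    """Build an in-memory ZIP from {name: bytes}; constructed test input, not a real sample."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", compression) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


if __name__ == "__main__":
    clean = build_zip({"readme.txt": b"nothing to see\n"})
    direct = build_zip({"invoice.exe": SAMPLE_BAD})
    nested = build_zip({"inner.zip": direct})
    for label, sample in [("clean", clean), ("direct", direct), ("nested", nested)]:
        print(label, scan_bytes(sample))
```

The decisive design choice is the branch that returns "malformed" when the data carries a ZIP header but the parser rejects it: a scanner that instead reports "not an archive, clean" for such a file recreates the gateway failure mode the advisory describes. The "unscannable" verdict for encrypted members keeps the Microsoft statement below honest: the gateway cannot see inside, so that decision is handed to policy rather than silently counted as clean.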
Vulnerability Coordination Information and Acknowledgements
CERT-FI and ReversingLabs, the finder of the weaknesses, have coordinated the release of this issue with the affected vendors. CERT-FI would like to thank Mario Vuksan from the ReversingLabs Corp for reporting the vulnerability to us, and the vendors for co-operation in the remediation efforts.
Vendor Information
Authentium
- Fixed in the latest definition files
BitDefender
- An updated version of BitDefender should be able to handle the files.
ClamAV
ESET
- The problem was resolved on March 17th 2010 via standard product updates; engine module version 4951, archive module version 1109.
F-Secure
Microsoft
- For this issue, we do not consider circumvention of AV signatures using ZIP files (e.g. encrypted container) as a vulnerability. Because the container can legitimately provide means of obfuscation/encryption, AV is not expected to detect payload in all containers. Instead AV is expected to detect the content/payload upon opening the container (decompression/decryption). When the zip file is opened and the malware is decompressed, the AV software should detect the malware.
Panda
- Fixed in scanner version 10.0.2.7 with the latest signature updates
Sophos
- We have added more intelligence to identify malformed archive files and stop them from bypassing our engine. This concerns also the on-access scanner.
Sunbelt Software
- Sunbelt Software has developed fixes for these evasion techniques.
Virusbuster
- Fixed in version EDK 5.1.0.16.
Remediation
Patch the vulnerable software components according to the guidance published by the vendor. Where available, refer to the 'Vendor Information' section of this advisory for platform specific remediation.
References
Contact Information
CERT-FI Vulnerability Coordination can be contacted as follows:
Email: vulncoord@ficora.fi (please quote the advisory reference [FICORA #343848] in the subject line)
Telephone: +358 9 6966 510, Monday - Friday 08:00 - 16:15 (EET: UTC+2)
Fax: +358 9 6966 515
Post: Vulnerability Coordination, FICORA/CERT-FI, P.O. Box 313, FI-00181 Helsinki, FINLAND
CERT-FI encourages those who wish to communicate via email to make use of our PGP key. The key is available at https://www.cert.fi/en/activities/contact/pgp-keys.html
The CERT-FI vulnerability coordination policy can be viewed at https://www.cert.fi/en/activities/Vulncoord/vulncoord-policy.html.
Revision History
12 Apr 2010 13:00 UTC: Released
14 Apr 2010 12:30 UTC: Added link to JPCERT/CC advisory, revised wording on severity
19 Apr 2010 14:25 UTC: Revised the Virusbuster statement
20 Apr 2010 14:44 UTC: Added ReversingLabs Corp advisory
23 Apr 2010 08:35 UTC: Added statements from Panda, Sophos and Sunbelt Software
4 Jun 2010 13:37 UTC: Added JVNDB reference
6 Aug 2010 07:48 UTC: Added ESET statement
Page updated 06.08.2010