Bugtraq mailing list archives
[Full-Disclosure] Exploiting Multiple Flaws in Symantec Antivirus 2004 for Windows Mobile (fwd)
From: Dave Ahmad <da () securityfocus com>
Date: Tue, 16 Sep 2003 20:21:30 -0600 (MDT)
David Mirza Ahmad Symantec PGP: 0x26005712 8D 9A B1 33 82 3D B3 D0 40 EB AB F0 1E 67 C6 1A 26 00 57 12 -- The battle for the past is for the future. We must be the winners of the memory war. ---------- Forwarded message ---------- Return-Path: <full-disclosure-admin () lists netsys com> Delivered-To: da () mail securityfocus com Received: (qmail 13412 invoked by alias); 17 Sep 2003 00:03:50 -0000 Delivered-To: vulq () securityfocus com Received: (qmail 13392 invoked from network); 17 Sep 2003 00:03:49 -0000 Received: from netsys.com (199.201.233.10) by mail.securityfocus.com with SMTP; 17 Sep 2003 00:03:48 -0000 Received: from NETSYS.COM (localhost [127.0.0.1]) by netsys.com (8.11.6p2/8.11.6) with ESMTP id h8GNXJ613371; Tue, 16 Sep 2003 19:33:19 -0400 (EDT) Received: from smtp3.hushmail.com (smtp3.hushmail.com [65.39.178.135]) by netsys.com (8.11.6p2/8.11.6) with ESMTP id h8GJxOL08425 for <full-disclosure () lists netsys com>; Tue, 16 Sep 2003 15:59:29 -0400 (EDT) Received: from mailserver2.hushmail.com (mailserver2.hushmail.com [65.39.178.21]) by smtp3.hushmail.com (Postfix) with ESMTP id 8040310E5DC for <full-disclosure () lists netsys com>; Tue, 16 Sep 2003 12:59:22 -0700 (PDT) Received: from mailserver2.hushmail.com (localhost.hushmail.com [127.0.0.1]) by mailserver2.hushmail.com (8.12.6/8.12.3) with ESMTP id h8GJxMKs062435 for <full-disclosure () lists netsys com>; Tue, 16 Sep 2003 12:59:22 -0700 (PDT) (envelope-from auto9115 () hushmail com) Received: (from nobody@localhost) by mailserver2.hushmail.com (8.12.6/8.12.3/Submit) id h8GJxMA9062434 for full-disclosure () lists netsys com; Tue, 16 Sep 2003 12:59:22 -0700 (PDT) Message-Id: <200309161959.h8GJxMA9062434 () mailserver2 hushmail com> To: full-disclosure () lists netsys com Cc: From: <auto9115 () hushmail com> Subject: [Full-Disclosure] Exploiting Multiple Flaws in Symantec Antivirus 2004 for Windows Mobile Sender: full-disclosure-admin () lists netsys com Errors-To: full-disclosure-admin () lists netsys com X-BeenThere: full-disclosure () lists netsys com X-Mailman-Version: 2.0.12 Precedence: bulk List-Unsubscribe: <http://lists.netsys.com/mailman/listinfo/full-disclosure>, <mailto:full-disclosure-request () lists netsys com?subject=unsubscribe> List-Id: Discussion of security issues <full-disclosure.lists.netsys.com> List-Post: <mailto:full-disclosure () lists netsys com> List-Help: <mailto:full-disclosure-request () lists netsys com?subject=help> List-Subscribe: <http://lists.netsys.com/mailman/listinfo/full-disclosure>, <mailto:full-disclosure-request () lists netsys com?subject=subscribe> List-Archive: <http://lists.netsys.com/pipermail/full-disclosure/> Date: Tue, 16 Sep 2003 12:59:22 -0700 Exploiting Multiple Flaws in Symantec Antivirus 2004 for Windows Mobile Version tested: 3.0.0.194 (latest version) Date: Sept. 13, 2003 Background: Viruses have started to show up on Personal Data Assistants (PDAs) and handheld wireless devices. Although there are currently no viruses in the wild that infect the Windows CE operating system, may companies have released virus scanners for Windows Mobile (formerly PocketPC). Examples include PC-cillin, Airscanner, F-secure, and McAfee. Since McAfee was recently selected to go OEM on all new Dell Axim handhelds, Symantec scrambled to get a product out. They have just released their final version (available for $39.99 for a one year license), but unfortunately, in the scramble to release it they apparently forgot to test it to see if it is working ;) Vulnerability #1: Real-time scanning appears to not work. Symantec is currently the only AV company that claims to do real-time scanning in the background on Windows CE. This claim gives them a significant market advantage. However, we can see that it is not true real-time scanning. For example, if the scanner is active in memory and you open the famous Eicar test virus (eicar.exe) into RAM, the scanner does not detect it. It is not until you "save" a copy of a file with the Eicar to your file system does Symantec detect it. So it is not real-time scanning of viral code, but rather just a simple monitor to activate a scan any time a file is saved. Therefore, this does not protect against hostile code active in RAM. Vulnerability #2: The Virus scanner does not appear to work at all! Like any antivirus scanner, Symantec detects the Eicar test virus (eicar.exe or eicar.txt). At least, at first glance it appears to detect it. However, you can easily defeat this by adding a few bytes of random text before or after the Eicar string. For example, if you use a hex/text editor to add a few random bytes of text before and after the string, then Symantec won't detect it! However, other AVs easily detect it, as they should. An AV scanner should be able to detect a byte stream anywhere in the file, but Symantec is easily bypassed with this rudimentary trick. These exploits have not been submitted to Bugtraq, since that mailing list is now owned by Symantec, and they have more "selective" full disclosure than this list. Don Cheatham Wireless Network Engineer Concerned about your privacy? Follow this link to get FREE encrypted email: https://www.hushmail.com/?l=2 Free, ultra-private instant messaging with Hush Messenger https://www.hushmail.com/services.php?subloc=messenger&l=434 Promote security and make money with the Hushmail Affiliate Program: https://www.hushmail.com/about.php?subloc=affiliate&l=427 _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
Current thread:
- [Full-Disclosure] Exploiting Multiple Flaws in Symantec Antivirus 2004 for Windows Mobile (fwd) Dave Ahmad (Sep 16)