Full Disclosure mailing list archives

Re: Re: Multiple Antivirus Scanners DoS attack.

From: bipin gautam <visitbipin () yahoo com>
Date: Tue, 15 Jun 2004 04:39:37 -0700 (PDT)


--- Shashank Rai <shash () etisalat-nis ae> wrote:

On a Fedora Core-2 box.....

Virus scanning report  -  15 June 2004 @ 7:50

F-PROT ANTIVIRUS
Program version: 4.4.2
Engine version: 3.14.11

VIRUS SIGNATURE FILES
SIGN.DEF created 12 June 2004
SIGN2.DEF created 12 June 2004
MACRO.DEF created 7 June 2004

Search: /home/shash/tmp/SERVER_dwn.zip
Action: Report only
Files: "Dumb" scan of all files
Switches: -ARCHIVE -PACKED -SERVER

/home/shash/tmp/SERVER_dwn.zip->BlackHole.zip->1/~.cab->0.cab->cab.com


Infection: EICAR_Test_File

/home/shash/tmp/SERVER_dwn.zip->BlackHole.zip->1/~.zip->bipin.zip


Infection: EICAR_Test_File

/home/shash/tmp/SERVER_dwn.zip->BlackHole.zip->2/~.cab->0.cab->cab.com


Infection: EICAR_Test_File

/home/shash/tmp/SERVER_dwn.zip->BlackHole.zip->2/~.zip->bipin.zip


Infection: EICAR_Test_File

/home/shash/tmp/SERVER_dwn.zip->BlackHole.zip->3/~.cab->0.cab->cab.com


Infection: EICAR_Test_File

/home/shash/tmp/SERVER_dwn.zip->BlackHole.zip->3/~.zip->bipin.zip


Infection: EICAR_Test_File

/home/shash/tmp/SERVER_dwn.zip->BlackHole.zip->4/~.cab->0.cab->cab.com


Infection: EICAR_Test_File

/home/shash/tmp/SERVER_dwn.zip->BlackHole.zip->4/~.zip->bipin.zip


Infection: EICAR_Test_File

/home/shash/tmp/SERVER_dwn.zip->BlackHole.zip->5/~.cab->0.cab->cab.com


Infection: EICAR_Test_File

/home/shash/tmp/SERVER_dwn.zip->BlackHole.zip->5/~.zip->bipin.zip


Infection: EICAR_Test_File

Results of virus scanning:

Files: 1
MBRs: 0
Boot sectors: 0
Objects scanned: 657
Infected: 10
Suspicious: 0
Disinfected: 0
Deleted: 0
Renamed: 0

Time: 1:13


f-prot vulnerable?????



Moreover, If you download such archives from an
internet loaction, or 'copy/paste' such files from a
distination. Those Vulnerable "Antivirus Softwares"
with their auto-protect engines active, may also
trigger a DoS.

There have been reports in some discussion fourms,

*Panda Antivirus
*Norton AV Corporate Ed. (version 7.60.926)
*MacAfee uvscan scan for Linux (4.3.20)
*DrWeb (http://www.drweb.ru/)
*AVG v7.0.251
*ClamAV version 0.07, 0.72   <--- please confirm this!
*eTrust InoculateIT version 6.0


   Are vulnerable.


*F-Prot 4.4.2 for Linux did took considerable amount
of time  [avg: 90 seconds] while scanning the file,
there have been conflicting report... whether or not,
F-Prot is vulnerable. But a VA software that takes so
long to scan just a 15 kb file...... is a strange
behavior. I'll personally call, it vulnerable... cauz
a DoS could likely be triggered.


You can get updates of this advisory at,
http://www.geocities.com/visitbipin/Multiple_AV_DoS.html

Regards,

Bipin Gautam
http://www.geocities.com/visitbipin/




                
__________________________________
Do you Yahoo!?
Yahoo! Mail - Helps protect you from nasty viruses.
http://promotions.yahoo.com/new_mail

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

Current thread:

Re: Multiple Antivirus Scanners DoS attack. Shashank Rai (Jun 14)
- Re: Re: Multiple Antivirus Scanners DoS attack. bipin gautam (Jun 15)
- <Possible follow-ups>
- Re: Multiple Antivirus Scanners DoS attack. Luca Gibelli (Jun 16)