Summary
Several AntiVirus programs do not scan filesnames that contain non-printable ASCII characters, in addition instead of blocking them they are simply ignored.
Credit:
The information has been provided by SecuBox Labs.
Details
Vulnerable Systems:
* BitDefender Antivirus
* Trustix Antivirus
* Avast! Antivirus
* Cat Quick Heal Antivirus
* Abacre Antivirus
* VisNetic Antivirus (bypass only with manual scan)
* AntiVir Personnal Edition Antivirus
* Clamav for Windows Antivirus
* Antiy Ghostbusters Professional Edition
Immune Systems:
* Kaspersky Antivirus
* AVG Free
Several AntiVirus programs do not scan files that contain extended ASCII characters and characters that are lower than 0x20. An attacker can rename a malicious filename to such a filename which in turn will cause the AntiVirus programs to ignore the filename.
Proof of Concept:
If your Antivirus options are:
- "Scan on accessed files"
- "A real time protection"
If you want to test this PoC, don't forget to temporarily disabling before handling!
Select only a "detected" program that does not have to disturb the correct operation of your machine!
Find a program detected by your software protection.
BitDefender for example don't like ClearLogs.
ClearLogs clears the local or remote event log computer.
Ref: http://ntsecurity.nu/downloads/clearlogs.exe
BitDefender >> Detected: Application.Clearlog.A
Rename clearlogs.exe to clearlogs[Here press Alt + 1].exe
Alt + "some numbers" generate specials ASCII characters.
Ref: http://www.lookuptables.com
After that re-activate the real time protection.
Then if you scan it ...
[100%] "Scan successful: no viruses found"
Open your CMD and execute.
X:\SecuBox.Labs\clearlogs ~ .exe
ClearLogs 1.0 - (c) 2002, Arne Vidstrom
Usage: clearlogs [\\computername] <-app / -sec / -sys>
-app = application log
-sec = security log
-sys = system log
If we take a look to [Show report] - Statistics
Scan path: X:\SecuBox.Labs\clearlogs?.exe
Folders: 0
Files: 4
Archives: 0
Packed files: 0
Identified viruses: 0
Infected files: 0
Warnings: 0
Suspect files: 0
Disinfected files: 0
Deleted files: 0
Copied files: 0
Moved files: 0
Renamed files: 0
I/O errors: 0
Scan time: 00:00:01
Scan speed (files/sec): 4
source: http://www.securiteam.com/windowsntfocus/5TP0M2KGUQ.html
Several AntiVirus programs do not scan filesnames that contain non-printable ASCII characters, in addition instead of blocking them they are simply ignored.
Credit:
The information has been provided by SecuBox Labs.
Details
Vulnerable Systems:
* BitDefender Antivirus
* Trustix Antivirus
* Avast! Antivirus
* Cat Quick Heal Antivirus
* Abacre Antivirus
* VisNetic Antivirus (bypass only with manual scan)
* AntiVir Personnal Edition Antivirus
* Clamav for Windows Antivirus
* Antiy Ghostbusters Professional Edition
Immune Systems:
* Kaspersky Antivirus
* AVG Free
Several AntiVirus programs do not scan files that contain extended ASCII characters and characters that are lower than 0x20. An attacker can rename a malicious filename to such a filename which in turn will cause the AntiVirus programs to ignore the filename.
Proof of Concept:
If your Antivirus options are:
- "Scan on accessed files"
- "A real time protection"
If you want to test this PoC, don't forget to temporarily disabling before handling!
Select only a "detected" program that does not have to disturb the correct operation of your machine!
Find a program detected by your software protection.
BitDefender for example don't like ClearLogs.
ClearLogs clears the local or remote event log computer.
Ref: http://ntsecurity.nu/downloads/clearlogs.exe
BitDefender >> Detected: Application.Clearlog.A
Rename clearlogs.exe to clearlogs[Here press Alt + 1].exe
Alt + "some numbers" generate specials ASCII characters.
Ref: http://www.lookuptables.com
After that re-activate the real time protection.
Then if you scan it ...
[100%] "Scan successful: no viruses found"
Open your CMD and execute.
X:\SecuBox.Labs\clearlogs ~ .exe
ClearLogs 1.0 - (c) 2002, Arne Vidstrom
Usage: clearlogs [\\computername] <-app / -sec / -sys>
-app = application log
-sec = security log
-sys = system log
If we take a look to [Show report] - Statistics
Scan path: X:\SecuBox.Labs\clearlogs?.exe
Folders: 0
Files: 4
Archives: 0
Packed files: 0
Identified viruses: 0
Infected files: 0
Warnings: 0
Suspect files: 0
Disinfected files: 0
Deleted files: 0
Copied files: 0
Moved files: 0
Renamed files: 0
I/O errors: 0
Scan time: 00:00:01
Scan speed (files/sec): 4
source: http://www.securiteam.com/windowsntfocus/5TP0M2KGUQ.html