xfocus logo xfocus title
welcome documents programs exploits advisories forums
Xcon Chinese Version

Multiple antivirus failed to scan malicous filename bypass vulnerability

Create: 2006-03-29
Author: root (webmaster_at_xfocus.org)

class: design error

Threat level: medium

Vulnerable anti-virus Engine:
    Kaspersky Antivirus
    Symantec AntiVirus
    F-Prot Antivirus
    ClamWin Antivirus
    Avast Antivirus
    RAV AntiVirus
    Microsoft AntiSpyware
tested anti-virus vendor:

    Symantec AntiVirus Corporate 8.0
    Kaspersky Antivirus Personal Pro
    Kaspersky Antivirus For MS NTServer
    F-Prot Antivirus 3.16c
    ClamWin Antivirus 0.87
    Microsoft AntiSpyware beta1


   Windows system may use the many kinds of special mark as filename, some anti-virus engines are unable to analyze the special structure document filename, thus failed to file operate.

2. Detail:
   Demonstration here:
   Choose a malicious file which would be detected, such as nc.exe, rename the file as nc??.exe (?? =Hex C0 D7 BA DC)
   Then these malicious files will be not detected by antivirus scan.
   Because these special names are unable directly to input, so if you want to run these file, you should use the following way:
   [ROOT@D:\Vul\bugtrap]#dir /x
   1998-01-03  14:37            59,392 NC294E~1.EXE nc??.exe

   [ROOT@D:\Vul\bugtrap]#NC294E~1.EXE -help
   [v1.10 NT]
   connect to somewhere:   nc [-options] hostname port[s] [ports] ...
   listen for inbound:     nc -l -p port [options] [hostname] [port]
   Uses the MS-DOS name specification, we can operate file with Open、Read、Write、 and duplicate。
   In fact the most vendor all have the problem in regarding this king of file parse: For instance use the right key clicks these kinds of file, will be no scan option menu to show by Kaspersky antivirus, and Symantec AntiVirus Corporate V10.0.1.1000 will detected but can't remove it. AVG Anti-Virus will be passed by normally path scan mothod, but can't read the file if click the scan option menu.