Evasion bug bites virus shields
Security researcher says an issue in several antivirus products could let malicious files pass undetected, but some in the industry say it's not a flaw.
By adding some data to a file, an attacker could trick virus scanners into letting a malicious executable file pass through, security researcher Andrey Bayora wrote in an advisory last week. The problem lies in the scanning engine, which won't detect files that have the extra data. Bayora refers to that extra data as the "Magic Byte."
The problem affects numerous antivirus products, including software from Trend Micro, McAfee, Computer Associates and Kaspersky Lab, said Bayora, who works as a computer security consultant in Israel. His advisory also lists several products that are not affected, including software from Symantec, F-Secure and BitDefender.
"This is one of the most significant antivirus vulnerabilities of recent times, as it affects the majority of scanner software," Bayora wrote in an article on his Web site that details the issue.
Bayora originally disclosed details of the flaw on Oct. 24. Since then, the topic has been the topic of lively discussions on the popular Full Disclosure security mailing list.
The issue is further evidence that researchers are increasingly looking for holes in security products. Protective technology is commonly installed on PCs, servers, network gateways and mobile devices. As security software becomes more widespread, it becomes a more attractive target to cybercriminals, experts have said.
But in this case, what Bayora calls out as a vulnerability in virus-scanning engines, some in the industry see as inherent to signature-based protection of antivirus software.
"It's not a real security vulnerability, as this is the way antivirus scanners work: If someone creates a new malware, the antivirus industry will create a new signature for it," said Andreas Marx, an antivirus software expert at the University of Magdeburg in Germany. "This way always leaves a detection and protection gap."
The signature lists used in antivirus software are like a dictionary of descriptions of known viruses. The virus-scanning process looks for matches against that dictionary. If a new threat is found, a signature is added.
Bayora actually created a variant of a virus, said Ken Williams, a representative of Computer Associates. "Modifying a virus to the point where it is no longer detectable does not qualify as a vulnerability. Most viruses are modified in this way over time on a regular basis, and CA treats this as a new virus variant," he said in a statement.
But Kaspersky and Trend Micro do see the Magic Byte issue as a software flaw and are offering updates to fix it.
"A patch for affected products is currently being tested and should be available within a week," Kaspersky said in a notice on its Web site. Trend Micro has addressed the "potential vulnerability" in the latest version of its virus pattern files, a representative said in an e-mailed statement.
According to Trend Micro, the problem in its product is limited to one specific type of potential virus file that typically would be blocked in most enterprise e-mail systems and would need to be executed manually. In a posting to a security mailing list, Bayora identified that file type as a batch, or .bat, file.
McAfee did not respond to requests seeking comment for this story.