12-04-2012, 04:37 PM
0wning Antivirus
Attachment: 0wning-Antivirus1.ppt (58 KB)
Why AV?
- Attractive Attack Surface
- Gateways, Servers, Clients, ISPs, Third-Party Vendor Products
- Heterogeneous and Layered Environments

How Does AV Work?
- Signature vs. Behavior
- Pattern matching / regex
- File-format decomposition

Code Coverage – Signatures
- Field Values
  - Max Len (e.g. ARJ header len 0xa28)
  - Magic (e.g. PECOFF – "MZ" & "PE")
- Field Sizes
  - PE Section Header 0x28
  - Tar Object 0x200
- Strings
  - PECOFF – section labels, common libraries

IDA Examples
- LHA
- ARJ
- UPX

Code Coverage – Constructs
- Inherited File Structures & Commonly Grouped Processors
  - Are annoying to trace, due to indirection
  - Can reveal more subtle unchecked copies
  - Ex: Is MZ -> Is PE -> Is UPX

0-Day Detection
- Generally very minimal capabilities
- Measure virus propagation by number of infected customers.
- Evasion?
- Write a new virus.

Audit Points – Memory Corruption
- String-Based Formats
  - These can be hard to implement correctly
  - StringToNumber conversions are interesting
  - Ex: TNEF, MIME, PDF

Audit Results
- Symantec
  - Unchecked offset reconstructing UPX PE header
  - Can be triggered by providing a negative offset to a prior heap chunk containing an MZ header with a crafted PE header
  - Heap overflow with no character restrictions
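The "Is MZ -> Is PE" chain from the slides, written out as an added example (not code from the deck or from any vendor): it reads the DOS header's e_lfanew as the signed field it is and validates it against the buffer length before following it, which is the class of check whose absence the Symantec result above describes. Function names and the sample buffers are this example's own.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* PE/COFF constants; macro names are this example's own. */
#define MZ_MAGIC        0x5A4Du      /* "MZ" read little-endian */
#define PE_MAGIC        0x00004550u  /* "PE\0\0" read little-endian */
#define E_LFANEW_OFFSET 0x3C         /* position of the 32-bit e_lfanew field in the DOS header */

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Is MZ -> Is PE, with every offset validated against the buffer that actually holds the file.
 * Returns the offset of the "PE\0\0" signature, or -1 if any check in the chain fails. */
long find_pe_header(const uint8_t *buf, size_t len)
{
    if (len < E_LFANEW_OFFSET + 4 || rd16(buf) != MZ_MAGIC)
        return -1;
    /* e_lfanew is a signed 32-bit LONG in the DOS header. Reading it as signed and rejecting
     * negatives is the check that stops the "negative offset to a prior heap chunk" case:
     * without it, buf + e_lfanew would point before the buffer the scanner allocated. */
    int32_t e_lfanew = (int32_t)rd32(buf + E_LFANEW_OFFSET);
    if (e_lfanew < 0)
        return -1;
    /* Written as a subtraction so the comparison itself cannot overflow. */
    if ((size_t)e_lfanew > len || len - (size_t)e_lfanew < 4)
        return -1;
    if (rd32(buf + e_lfanew) != PE_MAGIC)
        return -1;
    return e_lfanew;
}

/* Constructed 0x50-byte sample: an MZ header carrying the given e_lfanew and, when it fits,
 * a PE signature placed at that offset. Returns find_pe_header's verdict for the sample. */
long check_sample(uint32_t e_lfanew)
{
    uint8_t buf[0x50];
    memset(buf, 0, sizeof buf);
    buf[0] = 'M'; buf[1] = 'Z';
    buf[E_LFANEW_OFFSET + 0] = (uint8_t)(e_lfanew);
    buf[E_LFANEW_OFFSET + 1] = (uint8_t)(e_lfanew >> 8);
    buf[E_LFANEW_OFFSET + 2] = (uint8_t)(e_lfanew >> 16);
    buf[E_LFANEW_OFFSET + 3] = (uint8_t)(e_lfanew >> 24);
    if (e_lfanew <= sizeof buf - 4)
        memcpy(buf + e_lfanew, "PE\0\0", 4);
    return find_pe_header(buf, sizeof buf);
}
```

check_sample(0x40) follows the chain to the signature, while a negative e_lfanew (0xFFFFFFF0), one that leaves fewer than four bytes for the signature (0x4E), and one past the buffer (0x1000) are all rejected before any read outside the buffer happens.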