BugTraq
when will AV vendors fix this??? Aug 05 2006 07:20AM
Bipin Gautam (gautam bipin gmail com) (4 replies)
Re: when will AV vendors fix this??? Aug 07 2006 08:35PM
Paul Schmehl (pauls utdallas edu) (1 replies)
Bipin Gautam wrote:
> hello list,
>
> This is actually a DESIGN BUG OF MOST(ALL?) Antivirus & trojan
> scanners. ( ROOTKIT SCANNERS already DO THIS ) This issue is MORE
> THAN 1 YEAR OLD stuff but I see no fix till now!!!!
>
> lately I've ONLY tested it on the following AV & a few other spyware
> scanners & saw it's still NOT fixed!
>
> Kaspersky Anti-Virus 6.x (latest)
> BitDefender 9 Professional Plus (latest)
> NOD32 (latest)
>
> OS tested: WINxp sp2
>
> to keep things simple, let me give you a situation;
>
> if there is a directory/file a EVIL_USER is willing to hide from
> antivirus scanner all he has to do is fire up a command prompt & run
> the command;
>
> cacls.exe TROJANED_FILE_OR_DIRECTORY_NAME /T /C /P EVIL_USER:R
>
>
> next time EVEN when the administrator starts the antivirus "system
> scan" the TROJANED_FILE_OR_DIRECTORY_NAME will be effectively
> bypassed as the ownership of the directory is just of the user account
> named EVIL_USER and the antivirus "manual scan" is running just with
> the privilege of ADMINISTRATOR
>
This is similar to the problem of alternative data streams.
Essentially, the work needed to solve this problem isn't worth the
expenditure of time and effort, because the file, in order to infect the
system, has to be executed. Once the file is executed "normal"
on-access scanning will catch the exploit *if* it is known. (If it's
unknown, it doesn't matter anyway.) Yes, on-demand scanning won't "see"
the file, but even malicious files are benign until they are run.

--
Paul Schmehl (pauls (at) utdallas (dot) edu [email concealed])
Adjunct Information Security Officer
The University of Texas at Dallas
http://www.utdallas.edu/ir/security/
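The exchange above boils down to one Windows access-control fact: an Administrators token is not exempt from a file's DACL, so a file whose only ACE grants read to some other account is unreadable to an on-demand scanner running as that administrator, even though administrators can always seize ownership and rewrite the DACL. The following PowerShell is an added example, not code from either poster: it reproduces the post's cacls trick with icacls (the successor of cacls.exe), runs the check a responder would run to find objects the scanning token cannot open, and then remediates with takeown/icacls. Assumptions: it is run from an elevated PowerShell on a throwaway test machine, EVIL_USER is a placeholder for an existing local account, and C:\Temp\acltest is a hypothetical path.

```powershell
# Added example (not from the original post). Assumptions: elevated PowerShell on a
# test box; 'EVIL_USER' is a placeholder local account that exists; C:\Temp\acltest
# is a hypothetical path. icacls/takeown are the modern successors of cacls.exe.

# --- 1. Reproduce the trick from the post ------------------------------------
$root   = 'C:\Temp\acltest'
$hidden = Join-Path $root 'payload.bin'
New-Item -ItemType Directory -Path $root -Force | Out-Null
Set-Content -Path $hidden -Value 'constructed test content, not malware'

# Same effect as "cacls <path> /T /C /P EVIL_USER:R": drop the inherited ACEs
# (which is where Administrators and SYSTEM normally get their access) and leave
# a single read ACE for EVIL_USER. Administrators is still the owner, so it keeps
# READ_CONTROL/WRITE_DAC implicitly, but has no right to read the file's data.
icacls $hidden /inheritance:r /grant "EVIL_USER:(R)" | Out-Null

# --- 2. Detection: what can the scanning token actually open? ----------------
function Find-UnreadableItems {
    param([Parameter(Mandatory)][string]$Path)
    $unreadable = New-Object System.Collections.Generic.List[string]

    # Directories we cannot even list surface as errors from Get-ChildItem;
    # their TargetObject is the path that was denied. A hidden directory (the
    # post's "TROJANED_FILE_OR_DIRECTORY_NAME") shows up here.
    $items = Get-ChildItem -Path $Path -Recurse -Force `
                 -ErrorAction SilentlyContinue -ErrorVariable gciErrors
    foreach ($e in $gciErrors) { $unreadable.Add([string]$e.TargetObject) }

    # Files we can list but not read: attempt a real open for read, which is
    # exactly what an on-demand scanner does when it walks the tree.
    foreach ($f in ($items | Where-Object { -not $_.PSIsContainer })) {
        try {
            $fs = [System.IO.File]::Open($f.FullName,
                      [System.IO.FileMode]::Open,
                      [System.IO.FileAccess]::Read,
                      [System.IO.FileShare]::ReadWrite)
            $fs.Dispose()
        } catch [System.UnauthorizedAccessException] {
            $unreadable.Add($f.FullName)
        }
    }
    return $unreadable
}

$found = Find-UnreadableItems -Path $root
$found | ForEach-Object { Write-Host "Unreadable by this token: $_" }
# payload.bin is reported: the Administrators token has no read ACE on it.

# --- 3. Remediation: administrators can always take ownership ----------------
# SeTakeOwnershipPrivilege lets Administrators seize the object without any ACE
# granting it; the owner can then rewrite the DACL and the file becomes scannable.
foreach ($p in $found) {
    takeown /F $p /A | Out-Null                                   # /A: owner = Administrators group
    icacls $p /grant "Administrators:(F)" "SYSTEM:(F)" | Out-Null # restore admin + SYSTEM access
    icacls $p /inheritance:e | Out-Null                           # re-enable inheritance from the parent
}

(Find-UnreadableItems -Path $root).Count   # 0 once the DACL has been repaired
```

Two practical notes. First, the check in step 2 answers the question for the token it runs under; run it under the account your scanner actually uses, because a service running as SYSTEM that holds SeBackupPrivilege and opens files with FILE_FLAG_BACKUP_SEMANTICS is not subject to the DACL read check at all, which is the mechanism backup software and some engines rely on. Second, step 3 deliberately uses takeown rather than editing the DACL directly, because in the attacker's scenario the hostile account created the file and therefore owns it; seizing ownership is the step that works regardless of what the DACL says.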

Re: when will AV vendors fix this??? Aug 08 2006 02:09AM
Bipin Gautam (gautam bipin gmail com)
Re: when will AV vendors fix this??? Aug 07 2006 06:26PM
Marius Huse Jacobsen (mahuja c2i net)
RE: when will AV vendors fix this??? Aug 07 2006 06:20PM
Thomas D. (whistl0r googlemail com)
Re: when will AV vendors fix this??? Aug 05 2006 08:35AM
Denis Jedig (seclists syneticon de)
Copyright 2010, SecurityFocus