Multiple Vendor Anti-Virus Software Malicious WebPage Detection Bypass -Update- Dec 09 2008 04:34PM
xhakerman2006 yahoo com
Litel Update.

in the previous advisory there was some wrong report because of, the update of anti-virus product version.


Multiple Vendor Anti-Virus Software Malicious WebPage Detection Bypass

[_] Discovred by : DATA_SNIPER

[_] Greets to: hacker c&c Team , Arab4Services team on www.arab4services.net , AT4RE Team on www.at4re.com

[_] Special thanks go to: Andrey Bayora and all arabian hackers specialy algerian hackers.


this exploit are based on Andrey Bayora "magic of magic byte" but with some development.

This proof of concept was created for educational purposes only,Use the code it at your own risk.

The author will not be responsible for any damages.


Exploit Information:

Date: 2008/19/08

Impact: Baypassing the Detection of Malicious web page that can compromise a user's system

Vulnerabled AV-Software:

ESET Smart Security Latest Version<=(the Exploit was dedicated for it)

AhnLab-V3 2008.12.4.1

AntiVir 2008.12.04

Avast 4.8.1281.0

CAT-QuickHeal 10.00

ClamAV 0.94.1


Ewido 4.0

Ikarus T3.

K7AntiVirus 7.10.541

NOD32 3662

Norman 5.80.02


Prevx1 V2



Sunbelt 3.1.1832.2


TrendMicro 8.700.0.1004

ViRobot 2008.12.4.1499

the things that must be considered that the POC it's variant from exploit to exploit(some times

Kaspersky and the other famous AV Sofware can be deceive).

Proof Of Concept:

as i said the exploit are based on the magic of magic byte methode we will first add the MZ Header to the HTML Exploit and change the exstention to txt or jpg or non extension,the exploit is compatible with IE6 and IE7 because IE6&7 execute the HTML Event if it's in txt file or non extension files.

so the exploit it's with corporate of IE6&7 :).

virustotal result of MS Internet Explorer 6/7 (XML Core Services) Remote Code Execution Exploit


and print screen for the scann in VirusTotal.





1-add the MZ Header to the HTML file:

MZگ   ےے ¸ @ ط ؛ ´ ح!¸Lح!This program cannot be run in DOS mode.

you can put other EXE info on the HTML Body for more deception.

-rename the HTML to non extension file or txt or jpg.

3-upload it to webserver.

http://localhost/mallpage.txt or http://localhost/mallpage<non extenstion>.

video POC:

Simple video explain how the vulnerability can be exploited under ESET Smart Security (arabic).


[ reply ]


Privacy Statement
Copyright 2010, SecurityFocus