Focus on Virus
Antivirus programs and Exploits Oct 06 2006 08:01AM
Andrei Saygo (asaygo as ro)
Antiviruses and Exploits
- case study -

It's about exploits and how antiviruses can defend computers against them,
until a patch is released.

As an example I've selected CVE-2006-3730:

I did a short study with the Proof of Concept (PoC) code that can be found

The original PoC html file and other 2 versions of it that were modified
by me.

Virus signatures:
The signatures that were available at 9:30AM GMT+2, 06 Oct. 2006

Since I've used only a few scanning engines, it won't be fair to mention
only some of them and I don't want to spoil your fun to discover if/how
your current AV detects the exploit.

How the test was made:
From the original html file, I've created another 2. One that was just a
little bit modified and the other that had garbage functions/comments. I
didn't use a garbage generator, just what someone could write in ~30
seconds. After that I have verified if the exploit remains the same (with
OllyDbg v1.10) and if they could crash Internet Explorer
6.0.2900.21800.xp_sp2. They did!
Then I've scanned the folder that had those 3 files in it, with every
Antivirus that I had installed (freeware/trial versions) and compared the

The result:
Some of the AV's did not even detect the original PoC code.
Others picked it up and even detected the one that had minor modifications.
Unfortunately none of the AV's that I've tested, detected the third file,
the one with
garbage functions/comments.

Even if antiviruses are struggling to protect the users from different
kinds of exploits, they can assure only a minimal security until a patch
is released for the security flaw.
I will not discuss here what needs to be added in the antivirus engines in
order to recognize exploits, no matter of how the samples are modified,
because it?s not the purpose of this article.
The security of the systems can be increased by adding more filtering
layers that can detect modified variants of 0 day exploits, but even this
will not assure 100% protection. So the main idea is to use as many
security layers as possible in order to achieve a higher level of

If there is someone interested for the modified samples, my e-mail address
is : asaygo (at) as (dot) ro [email concealed] / andrei.saygo (at) gmail (dot) com [email concealed]

ALERT: "How a Hacker Launches a SQL Injection Attack!" - White Paper
It's as simple as placing additional SQL commands into a Web Form input box giving hackers complete access to all your backend systems!

[ reply ]


Privacy Statement
Copyright 2010, SecurityFocus