GDI+ bug exploit Mutations

Most antivirus software can’t detect mutations of the GDI+ exploit.

ANALYSIS

  1) Most Antivirus vendors issue virus definitions for known
     exploit code [1] which uses the \xFF\xFE\x00\x01 string for
     buffer overflow.

From the Snort rule [2] you can learn that there are 7 more variants
to produce this buffer overflow in GDI+.

So, by changing \xFE to one of these - \xE1, \xE2, \xED
and/or by changing \x01 to \x00 this exploit will be
UNDETECTED by many antiviruses (list attached).

  2) While the original exploit code uses the buffer overflow string
     near the BEGINNING of the image file (after \xFF\xE0,
     \xFF\xEC and \xFF\xEE markers), I was able to create an image
     with the buffer overflow string in the MIDDLE of the file.

  3) By combining various strings from the methods described under
     1) and 2) and by placing them in different locations in the
     image file I was able to bypass various antivirus products.

Results of a file scan

This is the report of the scanning done over “1.jpg” (see
Demo section) file that VirusTotal processed on 10/13/2004 at
18:54:56.
Antivirus    Version          Update      Result
BitDefender  7.0              10.12.2004  -
ClamWin      devel-20040922   10.12.2004  -
eTrust-Iris  7.1.194.0        10.13.2004  -
F-Prot       3.15b            10.13.2004  -
Kaspersky    4.0.2.24         10.13.2004  -
McAfee       4398             10.13.2004  Exploit-MS04-028
NOD32v2      1.893            10.13.2004  -
Norman       5.70.10          10.12.2004  -
Panda        7.02.00          10.13.2004  -
Sybari       7.5.1314         10.13.2004  -
Symantec     8.0              10.12.2004  Backdoor.Roxe
TrendMicro   7.000            10.12.2004  Exploit-MS04-028

For 2.jpg

Results of a file scan
This is the report of the scanning done over “2.jpg” file
that VirusTotal processed on 10/13/2004 at 18:56:32.
Antivirus    Version          Update      Result
BitDefender  7.0              10.12.2004  -
ClamWin      devel-20040922   10.12.2004  -
eTrust-Iris  7.1.194.0        10.13.2004  -
F-Prot       3.15b            10.13.2004  -
Kaspersky    4.0.2.24         10.13.2004  -
McAfee       4398             10.13.2004  Exploit-MS04-028
NOD32v2      1.893            10.13.2004  -
Norman       5.70.10          10.12.2004  -
Panda        7.02.00          10.13.2004  -
Sybari       7.5.1314         10.13.2004  -
Symantec     8.0              10.12.2004  Bloodhound.Exploit.13
TrendMicro   7.000            10.12.2004  Exploit-MS04-028

Only “The BIG 3” were able to detect those variants.

http://lists.netsys.com/pipermail/full-disclosure/2004-October/027530.html
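A defender-side structural check for the condition all of these mutations share, added here as an example that is not part of the quoted post: instead of matching a fixed byte string, it walks the JPEG marker segments and flags any segment whose length field is below 2 (the length includes its own two bytes, so 0 and 1 are invalid, which is what the vulnerable GDI+ parser mishandled). It generalizes past the markers listed above to every length-bearing marker anywhere in the file; the sample byte strings are constructed stubs, not real image files.

```python
# Structural check for the MS04-028 JPEG condition: a marker segment whose
# 2-byte length field is 0 or 1. The JPEG length includes the length bytes
# themselves, so anything below 2 is invalid; walking segments catches it
# wherever it sits in the file and for every marker type, unlike a fixed
# byte signature that only matches \xFF\xFE\x00\x01 at one position.

# Markers that carry no length field: TEM, RST0-RST7, SOI, EOI.
STANDALONE = {0x01, 0xD8, 0xD9} | set(range(0xD0, 0xD8))

def find_bad_segments(data: bytes):
    """Return (offset, marker, length) for every segment with length < 2."""
    hits = []
    i, n = 0, len(data)
    while i + 1 < n:
        if data[i] != 0xFF:
            i += 1                 # not at a marker; resync on next 0xFF
            continue
        marker = data[i + 1]
        if marker == 0xFF:         # fill byte, a marker may follow
            i += 1
            continue
        if marker == 0x00 or marker in STANDALONE:
            i += 2                 # stuffed 0xFF00 or standalone marker
            continue
        if i + 3 >= n:
            break                  # truncated length field
        length = (data[i + 2] << 8) | data[i + 3]
        if length < 2:
            hits.append((i, marker, length))
            i += 4                 # keep scanning; the length is not trusted
            continue
        i += 2 + length            # skip the segment body (SOS included)
    return hits

def is_suspicious(data: bytes) -> bool:
    return bool(find_bad_segments(data))

# Constructed samples (not real files): a well-formed stub, the signature
# from the original exploit at the start, and a mutated marker (\xFF\xED
# with length 0) buried after a valid APP0 and COM segment.
APP0 = b"\xFF\xE0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
COM = b"\xFF\xFE\x00\x07hello"
CLEAN = b"\xFF\xD8" + APP0 + COM + b"\xFF\xD9"
ORIGINAL = b"\xFF\xD8\xFF\xFE\x00\x01" + b"A" * 16
MUTATED = b"\xFF\xD8" + APP0 + COM + b"\xFF\xED\x00\x00" + b"A" * 16
```

Entropy-coded data after SOS is walked byte by byte as well: stuffed 0xFF00 and RSTn markers are skipped, and any other 0xFF-prefixed byte pair there is a real marker by the format's rules, so segments after the first scan are still checked.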

It is not the task of an av application to detect/deal with exploits. It is the developers' task of the OS/application who should fix it imo. So what is the meaning of you telling this?

Only the big three were able to detect it; now how can that be said, as reading what is posted, there is no sign of Avast.

But as Eddy said, an antivirus is not there to fix the problems of the OS, gawd, if it were most antivirus companies would need to hire a heck of a lot more people.