New shutdown vulnerability

Please see this file http://zeroday-software.110mb.com/sss-final.zip
It can easily create an EICAR virus test file and dodge both avast and threatfire. :-[
I am using Avast+Threatfire+Outpost firewall
But, outpost can survive it. >:(

Please follow the procedure given in pictures and try.
(It is only a test program; it does not contain any viruses.)

I have posted it on mediafire, because I could not upload more than 200 kb here.
The link is http://www.mediafire.com/?mixnzmy0yiz

Please consider downloading the file and checking. It’s really serious.

I really don’t understand what it is you are trying to get at.

The eicar test file has clearly defined standards and format and changing those means it is no longer an eicar test file, so won’t be detected as such. Outside of the eicar code it would be a benign text file as none of the content would match malicious signatures.

See http://www.virustotal.com/analisis/c8d3d6b93082dae647c7b191c4e4082c754b1cc67c2c4052dbc6e4efad04758e-1253369256 for results of a scan by 41 different AV engines.

A. I see, isn’t that System Shutdown Simulator? So you mean avast can’t patch up the hole it creates when PC is shutting down?

Edited: wrong post.

Comodo Internet Security 3.12.x Defense+ (HIPS) and firewall alert on all tests.

http://i45.photobucket.com/albums/f66/jahnjahn/th_2009-09-19_201306.png

http://i45.photobucket.com/albums/f66/jahnjahn/th_2009-09-19_201554.png

http://i45.photobucket.com/albums/f66/jahnjahn/th_2009-09-19_201713.png

http://i45.photobucket.com/albums/f66/jahnjahn/th_2009-09-19_202813.png

Yes, L’arc got it right.
Avast can’t patch the hole that occurs while the PC shuts down.
And if this is right, why can’t a virus automatically stimulate a shutdown and infect system files?

I’m happy to see that Comodo got it.

As I’m a newbie, I can’t understand Tech’s reply of ‘Edited: Wrong Post’.

I learnt to post pictures in the forum.
Please see the pictures. This is what I mean to say.

http://lh6.ggpht.com/_uCRjTJKVESQ/SrYATVVuNjI/AAAAAAAAACw/U6Ub0MelOLQ/s800/snap%201.png

http://lh5.ggpht.com/_uCRjTJKVESQ/SrYATaIh8wI/AAAAAAAAAC0/k1kSkw7ABWk/s800/snap%202.png

http://lh4.ggpht.com/_uCRjTJKVESQ/SrYATi-ryyI/AAAAAAAAAC4/k7UtARxNS9M/s800/snap%203.png

http://lh3.ggpht.com/_uCRjTJKVESQ/SrYATs4mS0I/AAAAAAAAAC8/6nKjngRKB20/s800/snap%204.png

It appears like avast shuts down way too early.

HIPS would probably be able to control this vulnerability. But from what I know, avast 5 won’t be using HIPS.

ashdisp.exe isn’t necessary for protection. You just closed the GUI. ashServ.exe is the core detection and protection engine. And from what I see, it’s still running.

Still, even though ashServ.exe is active, avast doesn’t seem to react to/detect the generated EICAR test file.

Yes, avast doesn’t react to the generated EICAR file. Again L’arc got it right.

If avast doesn’t react to the EICAR file, it would not react to infection of system files either. Thus the system can become infected very easily ???

Not true.
If ashDisp.exe is not running, avast! doesn’t ask what to do with the infected file (or Eicar) - and simply blocks it right away (when it’s about to be executed).

The EICAR file remains after restart. If a manual scan of the path of sss.exe is done after restart, avast detects the eicar file.
So, it means that avast doesn’t block.

Well, can you execute the eicar file?

I think you missed the point, it is blocked if something tries to execute it.
(at least that is how I read it)

igor,

What about the standard shield ‘scan created/modified files’? Should this not catch it?

oops, missed igor’s post :wink:

Scanning created/modified files is “on close” - so even if ashDisp.exe is running and avast! is able to ask, it asks after the file is created (or infected), i.e. when the malware is already on disk.
Here, it can’t ask, so it doesn’t do anything.

Silent mode could work as well… don’t know.

So that setting requires ashDisp?
Is that right?
It is still caught by other methods when executed though.

avast! “doesn’t do anything”. But can you execute EICAR? If the file is left on disk, that doesn’t mean avast! didn’t prevent its execution. The execution was blocked, the file was just not deleted/quarantined. That’s all. So in the end avast! did detect the file, but since its graphical user interface was terminated it just blocked the file and finished at that. If the GUI was available, it would have asked the user what to do with the file. So bottom line, I don’t see this as a vulnerability. Unless you can get the malware to execute when ashDisp.exe is terminated.
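The two replies above (igor’s on “scan created/modified files” acting on close, and the last one on a file that persists but is blocked at execution) describe three distinct outcomes a tester can see after writing a test file: it is removed at close, it stays but cannot be read, or it stays and is readable while execution-time blocking remains unverified. The following harness is an added example for separating those outcomes; it is not code from the thread or from avast!. It embeds only a constructed, benign placeholder, which the operator replaces with the official test string obtained from eicar.org when validating a real scanner; no vendor API is assumed.

```python
"""Harness to observe what an on-access scanner does with a freshly written
file: removed at close, left on disk but unreadable, or left readable.
Added example (not the thread's or avast!'s code).  The file content is a
placeholder the operator replaces with the official EICAR test string from
eicar.org; it is deliberately not embedded here."""
import os
import tempfile
import time
from dataclasses import dataclass

# Constructed, benign placeholder content.  Replace with the official
# 68-byte test string from eicar.org when checking a real scanner.
PLACEHOLDER_CONTENT = b"harmless placeholder - not the EICAR test string\n"


@dataclass
class Observation:
    persisted: bool   # file still present after write + close
    readable: bool    # open-for-read succeeded
    size: int         # bytes on disk, 0 if the file is gone


def write_and_observe(directory: str, name: str, content: bytes,
                      settle_seconds: float = 0.0) -> Observation:
    """Write `content`, close the handle (the point where a 'scan
    created/modified files' shield acts), wait, then report the state."""
    path = os.path.join(directory, name)
    with open(path, "wb") as fh:
        fh.write(content)
    # On-close scanning happens after the handle is closed; give it a moment.
    if settle_seconds:
        time.sleep(settle_seconds)
    if not os.path.exists(path):
        return Observation(persisted=False, readable=False, size=0)
    try:
        with open(path, "rb") as fh:
            data = fh.read()
        return Observation(persisted=True, readable=True, size=len(data))
    except OSError:  # e.g. access denied by an on-access scanner
        return Observation(persisted=True, readable=False,
                           size=os.path.getsize(path))


def interpret(obs: Observation) -> str:
    """Map an observation to what it does and does not show.  A persisting
    file only shows it was not deleted/quarantined; whether execution would
    be blocked is a separate question this harness does not answer."""
    if not obs.persisted:
        return "removed at close: on-close scanner deleted or quarantined it"
    if not obs.readable:
        return "present but read blocked: on-access scanner intervened"
    return ("present and readable: nothing acted at write/read time; "
            "execution-time blocking is still untested")


def run_selfcheck(content: bytes = PLACEHOLDER_CONTENT) -> Observation:
    """Run one write-and-observe cycle in a scratch directory."""
    with tempfile.TemporaryDirectory() as tmp:
        return write_and_observe(tmp, "test.com", content, settle_seconds=0.5)


if __name__ == "__main__":
    result = run_selfcheck()
    print(result)
    print(interpret(result))
```

Run it once with the placeholder to confirm the harness itself works (the file should persist and be readable), then again with the real test string in a directory the scanner covers. Only the third outcome, "present and readable", corresponds to what the thread’s screenshots show, and as the last reply points out, that outcome says nothing about whether the file could actually be executed.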