(Miami, FL) – HackMiami researcher Jason of n00bz.net revealed a 0day multi-vendor AntiVirus bypass vulnerability at the Hacker Halted conference in Miami last Thursday.
After disclosing the vulnerability to vendors and awaiting a patch release by McAfee, Jason presented the proof-of-concept methodology at the conference by successfully executing malicious code on target machines that were fully protected by anti-virus ‘resident shield’ software.
The principle behind the vulnerability is that although AV software is supposed to alert the user when malicious code is detected and block its execution, the tested AV products only detected the malicious code AFTER it had already been executed and loaded into memory. This results in successful infection of the target machine using any known payload, such as a Zeus trojan.
The flaw resides in the way AV products deal with protocol handlers. A full write up by Jason can be found here.
Vulnerable Anti-Virus Products
CVE-2010-3496 – McAfee – patch available
CVE-2010-3497 – Symantec/Norton – recommends purchasing additional Firewall software (this is like putting a band-aid on a severed limb)
CVE-2010-3498 – AVG – no reply from vendor
CVE-2010-3499 – F-Secure – Working fix into next release