Avast WEBforum

Consumer Products => Avast Free Antivirus / Premium Security (legacy Pro Antivirus, Internet Security, Premier) => Topic started by: Kobra on June 17, 2004, 01:34:55 AM

Title: Avast susceptible to archive bombing. =(
Post by: Kobra on June 17, 2004, 01:34:55 AM
Just tested this tonight, and since this actually does have the ability to shut down an AV product, it could precede an actual threat to turn off an AV, then launch the payload behind the archive, I'd imagine. Anyway, I believe the file is a recursive zip file containing Eicar at its core, but set to unpack unlimited amounts of a single character, which puts AV products in an endless loop, effectively locking them up.

Now Avast does not lock up, but it endlessly tries to open the file and scan it, and seems to loop into nothingness.

Since this isn't a real virus, and is merely a packed Eicar file, I've placed this up for download so everyone can test it for themselves if they wish. In addition, hopefully the Avast folks will find a way to deal with this.

http://home.comcast.net/~prolawn00/test.zip

Regards.
Title: Re:Avast susceptible to archive bombing. =(
Post by: Kobra on June 17, 2004, 02:08:29 AM
Self-reply... Possible solution found that Avast can implement?

I've found only one AV so far that this archive can't bring down, and that's that little Polish gem I found last night. They seem to use a pretty simple method to eliminate this type of problem - or at least control it.

http://home.comcast.net/~prolawn00/mksa.JPG
(This is it finding the Eicar file, no other AV so far found it, they all hung)

http://home.comcast.net/~prolawn00/mksb.JPG
(This is how I believe they control it: you set the archive scanning level)

I'll run the file through more AVs, but it's taken down KAV and DrWeb's online scanners, that's for sure.
Title: Re:Avast susceptible to archive bombing. =(
Post by: MikeBCda on June 17, 2004, 03:33:20 AM
Just in case anyone else tried this (my system clogged too, I manually aborted before any hint of warnings about the Eicar) and is going crazy trying to find the many gigs of temp files so they can be dumped ...

On my XP-Home, they wound up under Documents & Settings/Michael/ ....etc.  I originally did a search in Explorer for extra-large files but, oddly, that turned up nothing.  I finally tried re-scanning with avast with archive-checking turned off (still a thorough scan) and made a note of where it was spending an unusual amount of time due to the file sizes, and that's where they were.
Title: Re:Avast susceptible to archive bombing. =(
Post by: Kobra on June 17, 2004, 03:55:47 AM
The problem is actually that there is over 100GB of data to unpack before it can scan. If you look very carefully, it is a rar file with a 13.5GB file in it, then there are 5 copies of that, as well as other large files; I think it is around 100GB total.

Most mail servers don't even have that space to unpack it.

The resulting file is actually only 125KB though.

That's what really causes the problem.
Title: Re:Avast susceptible to archive bombing. =(
Post by: Dwarden on June 17, 2004, 06:30:53 AM
I already commented on this in another thread: http://forum.avast.com/index.php?board=2;action=display;threadid=5254

My Avast finds the Eicar file there at the 1st try, but trying to "RESCAN" that file = bye bye scanner
Title: Re:Avast susceptible to archive bombing. =(
Post by: RejZoR on June 17, 2004, 07:55:36 PM
You don't really need much knowledge to make a decompression bomb. Right now I'm making two bombs. One is a Nuclear Cypher Bomb and the second one is Bit2BitBomb. Testing will be done soon. I love this stuff. It's so damn simple and it has a killing effect.

PS: Kids don't do this at home and don't use it for nasty things ;)
Title: Re:Avast susceptible to archive bombing. =(
Post by: EVdB on June 18, 2004, 12:54:15 AM
Quote:
I've found only one AV so far that this archive can't bring down, and that's that little Polish gem I found last night. They seem to use a pretty simple method to eliminate this type of problem - or at least control it.
Sorry to disappoint you, guys, but BitDefender has no problem whatsoever with this zip file. It doesn't even consider it a virus, but an Eicar test file. Time to scan it was almost instant.
This was done on my PC for work. Avast Pro is installed on my personal PC.  ;)
Title: Re:Avast susceptible to archive bombing. =(
Post by: Kobra on June 18, 2004, 02:02:30 AM
KAV-based engine products recognize it as a mail bomb, apparently with signatures. But other products just limit the depth of archive scanning.

It surprises me that BitDefender picks it up, but it could be because BitDefender hardly even unpacks stuff; probably it's just a limit of its engine, picking up the first Eicar and stopping its scan automagically. My testing showed very little ability to scan within archives/packed files with BitDefender.
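The depth limit and "archive scanning level" the thread keeps coming back to can be checked from an archive's central directory before a single byte is decompressed. The following is an added example, not code from Avast or any other product named here; the limit values, the inspect_zip function and the build_nested_zip helper (which constructs the sample archives in memory) are my own assumptions for illustration.

```python
import io
import zipfile

# Policy limits (assumed values for this example; real scanners tune these)
MAX_TOTAL_UNCOMPRESSED = 50 * 1024 * 1024   # byte budget across all nesting levels
MAX_RATIO = 100.0                            # uncompressed / compressed, per member
MAX_DEPTH = 3                                # nested archives below the outer one


def inspect_zip(data: bytes, depth: int = 0, budget: int = MAX_TOTAL_UNCOMPRESSED) -> dict:
    """Walk a zip (and nested zips) using central-directory metadata only.
    Stops and returns a verdict before extracting once any limit trips."""
    if depth > MAX_DEPTH:
        return {"ok": False, "reason": "nesting depth exceeded", "depth": depth}
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return {"ok": False, "reason": "not a zip", "depth": depth}
    total_uncompressed = 0
    with zf:
        # First pass: declared sizes only, nothing is decompressed yet.
        for info in zf.infolist():
            total_uncompressed += info.file_size
            if total_uncompressed > budget:
                return {"ok": False, "reason": "size budget exceeded", "depth": depth}
            if info.compress_size and info.file_size / info.compress_size > MAX_RATIO:
                return {"ok": False, "reason": "compression ratio exceeded", "depth": depth}
        # Second pass: declared sizes are within policy, so reading members is
        # bounded; recurse into nested archives with the remaining budget.
        # (Headers can lie, so a real extractor also caps bytes while streaming.)
        for info in zf.infolist():
            if info.filename.lower().endswith(".zip"):
                verdict = inspect_zip(zf.read(info), depth + 1, budget - total_uncompressed)
                if not verdict["ok"]:
                    return verdict
    return {"ok": True, "reason": "within limits", "depth": depth}


def build_nested_zip(payload: bytes, levels: int) -> bytes:
    """Constructed sample: wrap payload in `levels` nested deflated zips."""
    data = payload
    for i in range(levels):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
            zf.writestr("inner.txt" if i == 0 else f"level{i}.zip", data)
        data = buf.getvalue()
    return data


if __name__ == "__main__":
    print(inspect_zip(build_nested_zip(b"harmless placeholder text", 2)))
    print(inspect_zip(build_nested_zip(b"\0" * (4 * 1024 * 1024), 1)))
```

A 4 MiB run of zeros deflates at roughly 1000:1, so the second sample fails the ratio check long before the 50 MiB budget matters, while a five-level nesting of the same small text fails on depth alone.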
Title: Re:Avast susceptible to archive bombing. =(
Post by: Max M.Wachtel III on June 18, 2004, 02:50:07 AM
Where can I find info on "mail bombs"?
I've never heard of it.
-max
Title: Re:Avast susceptible to archive bombing. =(
Post by: pk on June 18, 2004, 02:56:13 AM
Quote:
Where can I find info on "mail bombs"?
I've never heard of it.
Try this link: http://www.aerasec.de/security/advisories/decompression-bomb-vulnerability.html
Title: Re:Avast susceptible to archive bombing. =(
Post by: Max M.Wachtel III on June 18, 2004, 03:07:36 AM
Thanks pk, there is so much I have to learn :)
-max