Author Topic: New shutdown vulnerability  (Read 7725 times)

0 Members and 1 Guest are viewing this topic.

jaikrishna

  • Guest
New shutdown vulnerability
« on: September 19, 2009, 11:38:48 AM »
Please see this file http://zeroday-software.110mb.com/sss-final.zip
It can easily create a EICAR virus test file and dodge both avast and threatfire.  :-[
I am using Avast+Threatfire+Outpost firewall
But, outpost can survive it. >:(

Please follow the procedure given in pictures and try.
(It is only a test program, It does not contain any viruses)

I have posted it on mediafire, because i could not upload more than 200 kb here.
The link is http://www.mediafire.com/?mixnzmy0yiz

jaikrishna

  • Guest
Re: New shutdown vulnerability
« Reply #1 on: September 19, 2009, 02:03:13 PM »
Please consider downloading the file and checking. It's really serious

Online DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 88900
  • No support PMs thanks
Re: New shutdown vulnerability
« Reply #2 on: September 19, 2009, 04:07:07 PM »
I really don't understand what it is you are trying to get at.

The eicar test file has clearly defined standards and format and changing those means it is no longer an eicar test file, so won't be detected as such. Outside of the eicar code it would be a benign text file as none of the content would match malicious signatures.


See http://www.virustotal.com/analisis/c8d3d6b93082dae647c7b191c4e4082c754b1cc67c2c4052dbc6e4efad04758e-1253369256 for results of a scan by 41 different AV engines.
« Last Edit: September 19, 2009, 04:11:54 PM by DavidR »
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.2.6105 (build 24.2.8918.824) UI 1.0.799/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Offline .: L' arc :.

  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 1780
  • Thinking with Portals
Re: New shutdown vulnerability
« Reply #3 on: September 19, 2009, 04:31:48 PM »
 A. I see, isn't that System Shutdown Simulator? So you mean avast can't patch up the hole it creates when PC is shutting down?
Windows 7 (64-bit) Home Premium SP1
avast! 9 RC1

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67194
Re: New shutdown vulnerability
« Reply #4 on: September 19, 2009, 05:40:46 PM »
Edited: wrong post.
The best things in life are free.

Jahn

  • Guest
Re: New shutdown vulnerability
« Reply #5 on: September 20, 2009, 03:59:21 AM »
Comodo Internet Security 3.12.x Defense+ (HIPS) and firewall alert on all tests.





jaikrishna

  • Guest
Re: New shutdown vulnerability
« Reply #6 on: September 20, 2009, 12:10:11 PM »
Yes, L'arc got it right.
Avast cant patch the hole that occurs while PC shuts down.
And if this is right, why cant a virus automatically stimulate a shutdown and infect system files.

I'm happy to see that Comodo got it.

As I'm a newbie, I cant understand Tech's reply as 'Edited:Wrong Post'

jaikrishna

  • Guest
Re: New shutdown vulnerability
« Reply #7 on: September 20, 2009, 12:19:22 PM »
I learnt to post pictures in forum
Please see the pictures. This is what I mean to say

1.


2.


3.


4.

Offline .: L' arc :.

  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 1780
  • Thinking with Portals
Re: New shutdown vulnerability
« Reply #8 on: September 20, 2009, 01:07:56 PM »
 It appears like avast shuts down way too early.

 HIPS would probably be able to control this vulnerability. But from what I know, avast 5 wont be using HIPS.
Windows 7 (64-bit) Home Premium SP1
avast! 9 RC1

Offline RejZoR

  • Polymorphic Sheep
  • Serious Graphoman
  • *****
  • Posts: 9406
  • We are supersheep, resistance is futile!
    • RejZoR's Flock of Sheep
Re: New shutdown vulnerability
« Reply #9 on: September 20, 2009, 01:08:36 PM »
ashdisp.exe isn't necessary for protection. You just closed the GUI. ashServ.exe is the core detection and protection engine. And from what i see, it's still running.
Visit my webpage Angry Sheep Blog

Offline .: L' arc :.

  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 1780
  • Thinking with Portals
Re: New shutdown vulnerability
« Reply #10 on: September 20, 2009, 03:54:42 PM »
 Still, even though ashServ.exe is active, avast doesn't seem to react/detect the generated EICAR test file
Windows 7 (64-bit) Home Premium SP1
avast! 9 RC1

jaikrishna

  • Guest
Re: New shutdown vulnerability
« Reply #11 on: September 20, 2009, 04:01:25 PM »
Yes, avast doesn't react to generated EICAR file. Again L'arc got it right

jaikrishna

  • Guest
Re: New shutdown vulnerability
« Reply #12 on: September 20, 2009, 04:03:55 PM »
If avast doesn't react to EICAR file, It would not react to infection of system files either. Thus the system can become infected very easily ???

Offline igor

  • Avast team
  • Serious Graphoman
  • *
  • Posts: 11849
    • AVAST Software
Re: New shutdown vulnerability
« Reply #13 on: September 20, 2009, 04:05:12 PM »
Not true.
If ashDisp.exe is not running, avast! doesn't ask what to do with the infected file (or Eicar) - and simply blocks it right away (when it's about to be executed).

jaikrishna

  • Guest
Re: New shutdown vulnerability
« Reply #14 on: September 20, 2009, 04:12:20 PM »
The EICAR file remains after restart. If a manual scan of the path of sss.exe is done after restart, avast detects the eicar file.
So, it means that avast doesn't block.