Author Topic: Antivirus Scanners DoS attack  (Read 5434 times)

0 Members and 1 Guest are viewing this topic.

Fr33k

  • Guest
Antivirus Scanners DoS attack
« on: June 15, 2004, 06:50:30 PM »
I have tested Avast! with the Antivirus Scanners DoS attack as reported on bugtraq. I finally got tired of waiting for the manual scan to complete after several minutes, and I cancelled the operation. Is Alwil aware of this? Is there a fix in progress?


Avast! Professional 4.1.418

Offline RejZoR

  • Polymorphic Sheep
  • Serious Graphoman
  • *****
  • Posts: 9407
  • We are supersheep, resistance is futile!
    • RejZoR's Flock of Sheep
Re:Antivirus Scanners DoS attack
« Reply #1 on: June 15, 2004, 07:00:47 PM »
Don't understand what you want to say?
Visit my webpage Angry Sheep Blog

Offline Vlk

  • Avast CEO
  • Serious Graphoman
  • *
  • Posts: 11664
  • Please don't send me IM's. Email only. Thx.
    • ALWIL Software
Re:Antivirus Scanners DoS attack
« Reply #2 on: June 15, 2004, 07:05:04 PM »
I do undestand. The archives you mean.

We're aware of that and looking at possibilities to be as immune as possible... although it's not entirely possbile...
If at first you don't succeed, then skydiving's not for you.

Fr33k

  • Guest
Re:Antivirus Scanners DoS attack
« Reply #3 on: June 15, 2004, 07:14:27 PM »
The following was reported on bugtraq. (securityfocus.com)

I doubt how many Antivirus/Trojan/Spyware scanners will choak to death while having a "manual scan" of this file. Please go ahead and give it a try.

http://www.geocities.com/visitbipin/SERVER_dwn.zip

I was woundering, what would be the results if such file gets stucked in an "AV gateway"


I tested this file, and Avast! can't find the Escar file in the zip.
In my experience, once an exploit is reported it's only a matter of time before it is seen in the wild. I was asking if Awlil was aware of the problem and if they are working on a solution.

Offline Vlk

  • Avast CEO
  • Serious Graphoman
  • *
  • Posts: 11664
  • Please don't send me IM's. Email only. Thx.
    • ALWIL Software
Re:Antivirus Scanners DoS attack
« Reply #4 on: June 15, 2004, 07:18:24 PM »
Actually on my P4/3GHz the eicar is found in about 3 minutes... but anyway it's not good. We'll find a solution.


Please note that this ZIP is actually one of many - similar techniques exist and have been shown for all major archive formats and use different tricks. So a general solution is not really simple to find...
If at first you don't succeed, then skydiving's not for you.

Technodrome

  • Guest
Re:Antivirus Scanners DoS attack
« Reply #5 on: June 15, 2004, 07:30:21 PM »
Yup. It takes a while for avast! to complete scan. It took less then 9 Sec for Command Antivirus to complete scan.


tECHNODROME

Fr33k

  • Guest
Re:Antivirus Scanners DoS attack
« Reply #6 on: June 16, 2004, 04:53:08 AM »
I tested it again without stopping it. Big mistake.

AMD XP-M 2500+ Avast Professional

After 20+ minutes the scanner crashed because it ran out of disk space. It used all 20G of free space I had. I had to restart and manualy delete the temp files.
I ran a boot scan and it scanned the zip quickly but did not find the eicar.

Tried a different machine.
AMD 64-M 3000+ Avast Home

Found the eicar in 11 minutes with no other problems. I did not try the boot scan on this machine. (40G of free disk space)

Offline Dwarden

  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 1793
  • Ideas, that's ocean without borders!
    • Bohemia Interactive
Re:Antivirus Scanners DoS attack
« Reply #7 on: June 16, 2004, 08:04:14 PM »
Strange...

nforce2 AMD XP3200+ , 1GB DDR400, STRIP SATA Raid, Windows XP Pro SP2 RC2

1st scan


Avast Pro needed 128seconds to find it
Avast Pro used 6MB temp space

GOTCHAAAAAAAAAAAAAAAAAAA

i renamed and i moved this file to another folder

2nd scan

D:\Downloads\a\111111111111111111111111111111111111111111234SERVER_dwn.zip

used right mouse menu Find Viruses in <filename>

then i repeated scan

scanner IMMEDIATELY become use 400MB of RAM and instead of using 6MB of space, it used 20MB / second, draining over 2GB of temp space and crashing ...

3rd scan

i was trying to pust close at window to stop Avast scanning but scanner freezed and refused to free used avast's TEMP files in TEMP folder ...

serious flaws :)
« Last Edit: June 16, 2004, 08:15:09 PM by Dwarden »
https://twitter.com/FoltynD , Tech. Community, Online Services & Distribution manager of Bohemia Interactive

Offline RejZoR

  • Polymorphic Sheep
  • Serious Graphoman
  • *****
  • Posts: 9407
  • We are supersheep, resistance is futile!
    • RejZoR's Flock of Sheep
Re:Antivirus Scanners DoS attack
« Reply #8 on: June 16, 2004, 08:47:49 PM »
So this is something more like decompression bombs? Nice :) ;)
Visit my webpage Angry Sheep Blog

Offline Vlk

  • Avast CEO
  • Serious Graphoman
  • *
  • Posts: 11664
  • Please don't send me IM's. Email only. Thx.
    • ALWIL Software
Re:Antivirus Scanners DoS attack
« Reply #9 on: June 16, 2004, 08:58:41 PM »
Well this IS a decompression bomb, nothing else...
If at first you don't succeed, then skydiving's not for you.

Offline RejZoR

  • Polymorphic Sheep
  • Serious Graphoman
  • *****
  • Posts: 9407
  • We are supersheep, resistance is futile!
    • RejZoR's Flock of Sheep
Re:Antivirus Scanners DoS attack
« Reply #10 on: June 16, 2004, 09:04:34 PM »
Actually this flaw is only noticeble if you use Archive real-time scanning (useless) and all files scanning (also quiet useless).
Visit my webpage Angry Sheep Blog