Author Topic: Antivirus Scanners DoS attack  (Read 5920 times)


Fr33k

  • Guest
Antivirus Scanners DoS attack
« on: June 15, 2004, 06:50:30 PM »
I have tested Avast! with the Antivirus Scanners DoS attack as reported on bugtraq. I finally got tired of waiting for the manual scan to complete after several minutes, and I cancelled the operation. Is Alwil aware of this? Is there a fix in progress?


Avast! Professional 4.1.418

Offline RejZoR

  • Polymorphic Sheep
  • Serious Graphoman
  • *****
  • Posts: 9406
  • We are supersheep, resistance is futile!
    • RejZoR's Flock of Sheep
Re:Antivirus Scanners DoS attack
« Reply #1 on: June 15, 2004, 07:00:47 PM »
Don't understand what you want to say?
Visit my webpage Angry Sheep Blog

Offline Vlk

  • Avast CEO
  • Serious Graphoman
  • *
  • Posts: 11658
  • Please don't send me IM's. Email only. Thx.
    • ALWIL Software
Re:Antivirus Scanners DoS attack
« Reply #2 on: June 15, 2004, 07:05:04 PM »
I do understand. The archives you mean.

We're aware of that and looking at possibilities to be as immune as possible... although it's not entirely possible...
If at first you don't succeed, then skydiving's not for you.

Fr33k

  • Guest
Re:Antivirus Scanners DoS attack
« Reply #3 on: June 15, 2004, 07:14:27 PM »
The following was reported on bugtraq. (securityfocus.com)

I doubt how many Antivirus/Trojan/Spyware scanners will choke to death while having a "manual scan" of this file. Please go ahead and give it a try.

http://www.geocities.com/visitbipin/SERVER_dwn.zip

I was wondering what the results would be if such a file gets stuck in an "AV gateway"


I tested this file, and Avast! can't find the eicar file in the zip.
In my experience, once an exploit is reported it's only a matter of time before it is seen in the wild. I was asking if Alwil was aware of the problem and if they are working on a solution.

Offline Vlk

  • Avast CEO
  • Serious Graphoman
  • *
  • Posts: 11658
  • Please don't send me IM's. Email only. Thx.
    • ALWIL Software
Re:Antivirus Scanners DoS attack
« Reply #4 on: June 15, 2004, 07:18:24 PM »
Actually on my P4/3GHz the eicar is found in about 3 minutes... but anyway it's not good. We'll find a solution.


Please note that this ZIP is actually one of many - similar techniques exist and have been shown for all major archive formats and use different tricks. So a general solution is not really simple to find...
If at first you don't succeed, then skydiving's not for you.

Technodrome

  • Guest
Re:Antivirus Scanners DoS attack
« Reply #5 on: June 15, 2004, 07:30:21 PM »
Yup. It takes a while for avast! to complete the scan. It took less than 9 sec for Command Antivirus to complete the scan.


tECHNODROME

Fr33k

  • Guest
Re:Antivirus Scanners DoS attack
« Reply #6 on: June 16, 2004, 04:53:08 AM »
I tested it again without stopping it. Big mistake.

AMD XP-M 2500+ Avast Professional

After 20+ minutes the scanner crashed because it ran out of disk space. It used all 20G of free space I had. I had to restart and manually delete the temp files.
I ran a boot scan and it scanned the zip quickly but did not find the eicar.

Tried a different machine.
AMD 64-M 3000+ Avast Home

Found the eicar in 11 minutes with no other problems. I did not try the boot scan on this machine. (40G of free disk space)

Offline Dwarden

  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 1793
  • Ideas, that's ocean without borders!
    • Bohemia Interactive
Re:Antivirus Scanners DoS attack
« Reply #7 on: June 16, 2004, 08:04:14 PM »
Strange...

nforce2 AMD XP3200+ , 1GB DDR400, STRIP SATA Raid, Windows XP Pro SP2 RC2

1st scan


Avast Pro needed 128seconds to find it
Avast Pro used 6MB temp space

GOTCHAAAAAAAAAAAAAAAAAAA

i renamed and i moved this file to another folder

2nd scan

D:\Downloads\a\111111111111111111111111111111111111111111234SERVER_dwn.zip

used right mouse menu Find Viruses in <filename>

then i repeated scan

scanner IMMEDIATELY began to use 400MB of RAM and instead of using 6MB of space, it used 20MB / second, draining over 2GB of temp space and crashing ...

3rd scan

i was trying to push close on the window to stop Avast scanning but the scanner froze and refused to free the used avast TEMP files in the TEMP folder ...

serious flaws :)
« Last Edit: June 16, 2004, 08:15:09 PM by Dwarden »
https://twitter.com/FoltynD , Tech. Community, Online Services & Distribution manager of Bohemia Interactive

Offline RejZoR

  • Polymorphic Sheep
  • Serious Graphoman
  • *****
  • Posts: 9406
  • We are supersheep, resistance is futile!
    • RejZoR's Flock of Sheep
Re:Antivirus Scanners DoS attack
« Reply #8 on: June 16, 2004, 08:47:49 PM »
So this is something more like decompression bombs? Nice :) ;)
Visit my webpage Angry Sheep Blog

Offline Vlk

  • Avast CEO
  • Serious Graphoman
  • *
  • Posts: 11658
  • Please don't send me IM's. Email only. Thx.
    • ALWIL Software
Re:Antivirus Scanners DoS attack
« Reply #9 on: June 16, 2004, 08:58:41 PM »
Well this IS a decompression bomb, nothing else...
If at first you don't succeed, then skydiving's not for you.

Offline RejZoR

  • Polymorphic Sheep
  • Serious Graphoman
  • *****
  • Posts: 9406
  • We are supersheep, resistance is futile!
    • RejZoR's Flock of Sheep
Re:Antivirus Scanners DoS attack
« Reply #10 on: June 16, 2004, 09:04:34 PM »
Actually this flaw is only noticeable if you use Archive real-time scanning (useless) and all files scanning (also quite useless).
Visit my webpage Angry Sheep Blog
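
Added example, not part of the thread and not avast! code: a sketch of the scanner-side defence against the decompression bomb discussed above, which unpacks ZIP members in memory under a total output budget, a per-member expansion ratio cap and a nesting limit instead of writing unbounded temp files. The class and function names and all limit values are assumptions made for illustration.

```python
import io
import zipfile

class ArchiveLimitExceeded(Exception):
    """Raised when an archive exceeds a scan limit; report the file as unscannable."""

class BoundedZipScanner:
    # Hypothetical scanner wrapper; every limit value here is an assumption.
    def __init__(self, inspect, max_total=64 << 20, max_ratio=200, max_depth=3):
        self.inspect = inspect        # callback(name, data), e.g. a signature matcher
        self.budget = max_total       # decompressed bytes allowed for the whole scan
        self.max_ratio = max_ratio    # per-member expansion cap (deflate peaks near 1032:1)
        self.max_depth = max_depth    # archive-in-archive nesting limit

    def scan(self, data, depth=0):
        if depth > self.max_depth:
            raise ArchiveLimitExceeded("nesting depth")
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if not info.is_dir():
                    self._scan_member(zf, info, depth)

    def _scan_member(self, zf, info, depth):
        out = bytearray()
        ratio_cap = self.max_ratio * max(info.compress_size, 1)
        with zf.open(info) as member:
            # Count the bytes actually produced rather than trusting the declared size.
            for chunk in iter(lambda: member.read(65536), b""):
                out += chunk
                self.budget -= len(chunk)
                if self.budget < 0:
                    raise ArchiveLimitExceeded("total size budget")
                if len(out) > ratio_cap:
                    raise ArchiveLimitExceeded("compression ratio")
        if zipfile.is_zipfile(io.BytesIO(out)):
            self.scan(bytes(out), depth + 1)   # nested archives share the same budget
        else:
            self.inspect(info.filename, bytes(out))

def make_zip(members, compression=zipfile.ZIP_DEFLATED):
    """Build a constructed sample archive in memory from {name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", compression) as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()
```

A caller would catch ArchiveLimitExceeded and flag or quarantine the archive rather than retrying with larger limits.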